Network access quarantine control

Keeping dirty PCs off your network.

Network access quarantine control, or NAQC, is a set of services and utilities available in Windows Server 2003 with the Resource Kit or with Service Pack 1. It allows you to prevent remote users from connecting to your network with machines that aren't up-to-date and secure by quarantining them in a secured area before permitting unfettered access.

It's long been known to expert network administrators that most nefarious software and malware infiltrate your production network not through holes in your firewall, or brute-force password attacks or anything else that might occur at your corporate headquarters or campus.

Rather, they gain access to your wires through your mobile users when they try to connect to your business network while on the road. There's a big problem with remote users, and it hinges on the unpredictability of the machines from which they're connecting.

Most remote users are authenticated and allowed access to your network only on the basis of their identity. They can prove that they are who they say they are, and that's good enough for a lot of deployments. But problematically, no effort is made to verify that their hardware and software on their machines meets a certain baseline requirement. Remote users could, and do every day, fail any or all of the following common-sense guidelines for very basic computer security:

  • The latest service pack and the latest security hot fixes are installed.
  • The corporation-standard antivirus software is installed and running and the latest signature files are being used.
  • Internet or network routing is disabled.
  • Windows XP's ICF, or any other approved firewall, is installed, enabled and actively protecting ports on the computer.
  • You would expect your business desktops to comply with policy, particularly because of the excellent tools that are now available for distributed management.

    But mobile users have typically been either overlooked or grudgingly accepted as exceptions to the rule. Luckily, Windows Server 2003 includes a new feature in its Resource Kit, or with Service Pack 1, known as Network Access Quarantine Control (NAQC). In a nutshell, NAQC prevents unhindered access to a network for a remote user connecting to a secured endpoint until after the machine at the endpoint has verified the connecting computer's configuration meets certain requirements and standards.

    Under NAQC, when a client establishes a connection to a remote network's endpoint (a machine running the Routing and Remote Access Service included in Windows Server 2003), the destination DHCP server gives the remote, connecting computer an IP address, but a server running Microsoft's Internet Authentication Service (also included in Windows Server 2003) establishes a "quarantine mode." In quarantine mode, the following restrictions are in effect:

  • A set of packet filters is enabled that restricts the traffic sent to and received from a remote access client.
  • A session timer is enabled that limits the duration of a remote client's connection in quarantine mode before being terminated.
  • The standards with which connecting remote computers must comply are solely defined by the network administrator, and compliance is checked with a script that the administrator creates based on these guidelines.

    To use NAQC, the remote machines connecting to your NAQC-enabled endpoint need to be running Windows 98 SE, Windows ME, Windows 2000 Pro or Server, or Windows XP Home or Pro. These versions of Windows support a Connection Manager "connectoid" or profile, located in the Network Connections element in the user interface. The profile enables dial-up or VPN connectivity and contains three essential elements:

  • Connection information: the remote server IP address, encryption requirements, and so on
  • The baseline script: a simple batch file or executable used to assess the condition of the connecting client
  • A notifier: a component that talks to the secure endpoint and negotiates a lift of the client's quarantine once the baseline script is satisfied the connecting computer is secure
  • Once the remote computer is in quarantine mode, the client computer automatically executes the baseline script. If Windows runs the script and is satisfied with the result, it contacts the listening service running on the Windows Server 2003 back-end machine and reports this result. Then quarantine mode is removed and normal network access is restored. Otherwise, the client eventually is disconnected when the session timer reaches the configured limit, as described earlier.

    There are six steps to a proper deployment of NAQC:

  • Create the resources that will be available to your users in quarantine mode. You'll want users to have access to certain sites and downloads on a specially hardened server so they can fix themselves and reconnect.
  • Write the script that performs the baseline checks on remote clients attempting a connection.
  • Install the listening service on your Windows Server 2003.
  • Create a Connection Manager profile with the properties of a quarantined connection.
  • Distribute that profile to remote users, through Group Policy, e-mail, or via CD or FTP.
  • Configure the actual quarantine policy using packet filters in IAS.

    Jonathan Hassell is an author, consultant and speaker on a variety of IT topics. His published works include RADIUS, Hardening Windows, Using Windows Small Business Server 2003 and Learning Windows Server 2003. He is currently an editor for Apress, a publishing company specialising in books for programmers and IT professionals.


  • What are your views on this subject? Use the form below to post a comment on this article up to 500 characters.


    Characters remaining: 500

    Related Networking news

    Cisco free iPhone app grabs security feeds

    Cisco SIO To Go iPhone application for IT managers on the road

    Queen's speech promises action on pirates

    Government sticks to plans to disconnect illegal file sharers

    Ombudsman faults EC's Intel antitrust ruling

    European Commission accused of "maladministration"

    Blue Coat unveils faster network security appliances

    Web security gateways acheive 1Gbps performance


    SANs tuned for virtualisation

    Whether you're using virtualisation to make large applications more manageable or to consolidate many small applications, a SAN packed with features that ease the management of storage for virtual machines is a good thing.


    Email this article to a friend or colleague:


    PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

    Techworld White Papers

    Database security: Preventing enterprise data leaks at the source

    IDC discusses the growing internal threats to business information, the impact of government regulations on the protection of data, and how enterprises must adopt database security best practices...

    Download Whitepaper

    Service-oriented security

    SOA has become an integral part of enterprise software by providing a framework to efficiently develop software as services that is easily sharable, reusable, and integrated. No where is the need more apparent than in the Identity Management space. Welcome to the age of Service-Oriented Security (SOS).

    Download Whitepaper

    Data protection prospective vendor checklist

    Organisations need a way to map business needs against all these challenges in procuring a technical solution. To help, SANS has developed the following Prospective Vendor Checklist.

    Download Whitepaper

    Unlock the power of the mainframe

    This whitepaper presents the notion of CICS as an integration hub based on a component-based, service-oriented architecture supporting Web services. Highlights will review the challenges and contrasted support for Web services natively in CICS.

    Download Whitepaper

    Techworld UK - Technology - Business

    COLT White Paper

    Are all VoIP services the same?

    Questions to ask your service provider to ensure you get the VoIP service you need
    With careful choice of partner, your business can have all the advantages of VoIP access - reduced costs, flexibility and simplicity - without the drawbacks.
    This white paper is your guide to ensure you get right the VoIP service and details the pitfalls which businesses would do well to avoid.

    Download white paper
    BMC

    Ride the express lane in the journey to speed ITIL adoption

    Explore the challenges in making the journey to ITIL and the criteria for selecting consulting services
    By following ITIL practices, your IT organisation will become more closely integrated with the business. We recommend making the journey to ITIL in a sequence of six incremental steps, the phases of which are driven through execution of a strategic transformational roadmap.

    Download white paper

    Webcast: IT Financial Management: Cost Optimisation for Efficiency and Agility.
    On Demand Webcast
    Join this webcast to learn about the techniques and technologies that can help you prove the value of IT to the business by understanding the true cost of today's IT services and those that will be necessary to deliver future success.

    Register Today

    Site Map

    IDG Network

    * *