Implementing Quarantine Services with Microsoft Virtual Private Network Planning Guide

Overview

Updated: June 30, 2005

The widespread availability of the Internet has led to significant changes in the way many organizations work. To maintain competitive advantage, organizations increasingly require employees to connect to corporate networks from remote locations such as homes, branch offices, hotels, Internet cafés, or customers' premises. These remote connections are usually implemented with virtual private network (VPN) technologies.

VPN connections allow employees and partners to connect to a corporate local area network (LAN) over a public network in a secure manner. Remote access that uses VPN technologies is a key enabler for many new business opportunities, such as remote administration and high security applications. A large number of business groups and users make use of productivity and administration applications that require frequent and dependable remote access to corporate LANs.

Although a VPN provides secure access by encrypting data through the VPN tunnel, it does not prevent intrusions by malicious software, such as viruses or worms, that originate on the remote access computer. An infected computer that connects to the LAN over the VPN can attack the LAN as readily as an infected computer on the LAN itself.

Because organizations, such as those in the financial services sector, must maintain their reputation for secure transactions, even a minor security breach can harm the public perception of a company. Hence, VPN connections must be subject to strong access requirement checks and validation.

VPN access becomes a potential risk when the remote computer does not meet the organization's security requirements. Most VPN implementations cannot check that a remote computer has the latest security updates or virus signatures before it connects to the corporate network. Therefore, many organizations do not consider that basic VPN-based remote access meets their security requirements.

VPN quarantine provides a mechanism to address these issues. VPN quarantine ensures that computers that connect to the network using VPN protocols are subject to pre-connection and post-connection checks and are isolated until the computer meets the required security policy. These checks, carried out with custom scripts, can examine service pack versions, security updates, and whether an approved antivirus program is running with the most recent virus definition files. Organizations can test for other requirements in these custom scripts.

The VPN quarantine solution places all connecting computers that meet the specified remote access policy into a quarantine network and verifies that these computers comply with the organization's security policy. The remote access VPN server lifts the quarantine restrictions and allows access to corporate network resources only when the remote access computer passes all connection checks.
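The following post-connect check script is an added example that is not part of this guide and is not Microsoft's own sample; it shows the shape of the custom script described above. Connection Manager runs it on the client after the tunnel comes up; the script performs the service pack, security update and antivirus checks and, only if all of them pass, notifies the VPN server with rqc.exe, the quarantine notifier component shipped with Windows Server 2003 SP1, so that the quarantine filters for the session are lifted. The policy values (required service pack level, the KB identifier, the antivirus service name and definition file path) and the order of the four arguments passed by Connection Manager are illustrative assumptions; the rqc.exe argument order follows Microsoft's published quarantine sample scripts and should be verified against the installed version.

```powershell
# Added example of a VPN quarantine post-connect check (not the guide's code).
# Connection Manager passes connection details as arguments (order assumed):
#   DialRasEntry TunnelRasEntry Domain UserName
param(
    [string]$DialRasEntry,
    [string]$TunnelRasEntry,
    [string]$Domain,
    [string]$UserName
)

# Policy values are placeholders for illustration, not real requirements.
$RequiredServicePack = 2                                       # e.g. Windows XP SP2
$RequiredHotfix      = 'KB000000'                              # hypothetical update ID
$AntivirusService    = 'ExampleAvSvc'                          # hypothetical AV service name
$DefinitionFile      = 'C:\Program Files\ExampleAV\defs.dat'   # hypothetical definition file
$MaxDefinitionAge    = 7                                       # days
$ScriptVersion       = 'Version1'                              # must match the server's allowed list
$NotifierPort        = 7250                                    # default quarantine listener port

function Test-ClientCompliance {
    $failures = @()

    # 1. Service pack level.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    if ([int]$os.ServicePackMajorVersion -lt $RequiredServicePack) {
        $failures += "service pack $($os.ServicePackMajorVersion) is below required level $RequiredServicePack"
    }

    # 2. Required security update present.
    $qfe = Get-WmiObject -Class Win32_QuickFixEngineering |
           Where-Object { $_.HotFixID -eq $RequiredHotfix }
    if (-not $qfe) { $failures += "security update $RequiredHotfix is not installed" }

    # 3. Approved antivirus service running.
    $svc = Get-Service -Name $AntivirusService -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        $failures += "antivirus service $AntivirusService is not running"
    }

    # 4. Virus definitions recent enough.
    if (-not (Test-Path $DefinitionFile)) {
        $failures += "virus definition file is missing"
    } elseif ((Get-Item $DefinitionFile).LastWriteTime -lt (Get-Date).AddDays(-$MaxDefinitionAge)) {
        $failures += "virus definitions are older than $MaxDefinitionAge days"
    }

    return ,$failures
}

$failures = Test-ClientCompliance
if ($failures.Count -gt 0) {
    # Leave the client in quarantine: do NOT notify the server. The server's
    # quarantine session timer drops the connection. Log the reasons locally
    # so the help desk can tell the user what to fix.
    $log = Join-Path $env:TEMP 'vpn-quarantine.log'
    $failures | ForEach-Object { Add-Content -Path $log -Value "$(Get-Date -Format s) FAIL: $_" }
    exit 1
}

# Every check passed: tell the quarantine listener on the VPN server.
& rqc.exe $DialRasEntry $TunnelRasEntry $NotifierPort $Domain $UserName $ScriptVersion
exit $LASTEXITCODE
```

Two points a practitioner should keep in mind. First, the server learns only that something on the client sent the notification with an accepted script version; a user with local administrator rights can run rqc.exe by hand, so quarantine checks are a hygiene control against accidentally non-compliant machines, not a defense against a deliberately hostile client. Second, the quarantine network must still allow the traffic the script itself needs (for example, the notifier port and any update or definition servers the user is expected to reach while quarantined), or a non-compliant client can never become compliant.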

This guide describes the challenges in planning and implementing quarantine services with VPN through the new features available in Microsoft Windows Server 2003 with Service Pack 1 (SP1).

On This Page
The Business Challenge
The Business Benefits
Who Should Read This Guide
Reader Prerequisites
Planning Guide Overview
Related Resources
Give Us Your Feedback

The Business Challenge

Organizations face multiple challenges when providing remote access through VPN connections. These challenges vary depending upon the services provided, the regulatory framework in which the business operates, and the security environment. Typical challenges include how to:

Define an effective VPN access policy.

Reduce the likelihood that infected or non-compliant computers might connect to the corporate LAN.

Comply with legal requirements for maintaining data security and personal information.

The Business Benefits

Organizations that implement effective VPN quarantine services can realize a number of important benefits. These benefits include:

Improved secure access to corporate assets. VPN quarantine enhances network access security through strict adherence to antivirus and security update requirements.

Simplified administration and maintenance of services. Organizations can standardize on the most up-to-date and secure technologies for their VPN implementation. They can remove hardware VPN implementations, such as specialized remote access computer systems, from the network infrastructure, and thereby simplify any supporting tools, documentation, and connection processes. This simplification improves the day-to-day operational support of the VPN access solution, and offsets the management costs of implementing a quarantine solution.

Improved predictability and usability of remote access. Enhanced dependability and usability encourage employees to use the VPN service, providing greater confidence in the protection of important work and critical corporate resources.

Reduced total cost of ownership (TCO). Requiring remote computers to comply with strict security policies before they gain access reduces overall administration and support costs. These savings come from fewer support calls and from less time spent dealing with attacks from viruses and worms.

Improved security for critical business information. Customer information is of paramount importance to most organizations, particularly those that operate within a regulatory environment. Keeping this information as secure as possible helps with regulatory compliance requirements and maintains the business reputation of the organization.

Improved business processes. Implementing a VPN quarantine solution improves the availability of business applications and processes for field sales executives, customer account managers, and consultants. This increased availability provides faster turnaround for decisions and improved flexibility for supplying products and services.

For more information about these benefits, see Chapter 2, "Approaches to Virtual Private Network Quarantine."

Who Should Read This Guide

This guide provides useful information for those people within a large organization who deal with strict privacy concerns, and for those who work within a heavily enforced regulatory framework. It also pertains to organizations of all sizes that require identity protection and control of access to data.

The intended audience for this guide includes technical decision makers, enterprise architects, and enterprise security administrators who plan, deploy, or operate remote access links and network security. Consultants who plan, deploy, or operate Microsoft Windows based VPN networks should also find this information useful.

Reader Prerequisites

This guide assumes its readers have a functional knowledge of remote access management concepts and technologies. To implement the solutions in the guide, readers should have an understanding of and familiarity with the following areas and technologies:

Windows Server 2003 remote access

Internet Authentication Service (IAS) or other implementations of Remote Authentication Dial-in User Service (RADIUS)

Connection Manager and Connection Manager Administration Kit (CMAK)

Scripting or batch file programs

Certificate services and public key infrastructure (PKI)

This guide covers the Operating and Supporting process model quadrants within the Microsoft Operations Framework (MOF). It also covers the Security Administration and Incident Management service management functions (SMF) within MOF. For more information about MOF, see the Microsoft Operations Framework Web site at http://www.microsoft.com/mof.

Planning Guide Overview

This guide consists of the following chapters:

Chapter 1: Introduction

This chapter provides an executive summary, introduces the business challenges and benefits of deploying VPNs with quarantine service, suggests the recommended audience for the paper, lists the reader prerequisites, and provides an overview of the chapters and solution scenarios in this guide.

Chapter 2: Approaches to VPN Quarantine

This chapter outlines the approaches to VPN quarantine access. It also discusses the essential elements for the VPN access for telecommuter scenario solution.

Chapter 3: Issues and Requirements

This chapter introduces the Woodgrove National Bank scenario. It then defines the background, business issues, technical and security issues, and the solution requirements for the VPN quarantine scenarios for Woodgrove National Bank. This chapter also discusses the solution scenario for VPN access for telecommuters, examining the business, technical and security challenges of this scenario.

Chapter 4: Design the Solution

This chapter describes in detail how to plan the scenario solution for VPN access for telecommuters. It discusses the solution concept, prerequisites, solution architecture, and describes how the solution works. Finally, the chapter describes how to extend the solution.

In addition to a general discussion of using VPN with quarantine services, this guide provides prescriptive guidance for implementing a secure remote access solution, which builds on the Woodgrove National Bank scenario introduced in this series. This scenario covers how to implement secure VPN access for telecommuters.

Microsoft created the Woodgrove National Bank scenario to illustrate the typical challenges that organizations face in providing VPN network quarantine services, and how Microsoft technologies can address these challenges. This scenario addresses how to:

Implement highly secure remote access for field sales personnel who are rarely in the office.

Provide business continuity following a major weather event, so that employees can continue to be productive from home.

Provide flexible working conditions so that workers can choose to work from home.

Deliver timely software updates to remote computers.

Related Resources

Read other security solutions from the Microsoft Solutions for Security and Compliance (MSSC) team.

Give Us Your Feedback

The Microsoft Solutions for Security and Compliance (MSSC) team would appreciate your thoughts about this and other security solutions.

Have an opinion? Let us know on the Security Solutions Blog for the IT Professional.

Or e-mail your feedback to the following address: SecWish@microsoft.com. We respond often to feedback that is sent to this mailbox.

We look forward to hearing from you.

