Implementing Quarantine Services with Microsoft Virtual Private Network Planning Guide

Chapter 2 - Approaches to Virtual Private Network Quarantine

Published: June 30, 2005 | Updated: October 23, 2007

Introduction

Virtual private network (VPN) remote access connections are an increasingly mature technology. However, providing quarantine for VPN connections is a more recent concept. This chapter introduces the following elements that provide VPN quarantine services:

Client-based components

Server-based components

Network components

Note: Microsoft® Windows Server™ 2003 with Service Pack 1 (SP1) provides a supported VPN quarantine implementation. Although Microsoft Internet Security and Acceleration (ISA) Server 2004 also provides VPN quarantine control, Microsoft Customer Support Services does not currently fully support this implementation of VPN quarantine control.

Virtual Private Network Quarantine Overview

VPN technologies allow users to access a private network through a secure and authenticated connection that runs over the top of public network services such as the Internet. These connections use a tunneling protocol that digitally seals (encrypts) each packet before routing the packets across the public network. The detail of this process varies depending upon the VPN mechanism used. The destination network receives the packets and decrypts them. The client computer simply appears to have a direct connection to the private network.

VPN quarantine works by delaying full connectivity to a private network while examining and validating the configuration of the remote access computer against organizational standards. If the computer that connects is not compliant with the organization's policy, the quarantine process can install service packs, security updates, and virus definitions before it allows the computer to connect to other network resources. Because VPN quarantine relies on checks performed by the client, a malicious user could bypass the computer checks. VPN quarantine is not designed to protect the network from a determined attacker, but rather to help prevent an authorized user from connecting with a computer that is unintentionally not compliant with the organization's computer configuration requirements.

Note: VPN quarantine does not guarantee a complete security solution, but helps prevent computers that have unsafe configurations from connecting to a private network. However, VPN quarantine does not protect a private network from malicious users who have obtained a valid set of credentials and who log on using computers that comply with the organization's computer health policy. VPN quarantine also does not protect against an authorized user who connects with a computer that meets the security requirements and then decides to perform a malicious attack.

Implementing VPN quarantine requires the following components:

Quarantine-compatible remote access clients

Quarantine-compatible remote access server

Quarantine-compatible Remote Access Dial-In User Service (RADIUS) server (optional)

Quarantine resources

Accounts database

Quarantine remote access policy

This section provides an overview of how these components work together to provide the VPN quarantine solution.

Note: A VPN quarantine solution can use either RADIUS or Windows authentication, although RADIUS is the preferred method. The section "Implement Internet Authentication Service" later in this chapter provides more information about IAS, which is the Microsoft implementation of RADIUS.

Connect Using Virtual Private Network

When a computer initiates a VPN connection to a Microsoft Windows®-based remote access server, the server performs the following actions:

1. The remote access server allows the connection by performing checks against the configured remote access policies.

2. The remote access server checks that the user is entitled to connect remotely.

3. The remote access server authenticates the user credentials against the directory service or authentication service.

4. The remote access server assigns an IP address to the remote computer.

In standard VPN implementations, the user has access to all authorized network resources upon successful completion of these four steps. At no time does the computer check for security updates, antivirus protection, and so on.

Connect Using Virtual Private Network Quarantine

The following figure outlines one approach to VPN quarantine that utilizes resource servers located on a quarantine subnet.

Figure 2.1 The VPN quarantine process path

VPN quarantine implements a modified process when the user attempts to connect to the remote network. The process includes the following steps:

1. The computer performs a pre-connection check to ensure that the computer meets certain basic requirements. These might include hotfixes, security updates, and virus signatures. The pre-connection script stores the results of this check locally. An organization can also run post-connection security checks if it wants.

2. After the pre-connection checks have succeeded, the computer connects to the remote access server using VPN.

3. The remote access server authenticates the user credentials with the RADIUS server against the stored user name and password in the Active Directory® directory service. RADIUS is an optional component in this process.

4. If Active Directory authenticates the user, the remote access server places the client in quarantine, using the VPN quarantine remote access policy. The remote access client computer's access is limited to the quarantine resources specified by the remote access policy. Quarantine can be enforced in two possible ways on the remote access client computer: using a specific time-out period so that the client computer does not stay in quarantine indefinitely, or using an IP filter that restricts IP traffic to the specified network resources only.

5. The post-connection script notifies the remote access server that the client complies with the specified requirements. If the connection does not meet the requirements within the specified time-out period, the script notifies the user and drops the connection.

6. The remote access server removes the client computer from quarantine mode by removing the IP filter and grants appropriate access to network resources specified by the remote access policy.

Note: If the connection fails, the user receives a message that describes the reason for the failure.

While in quarantine mode, the client has access only to resources located in a quarantine network. This network can consist of a separate quarantine subnet, or a defined set of Internet-facing servers. The quarantine network provides resources to enable a remote computer to comply fully with the prescribed security requirements. These resources typically include a DNS server for name resolution, a Web server to publish user instructions, and a file server to download any required updates, service packs, or antivirus utilities. The remote access server implements a custom IP filter that restricts the client to specific quarantine resources. The custom IP filter allows communication only over limited ports to named computers on a separate subnet.

Locating the resources on a quarantine subnet requires a long session time-out so that the client computer can download all required updates while it is in quarantine. Using Internet-facing update servers to update the computer before you make the VPN connection has the benefit of keeping the quarantine time-out short. In both cases, the script performs the client updates, not the quarantine network itself.

The VPN quarantine access policy specifies a configurable time-out value. The remote access server terminates the connection if the client does not pass the network compliance test within a set period. For more information about VPN quarantine settings, see Chapter 4, "Design the Solution."

When you implement VPN quarantine, it is important to ensure that all solution components interoperate correctly. The next section looks at those components and briefly discusses the planning issues with each one.

Client Components

Because VPN quarantine relies on the components that run on the remote client, it is important to understand the function and configuration of these components. Connection Manager and the Connection Manager Administration Kit (CMAK) are of particular importance.

Connection Manager Overview

Connection Manager centralizes and automates the establishment and management of network connections. Connection Manager supports several key areas for VPN quarantine configuration:

Pre-connection security checks to manage client computer configurations automatically.

Post-connection security checks and logon validations.

The administrative team installs the Connection Manager client dialer software on each remote access client. This software can include more advanced features than those provided by a manually configured remote access connection.

Simplify the Connection Process

Connection Manager also simplifies the connection process for the user. It limits the number of configuration options that a user can change, which helps to ensure that the user can connect successfully. The following examples show areas in which organizations can customize Connection Manager entries:

Users can select from a list of phone numbers based on their physical location.

Users see customized graphics, icons, messages, and Help.

Connection Manager can create a dial-up connection to the Internet before it makes the VPN connection.

Connection Manager can run custom actions during the connection process, such as pre-connect and post-connect actions. Examples include resetting the dialer profile or configuring the Windows Firewall to ignore exceptions to packet filter rules.

To implement a manageable solution, administrators must be able to create and deploy Connection Manager settings to multiple computers, which requires them to create Connection Manager profiles.

Create a Connection Manager Profile

Connection Manager profiles are customized Connection Manager client dialer packages in the form of a self-extracting executable file. Network administrators can use CMAK to create these profiles. Organizations can deploy the resulting Connection Manager profiles to client computers by using Active Directory Group Policy or other software installation mechanisms, such as an Internet-facing Web server or software distribution in Microsoft Systems Management Server 2003.

When the user runs the executable, it installs the profile onto the local computer along with the correct settings to connect to the remote access servers. A user only has to select the profile name in the Connect To menu in Windows XP, and the profile automatically establishes the appropriate dial-up and VPN connections.

Customize a Connection Manager Profile

The flexible design of Connection Manager enables IT administrators to write and insert modules based on specific management or security requirements. The Connection Manager Administration Kit wizard guides you through a variety of options when you configure a Connection Manager profile. For more information about the Connection Manager Administration Kit, see the Connection Manager Administration Kit topic at http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_CMAKtopnode.asp.

Implement Custom Actions in Connection Manager

You can use the CMAK wizard to include custom actions in Connection Manager profiles to automatically start programs when users connect to the network. The CMAK wizard enables you to specify custom actions to run at five different points during the connection process:

Pre-init (pre-initialization) actions. As soon as users start Connection Manager, the specified pre-initialization actions execute. These actions run before the Connection Manager logon screen appears. Note that Connection Manager pre-init actions run when the user opens the Properties dialog box or starts the service profile.

Pre-connect actions. As soon as a user clicks Connect, Connection Manager runs the pre-connect actions specified in the service profile. Pre-connect actions run before Connection Manager establishes a connection to the remote access service. For actions that relate specifically to tunneling, Connection Manager uses pre-tunnel actions.

Pre-tunnel actions (for VPN). Connection Manager runs pre-tunnel actions after it establishes a connection with the Internet Service Provider, but before it establishes a tunnel to the VPN server. This type of action is available only if VPN is part of a Connection Manager service profile.

Post-connect actions. Connection Manager runs post-connect actions after it establishes a tunnel. You can configure each post-connect action specified in the CMAK wizard to run every time the user connects to the remote access service.

Disconnect actions. Connection Manager runs disconnect actions immediately before it disconnects from the service. You can use the disconnect actions for routine administration, for example to gather data on total minutes online. The user can then view this information. The operations team can also use this data to analyze the user experience.

Note: Disconnect actions run even if Connection Manager did not cause the disconnection. For example, if a disruption in telephone service ends the user's connection, Connection Manager attempts to run the disconnect actions that the service profile specifies after the unexpected disconnection.

A typical pre-tunnel action might run a network policy requirements script to check the client computer for compliance. For descriptions of a network policy requirement script, see Appendix A, "Sample Quarantine Scripts," in this document.

The Remote Access Quarantine Agent

VPN quarantine currently requires a separate client agent that works with the appropriate listener component that runs on the remote access server. The client agent informs the server component that the client has passed the required checks, so that the remote access server can grant access to intranet resources.

Windows Server 2003 with SP1 provides a client agent (RQC.exe) that communicates with the Remote Access Quarantine Service (RQS.exe) over Transmission Control Protocol (TCP) Port 7250. At the point of quarantined connection, the listening component (RQS) sends the client (RQC) a secret shared key. If the client meets the necessary conditions, the client sends the server the shared key so that the remote access server can lift quarantine. You install the Remote Access Quarantine Agent as part of the Connection Manager Administration Kit.

Server Components

The central component of VPN quarantine is the VPN remote access server, which fulfills the following functions:

Runs the Remote Access Quarantine Service

Applies the remote access policy for quarantine access

Negotiates communications with the client agent

Receives notification of policy compliance from the client agent

Applies the remote access policy for unrestricted access

The Remote Access Quarantine Service in Windows Server 2003 with SP1 supports the necessary application programming interfaces (APIs) to place a remote computer into quarantine, and then remove that computer from quarantine restrictions after the client agent reports compliance.

The Remote Access Quarantine Service is an optional component in Windows Server 2003 with SP1. The Remote Access Quarantine Service consists of an executable (RQS.exe) that listens on TCP Port 7250 for a notification from the client agent. The Remote Access Quarantine Service component in Windows Server 2003 with SP1 is the only version of the quarantine service that Microsoft Customer Support Services supports.

Note: Any firewalls between the remote access server and the client must allow traffic on Port 7250. The remote access server requires you to allow incoming traffic for TCP Port 7250.

The quarantine restrictions placed on individual VPN connections consist of:

Quarantine packet filters that restrict the traffic that a quarantined remote access client can send or receive.

A quarantine session timer that restricts the amount of time the client can remain connected in quarantine mode before forcible disconnection.
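As an added illustration (not part of this guide, and not the code of RQS.exe or RQC.exe), the following Python model shows how the quarantine process steps described earlier in this chapter and the two restrictions just listed fit together: the quarantine IP filter, the quarantine session timer, and the shared-key notification that the client agent sends on TCP Port 7250. The subnet, addresses, key and time-out are constructed values.

```python
import ipaddress
from dataclasses import dataclass, field

RQS_PORT = 7250                 # TCP port on which RQS listens for the RQC notification
SHARED_KEY = "demo-shared-key"  # constructed placeholder; RQS hands the real key to RQC

@dataclass(frozen=True)
class FilterRule:
    """One allow entry of the quarantine IP filter: traffic to network:port is permitted."""
    network: ipaddress.IPv4Network
    port: int

@dataclass
class QuarantinedConnection:
    """Server-side state of one VPN connection: quarantined on connect, released by a
    valid RQC notification, dropped when the quarantine session timer expires."""
    client: str
    connected_at: float
    timeout_s: int                              # MS-Quarantine-Session-Timeout
    rules: list = field(default_factory=list)   # MS-Quarantine-IPFilter allow list
    state: str = "quarantined"                  # quarantined | connected | dropped

    def allows(self, dst_ip: str, dst_port: int) -> bool:
        """Does the filter currently applied to this client permit dst_ip:dst_port?"""
        if self.state == "connected":
            return True     # filter removed: the normal remote access policy applies
        if self.state == "dropped":
            return False
        ip = ipaddress.ip_address(dst_ip)
        return any(ip in r.network and dst_port == r.port for r in self.rules)

    def tick(self, now: float) -> str:
        """Enforce the session timer: a client still quarantined at time-out is dropped."""
        if self.state == "quarantined" and now - self.connected_at >= self.timeout_s:
            self.state = "dropped"
        return self.state

    def notify(self, key: str, now: float) -> str:
        """Handle the notification RQC sends on TCP 7250 after the client-side script
        succeeds: only the matching key lifts quarantine, and only before time-out."""
        if self.tick(now) != "quarantined":
            return self.state
        if key == SHARED_KEY:
            self.state = "connected"
        return self.state

def demo() -> dict:
    """Walk two connections through the process using constructed addresses."""
    subnet = ipaddress.ip_network("10.0.99.0/24")   # constructed quarantine subnet
    rules = [FilterRule(subnet, 53),    # DNS server for name resolution
             FilterRule(subnet, 80),    # Web server with user instructions
             FilterRule(subnet, 445)]   # file server with updates and antivirus files
    conn = QuarantinedConnection("client-1", connected_at=0.0, timeout_s=600, rules=rules)
    results = {
        "dns_in_quarantine": conn.allows("10.0.99.10", 53),
        "intranet_in_quarantine": conn.allows("10.0.1.25", 445),
        "wrong_key": conn.notify("not-the-key", now=30.0),
        "good_key": conn.notify(SHARED_KEY, now=60.0),
        "intranet_after_release": conn.allows("10.0.1.25", 445),
    }
    late = QuarantinedConnection("client-2", 0.0, 600, rules)
    results["late_notification"] = late.notify(SHARED_KEY, now=700.0)   # timer expired
    return results
```

The model makes the trust boundary visible: the server only ever sees the key, not the checks, which is why the chapter stresses that quarantine limits accidental non-compliance rather than a determined attacker.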

Network Requirements

The network components required for a VPN quarantine solution include:

Internet Authentication Service (IAS) servers

Windows Server Update Services (WSUS) servers (optional component)

Windows Update (optional component)

Additional network components

The network also must provide the necessary bandwidth to support the solution. The network should also provide the necessary routes and gateways for efficient packet transmission.

Implement Internet Authentication Service

RADIUS offers greater flexibility for authenticating users over VPN connections, such as support for Extensible Authentication Protocol (EAP) standards. EAP enables two-factor authentication controls with digital certificates or smart cards.  

Organizations only need IAS servers if they want to configure the remote access server to use RADIUS as the authentication provider. There are many benefits to using IAS for RADIUS authentication in a VPN quarantine scenario. The use of IAS:

Enables centralized user authorization and authentication.

Integrates with Active Directory.

Provides a wide range of authorization and authentication options.

The IAS server manages the authentication process, which delivers the user’s authentication request and logon information to Active Directory. Active Directory then compares the logon information to the credentials for that remote user. If the credentials match, IAS authenticates the user. For more information about IAS, see the Internet Authentication Service Web site at www.microsoft.com/windowsserver2003/technologies/ias/default.mspx.

Note: Only IAS in Windows Server 2003 supports configuration of the advanced attributes in remote access policy profiles that are required to configure VPN quarantine. Other RADIUS implementations might not support this feature. For more information, see Chapter 4, "Design the Solution."

IAS is the only RADIUS server that supports the two vendor-specific attributes that VPN quarantine requires: MS-Quarantine-Session-Timeout and MS-Quarantine-IPFilter. For more information about the importance of these two attributes, see Chapter 4, "Design the Solution."

Use Windows Server Update Services

Before remote computers can connect to resources on the intranet, you should ensure that these computers have the latest service packs and security updates. WSUS provides a centralized database of software updates that can update remote computers. The remote access client computers check for updates through a custom action in the Connection Manager profile.

WSUS is suitable only for updating clients after they connect to the corporate network. Because WSUS makes use of idle bandwidth, it might take too long to update the remote access computers. For more information about WSUS, see the Microsoft Windows Server Update Services Web site at http://technet.microsoft.com/en-us/wsus/default.aspx.

Use Windows Update

Windows Update is an Internet Web site that hosts publicly available security updates and hotfixes for Microsoft operating systems. Remote computers can use Windows Update to download updates before they connect to the corporate network. Alternatively, the Automatic Updates service in Windows XP can check the Windows Update Web site on a regular basis and install security updates automatically. Windows Update is independent of Active Directory.

A pre-connection script can detect that the computer fails to meet the corporate network requirements. The script can then launch Microsoft Internet Explorer and direct the user to the Windows Update Web site. For more information about Windows Update, see the Windows Update Web site at http://windowupdate.microsoft.com.

Implement Additional Network Components

VPN quarantine might require the following additional network components:

Dynamic Host Configuration Protocol (DHCP) servers. DHCP provides automatic IP address allocation for remote clients. (Recommended)

Active Directory. Active Directory provides a method to authenticate user accounts. Active Directory integrates with IAS and supports additional security facilities, such as smart card authentication. (Recommended)

Domain Name System (DNS) servers. DNS provides name resolution services so that client computers on the quarantine network can connect to the WSUS servers, Web servers, and file servers that contain the antivirus files and other updates. (Recommended)

File servers. Contain the antivirus updates and full installations of the antivirus software. File servers are only necessary if you plan to update the remote access computers while they are in quarantine. (Optional)

Web servers. Provide instructions for end users on the process for removing their computers from quarantine and links to check that this process has completed. You can also use a Web server to distribute updates before making the VPN connection. (Optional)

For more information about how to plan to deploy these components, see Chapter 4, "Design the Solution."

This chapter examined the components that can provide VPN quarantine, which include the particular features in Windows Server 2003 with SP1. Chapter 3, "Issues and Requirements," examines the particular issues and constraints that Woodgrove National Bank faces as it implements this technology.
