Implementing Quarantine Services with Microsoft Virtual Private Network Planning Guide

Chapter 3 - Issues and Requirements

Updated: December 31, 2007

Introduction

Using virtual private network (VPN) quarantine to help secure remote access requires that an organization implement several technologies that must integrate smoothly and operate reliably as a single unit. To achieve success, an organization must clearly understand the underlying issues and requirements of each technology, and of how it interacts with the other technologies.

This chapter analyzes the solution scenario for Woodgrove National Bank, and the issues surrounding the Woodgrove National Bank solution. Chapter 4, "Design the Solution," then incorporates this blueprint into an acceptable solution to those requirements.

The Woodgrove National Bank Scenario

Woodgrove National Bank is a fictional global investment bank that serves institutional, corporate, government, and individual clients in its role as a financial intermediary. Its business includes securities underwriting, sales, trading, financial advisory services, investment research, venture capital, and brokerage services for financial institutions.

Woodgrove National Bank is a fully owned subsidiary of WG Holding Company. WG Holding Company is a leading global financial services company headquartered in London, England. WG owns five companies: Woodgrove National Bank, NorthWind Trading, Contoso, Ltd., Litware Financials, and Humongous Insurance. All of these companies are large corporations, each employing more than 5,000 users.

Geographical Profile

Woodgrove National Bank employs more than 15,000 people in more than 60 offices worldwide. It has corporate headquarters (hub locations) with large numbers of employees in New York (5,000 employees), London (5,200 employees), and Tokyo (500 employees). Each hub location supports several offices.

For each region served by corporate headquarters, there are a number of small secondary sites (for example, Boston and Atlanta in North America). In addition to the hub locations there are two other primary corporate locations, Sydney and Johannesburg, each of which has its own dedicated file, print, and application servers.

IT Organization Profile

Although Woodgrove National Bank has a mixed server environment with Microsoft® Windows® and UNIX, its infrastructure runs on a Windows Server backbone. The majority of servers are located in the three corporate headquarters locations at New York, London, and Tokyo. The following figure shows the layout of the corporate locations and the links between them.


Figure 3.1 Woodgrove National Bank network environment.

Woodgrove National Bank currently uses a variety of Microsoft products and technologies for intranet and extranet services. Woodgrove National Bank uses a Windows 2000 Active Directory® directory service infrastructure, and is in the process of upgrading all domain controllers to Microsoft Windows Server™ 2003. Woodgrove has no legacy client computers; all desktop and laptop computers run Windows 2000 Professional with Service Pack 4 (SP4) or later, or Windows XP Professional with SP2 or later operating systems. The Woodgrove National Bank IT department has extensive experience with Windows Server 2003.

Cope with Regulatory Requirements

Woodgrove National Bank must operate within the requirements of the relevant financial regulatory frameworks for each country/region in which it operates. It must also comply with all applicable data protection legislation and demonstrate effective operational security.

Provide Secure Access to Remote Workers

Woodgrove National Bank provides remote access to the corporate network for sales staff, IT support workers, and corporate executives. The current remote access solution employs dial-in networking through private circuits to dedicated remote access servers that have modems or Integrated Services Digital Network (ISDN) adapters. These connections are slow and expensive when compared to broadband, particularly for remote users traveling overseas.

The increasing availability of broadband Internet access allows organizations to use VPN for remote access scenarios. Although this approach provides savings by eliminating dial-up access and provides a better user experience, the vulnerability to malicious attack increases as proprietary data traverses the Internet.

Comply with Regulatory Requirements

As a financial institution, Woodgrove Bank must comply with strict legal requirements in various countries/regions. The bank must also maintain customer confidence by protecting corporate and customer assets. Woodgrove Bank has implemented a secure computer initiative and has set strict security policies on all computers that access the company network, both on the LAN and through remote connections.

Check Software Updates

With the existing remote access solution, it is difficult to ensure that remote computers have the latest security updates and updates for applications and operating systems. The Woodgrove National Bank IT department has been unable to prevent access by unauthorized computers that use out-of-date antivirus programs or that have active viruses and might infect the network. This weakness can put the corporate network at risk and has forced Woodgrove National Bank to restrict connectivity to a small number of users.

The Woodgrove IT department must overcome these challenges and provide a secure reliable service that benefits remote workers, but does not put the corporate network at risk. The remainder of this document refers to the planning factors and choices that Woodgrove National Bank faced as it addressed the issues of implementing VPN quarantine.

Implement VPN Access for Telecommuters

Like many organizations, Woodgrove National Bank has found that many executives and account managers are more productive if they can work from home at least one day a week. For example, account managers can write proposals, plan meetings, and modify customer contact information while they are out of the office. Woodgrove National Bank wants to extend the work-from-home option to other divisions and departments, but is concerned about the risks of allowing computers that do not meet Woodgrove IT department compliance standards to connect to the corporate network. Therefore, Woodgrove IT only allows employees who have domain-joined computers to connect from remote locations.

Business Issues

The team that plans the implementation of VPN access for telecommuters has identified the following issues:

Consistency. To develop and deploy a secure and reliable remote access service across the enterprise, all Woodgrove National Bank organizations and subsidiaries must adhere to a clearly defined and consistent security framework.

Well-defined roles and responsibilities. Various groups within the Woodgrove National Bank IT team have struggled with unclear roles and responsibilities in the delivery of a secure service. As the security strategy emerged, it became apparent that the organization needed to decide who should be responsible for the remote access network. Process discussions led to the evaluation of the responsibilities of IT administrative teams.

Technical Issues

The planning and the initial pilot phases identified the following technical problems:

Storage of security updates and hotfixes. Woodgrove IT decided to use Windows Update to ensure that remote access computers have the latest security updates. Because Windows Server Update Services (WSUS) uses Background Intelligent Transfer Service (BITS), Woodgrove found Internet-facing WSUS servers too slow to update remote access computers. Woodgrove IT found that launching Internet Explorer and pointing the user to Windows Update achieved updates quickly and without the management overhead of supporting additional servers.

Lack of detailed alerts, monitors, or metrics. For Woodgrove National Bank to effectively manage the solution's security, quality, cost, and user experience, the Woodgrove IT support teams need accurate measurements of the quality of service of the remote access solution. Woodgrove National Bank can monitor the main aspects of remote access server performance and general remote access system health, but not the health or quality of the VPN connections.

Application delay in quarantine mode. Running a quarantine script creates a delay from the initial connection to the time when the client computer clears quarantine. The length of the delay depends on how long it takes to run the quarantine script and send the notification, and for the remote access server to remove the quarantine restrictions. However, some applications attempt to make connections immediately after the client computer makes the initial network connection. Should the VPN quarantine filters not allow the application's traffic, the remote access server drops the application's startup traffic and the application fails. Remote access users should receive training not to start applications until the connection is completed.

Security Issues

The following issues affect the security strategy for the Woodgrove National Bank implementation of VPN quarantine:

Inability to manage remote clients. Woodgrove National Bank currently lacks any established or enforced client computer standards, and has no means to enforce remote client software configurations, such as to enable Windows Firewall, as part of the logon process.

Validate software updates. Woodgrove National Bank has no way to validate the status of antivirus and other security-related software updates on a client computer prior to its connection to the corporate network. This situation can result in infected remote client computers attacking corporate assets, which results in downtime and mitigation costs.

Solution Requirements

The solution that Woodgrove National Bank implements for VPN quarantine must satisfy the following requirements:

Ensure that all remote access security requirements are met within a predetermined time frame before allowing unrestricted remote access connections onto the corporate network.

Ensure that when devices connect to the corporate network they are not accessible from other computers on the network.

Require that each computer that connects to the corporate network conforms to standardized network security policies. These policies include a specified antivirus program and full compliance with up-to-date antivirus signatures and approved security updates.

Provide a user experience that is non-intrusive, fast, and easy to use.

Allow for a simple and cost-effective client software deployment.

Monitor and log all remote access activity.

Provide a reliable and highly available service.

With these objectives in place, Woodgrove National Bank extensively researched and examined their design options. Chapter 4, "Design the Solution," presents the results of this research.
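The quarantine flow described under "Application delay in quarantine mode" and the compliance and time-frame requirements listed above, modelled as an added example. This is not Woodgrove's or Microsoft's code and does not talk to the Routing and Remote Access service; it only shows the decision logic. The policy values (approved antivirus product, signature age, required updates, time limit), the notification port, and the fields of the client report are all assumptions, and the sample reports are constructed.

```python
"""Model of VPN quarantine decision logic (added example; hypothetical policy
values, port number and client report fields; constructed sample reports)."""

from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Set

# Hypothetical policy values; a real deployment takes these from IT policy.
APPROVED_ANTIVIRUS = "Example AV"                      # placeholder product name
MAX_SIGNATURE_AGE = timedelta(days=3)
REQUIRED_UPDATES: Set[str] = {"KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2"}
QUARANTINE_TIMEOUT = timedelta(seconds=120)            # the "predetermined time frame"
# While quarantined, only the port the client uses to report its result is open.
QUARANTINE_ALLOWED_TCP_PORTS = {7250}                   # assumed notification port


@dataclass
class ClientReport:
    """What the quarantine script gathers on the client (constructed fields)."""
    firewall_enabled: bool
    antivirus_product: str
    signature_date: date
    installed_updates: Set[str]
    check_duration: timedelta   # time to run the script and send the notification


@dataclass
class Decision:
    released: bool
    reasons: List[str]


def evaluate_health(report: ClientReport, today: date) -> List[str]:
    """Return the list of policy failures; an empty list means compliant."""
    failures = []
    if not report.firewall_enabled:
        failures.append("Windows Firewall is disabled")
    if report.antivirus_product != APPROVED_ANTIVIRUS:
        failures.append(f"antivirus product {report.antivirus_product!r} is not approved")
    signature_age = today - report.signature_date
    if signature_age > MAX_SIGNATURE_AGE:
        failures.append(f"antivirus signatures are {signature_age.days} days old")
    missing = REQUIRED_UPDATES - report.installed_updates
    if missing:
        failures.append("missing approved security updates: " + ", ".join(sorted(missing)))
    return failures


def process_connection(report: ClientReport, today: date) -> Decision:
    """Decide whether the remote access server lifts the quarantine restrictions."""
    # The client stays restricted until its notification arrives; if the script
    # overruns the time frame the server drops the session rather than waiting.
    if report.check_duration > QUARANTINE_TIMEOUT:
        return Decision(False, [f"quarantine timed out after {QUARANTINE_TIMEOUT.seconds}s; session dropped"])
    failures = evaluate_health(report, today)
    return Decision(not failures, failures)


def filter_allows(tcp_port: int, released: bool) -> bool:
    """Quarantine filter: before release only the notification port passes, so an
    application that opens a connection right after dial-in has its traffic dropped."""
    return released or tcp_port in QUARANTINE_ALLOWED_TCP_PORTS


# Constructed sample reports evaluated against a fixed "today".
TODAY = date(2007, 12, 31)
COMPLIANT = ClientReport(True, APPROVED_ANTIVIRUS, date(2007, 12, 30), set(REQUIRED_UPDATES), timedelta(seconds=40))
STALE_SIGNATURES = ClientReport(True, APPROVED_ANTIVIRUS, date(2007, 12, 1), set(REQUIRED_UPDATES), timedelta(seconds=40))
NONCOMPLIANT = ClientReport(False, APPROVED_ANTIVIRUS, date(2007, 12, 30), {"KB-PLACEHOLDER-1"}, timedelta(seconds=40))
SLOW_SCRIPT = ClientReport(True, APPROVED_ANTIVIRUS, date(2007, 12, 30), set(REQUIRED_UPDATES), timedelta(seconds=150))

if __name__ == "__main__":
    for name, report in [("compliant", COMPLIANT), ("stale signatures", STALE_SIGNATURES),
                         ("noncompliant", NONCOMPLIANT), ("slow script", SLOW_SCRIPT)]:
        print(f"{name}: {process_connection(report, TODAY)}")
    print("file share (445) during quarantine allowed:", filter_allows(445, False))
    print("file share (445) after release allowed:", filter_allows(445, True))
```

The `filter_allows` check is the point of the application-delay issue: a client application that opens a connection on a port other than the notification port before the server has lifted the restrictions is simply dropped, whatever the outcome of the health check turns out to be.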

Use Microsoft Operations Framework

Woodgrove National Bank uses Microsoft Operations Framework (MOF) principles to manage and implement change within the company's network. MOF provides a collection of best practices, principles, and models that provide guidance for achieving high availability, reliability, and security. The two main areas that MOF affects are change management and operations.

For more information about MOF, see the Microsoft Operations Framework Web site on TechNet, at www.microsoft.com/technet/itsolutions/cits/mo/mof/default.mspx.

Implement Change Management

The system architects at Woodgrove National Bank appreciate that any project of this size needs effective planning and management. A management steering committee must oversee the budget, schedules, solution component development, and provide final approval for each phase of the project.

The Woodgrove National Bank IT department understands the need to test the solution and implement pilot deployments prior to deployment in the production environment. Woodgrove operates in a global environment and realizes the need to adhere to specific processes for scheduling changes and providing clear communication to management, users, and help desk personnel.

To ensure a smooth rollout of VPN quarantine, Woodgrove National Bank plans to set up virtual teams around the world. These teams must work closely to design, develop, and test the design and technologies in differing scenarios. These teams can then work to schedule, communicate, and manage changes to the remote access environment during deployment.

In addition, the Woodgrove IT department must work with the operations support teams to schedule changes, usually based on the local time that would have the smallest effect on users or business units. In most remote access scenarios, the best time to make major changes is during business hours of 9 A.M. to 5 P.M. Monday to Friday, because most remote access connections occur outside these times. However, with the increased use of remote access to support business strategy during core business hours at Woodgrove National Bank, this is not always the case. Hence, effective analysis on a location-by-location basis is required to ensure that changes have minimal effects on operations.

Monitor Operations

Woodgrove National Bank has a monitoring and alerting framework in place throughout its enterprise network that uses Microsoft Operations Manager (MOM) 2005. Woodgrove IT must extend this framework to cover the deployment of remote access solutions. Before you can monitor VPN quarantine, you must install the Routing and Remote Access Service Management Pack for MOM, available at www.microsoft.com/downloads/details.aspx?FamilyId=D1005486-2EEB-44A5-8196-5D4EB24F6EA0&displaylang=en.

To pinpoint trouble areas during deployments, Woodgrove National Bank uses data collection and analysis methods. A key process element that Woodgrove National Bank IT uses to manage service health is a remote access dashboard (a suite of visual gauges) that monitors live data. The dashboard can capture, plot, and highlight single user incidents that indicate connectivity issues.

Data collection and analysis are critical to the management of services during any major changes and in the service management functions. By combining collected data and reports with help desk data, the Woodgrove National Bank IT department can determine the overall health of a service with a high degree of confidence at any given time. Operations teams can use this data to review any service-affecting event, correlate the effects to the service, and build proactive response plans and future predictability for the service.

Recording this data is extremely valuable, whether to measure daily use or to identify long-term trends. The Woodgrove IT operations support teams use Microsoft SQL Server™ 2000 and On-Line Analytical Processing (OLAP) to generate reports to track, measure, and quickly analyze:

Overall health of the service, with the ability to focus on specific areas.

Infrastructure data that reflects server health and performance.

Client data that reflects specific user experiences, such as time to connect, first-time success, specific actions that might be failing, user location, and ISP access number.

Issues that affect both service and user productivity.

Detail on the highest operational costs for budgetary and planning purposes.

Help desk ticket resolution against internal service level agreements (SLAs) to target improvements to processes or documentation.
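The client-side figures listed above (time to connect, first-time success, failing actions) and the single-user incidents the dashboard highlights, computed over constructed log lines as an added example. This is not Woodgrove's reporting tooling or the MOM management pack: the key=value line format is hypothetical and the events, users and timestamps are made up; real data would be exported from the collection database.

```python
"""Remote access service-health metrics over constructed log lines (added
example; hypothetical log format and made-up sample data)."""

import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample: one line per remote access event.
SAMPLE_LOG = """\
2007-12-03 08:01:12 user=alice event=connect
2007-12-03 08:01:15 user=alice event=quarantine_enter
2007-12-03 08:01:58 user=alice event=quarantine_exit result=released
2007-12-03 08:05:00 user=bob event=connect
2007-12-03 08:05:02 user=bob event=quarantine_enter
2007-12-03 08:07:30 user=bob event=quarantine_exit result=dropped reason=timeout
2007-12-03 08:09:00 user=bob event=connect
2007-12-03 08:09:03 user=bob event=quarantine_enter
2007-12-03 08:09:40 user=bob event=quarantine_exit result=released
2007-12-03 08:15:00 user=carol event=connect
2007-12-03 08:15:02 user=carol event=quarantine_enter
2007-12-03 08:15:20 user=carol event=quarantine_exit result=dropped reason=firewall_disabled
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.+)$")


def parse_line(line: str) -> Tuple[datetime, Dict[str, str]]:
    """Split a log line into its timestamp and key=value fields."""
    match = LINE_RE.match(line)
    if match is None:
        raise ValueError(f"unparseable log line: {line!r}")
    stamp = datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S")
    fields = dict(item.split("=", 1) for item in match.group(2).split())
    return stamp, fields


def connection_attempts(log_text: str) -> Dict[str, List[dict]]:
    """Pair each connect event with the quarantine_exit that ends it, per user."""
    pending: Dict[str, datetime] = {}
    attempts: Dict[str, List[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, fields = parse_line(line)
        user = fields["user"]
        if fields["event"] == "connect":
            pending[user] = stamp
        elif fields["event"] == "quarantine_exit" and user in pending:
            started = pending.pop(user)
            attempts[user].append({
                "result": fields["result"],
                "reason": fields.get("reason"),
                "seconds": (stamp - started).total_seconds(),  # time to connect
            })
    return attempts


def summarize(log_text: str) -> dict:
    """Dashboard figures: volume, released sessions, first-time success rate,
    mean time to connect for released sessions, and single-user incidents."""
    attempts = connection_attempts(log_text)
    all_attempts = [a for user_attempts in attempts.values() for a in user_attempts]
    released = [a for a in all_attempts if a["result"] == "released"]
    first_time_ok = sum(1 for user_attempts in attempts.values()
                        if user_attempts[0]["result"] == "released")
    incidents = sorted(
        (user, a["reason"])
        for user, user_attempts in attempts.items()
        for a in user_attempts if a["result"] != "released"
    )
    return {
        "attempts": len(all_attempts),
        "released": len(released),
        "first_time_success_rate": round(first_time_ok / len(attempts), 3) if attempts else 0.0,
        "mean_time_to_connect_s": (sum(a["seconds"] for a in released) / len(released)) if released else None,
        "incidents": incidents,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The incidents list is what the dashboard would surface for follow-up: a session dropped for a timeout points at a slow quarantine script or link, while one dropped for a disabled firewall is a client compliance problem for the help desk rather than a server fault.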

This monitoring and operations framework provides Woodgrove National Bank with a suitable environment to implement the VPN quarantine solution. The final chapter in this guide describes how Woodgrove National Bank planned the implementation of VPN quarantine and the decisions they took before the rollout process.

