Introduction

Now that you are familiar with the factors that your virtual private network (VPN) solution must address, you can start the design process. This process includes identifying the essential planning elements and making a logical analysis of the solution requirements. Woodgrove National Bank has carried out its appraisal of the business, technical, and security issues that the solution must address. This chapter covers the planning issues that the system architects considered, the conclusions they reached, and the resulting decisions they made to create the chosen solution.

Implement Remote Access for Telecommuters

Woodgrove National Bank telecommuters who work from remote locations require a consistent and reliable connection to the corporate network. Difficulties or excessive connection delays result in frustration and a lack of confidence in the service. Implementing VPN quarantine can increase user frustration because of the additional time it takes to connect to the network. Woodgrove National Bank IT must monitor connection delays and take steps to minimize them. Connection scripts should inform users of the connection status at each stage of the connection process. Network administrators require that remote access computers comply with network access policies before they can access network resources. The best way to protect the corporate network is to quarantine remote access computers and confirm that they meet network security policies before they can access network resources.

Solution Concept

The solution uses a combination of pre-connection scripts, client agents, and Microsoft® Windows Server™ 2003 with Service Pack 1 (SP1) components. Client computers initiate the VPN connection by using a custom Connection Manager profile. A Connection Manager profile is a self-extracting executable created with the Connection Manager Administration Kit (CMAK); it includes scripts and settings.
A pre-tunnel action script requires the client to install security updates before it creates the VPN connection. Remote access computers obtain their updates from Internet-facing servers managed by Woodgrove National Bank, from the antivirus vendor, and from the Windows Update Web site. After the client computer obtains the required updates, it makes the VPN connection and the user's credentials are authenticated against the Active Directory® directory service through Internet Authentication Service (IAS). The remote access server then restricts the incoming connection with quarantine packet filters that allow only limited access to resources. After the client agent confirms that the computer meets the security requirements, the remote access server removes the quarantine restrictions and the client computer can access all authorized intranet resources.

Solution Prerequisites

Before starting a project of this nature, it is necessary to meet certain prerequisites. The following section provides some general prerequisites for VPN quarantine.

Consult Users and Groups

One of the most important steps in planning a change that affects a user service is to consult the users and groups involved. Users provide valuable feedback about issues and the performance of any existing service. Users can also point out what features and experience they would like from a new service. Users must understand what to expect, and what not to expect, from the service. Managing expectations might be the key to gaining user acceptance. The organization can judge the success of the project only if measurable objectives are set. Woodgrove operates in several countries/regions throughout the world and has regional support centers. The initial team extensively canvassed feedback from users and support teams to identify and engage potential users, groups, and support staff to include in the pilots.
Recruit the Project Team

It is important to consider the mix of personnel and skills required to implement a project of this nature. The project team must consider whether the necessary skills are available in-house or whether additional personnel must be recruited. Because not all personnel are required at all stages of the project, you must check the availability of each individual throughout the project plan. The required roles include network architects, network management, the server management team, script developers, the infrastructure security team, and the project management team.

Solution Planning

During the planning process, Woodgrove considered the need to:
Implement Pilots or Tests

The size and scale of the organization govern the size and number of pilots. Woodgrove IT implemented two pilots. The first proved the concept and engaged experienced remote access users to highlight potential weak points and mitigate any business and technological issues. The initial pilot provided only limited access to corporate resources, so that a computer that appeared to pass the compliance checks but still had security issues could not expose the network. Any organization that implements a VPN quarantine solution must be satisfied that no computer that is infected or lacks the appropriate updates can bypass the quarantine security checks before the organization implements the solution and potentially exposes the corporate network. The second pilot engaged a much larger user base and included several inexperienced users to provide a more realistic test of the support issues that are likely to arise.

Administer Perimeter Network Servers with Terminal Services

The Woodgrove IT team uses Terminal Services administration mode to manage existing servers on the perimeter network. The Woodgrove IT team must add the Internet-facing update servers and the VPN remote access servers to this list, and must consider how to update and maintain these important servers.

Upgrade Quarantine Scripts

Over time, quarantine scripts must be updated and distributed with new builds of the Connection Manager profiles. Woodgrove chose to distribute the Connection Manager profiles through a Web server that requires user authentication. Remote access users receive an e-mail that notifies them of the distribution point.

Collect Performance Data

Measuring performance is a key factor in improving the service. Woodgrove IT must monitor the servers for performance, reliability, and security. The network team must be able to integrate the VPN quarantine solution into the existing monitoring and management structure.
Solution Architecture

The VPN quarantine solution at Woodgrove National Bank requires the following components:
The Woodgrove IT department first considered supporting all currently deployed versions of Windows. However, increased awareness of the threat to computers connected to the Internet led the IT department to standardize on Windows XP Professional with SP2. Although Woodgrove could allow computers that run Windows XP Home Edition with SP2 to connect over VPN, Woodgrove IT decided not to support this configuration because a Windows XP Home Edition-based computer cannot join a domain. After the IT department implements the initial solution, Woodgrove intends to extend it to workers' home computers. One of the pre-connection checks confirms that Windows Firewall is enabled. The pre-connection script does not configure any firewall exceptions; exceptions such as Remote Desktop are set after the connection is established. CMAK is the tool used to configure the Connection Manager profile, which contains all the licensed software required to start the connection attempt, including the client notification component (RQC.exe) and the initial quarantine script. Woodgrove National Bank uses a Web server to distribute these profiles. When Woodgrove National Bank updates the Connection Manager profile, it notifies users by e-mail that the new profile is mandatory by a certain date.

Note: Alternative strategies could use any software distribution mechanism, such as Group Policy or Microsoft Systems Management Server (SMS) 2003, or, for users who connect to the corporate network from home computers, placing the profile on a password-protected USB key.

Remote access in Windows Server 2003 provides the features needed to act as a VPN server and router. Windows Server 2003 with SP1 includes the Remote Access Quarantine Service (RQS), a key component of the VPN quarantine solution. RQS is the server-side listener component, implemented as the executable RQS.exe. The client notification component, RQC.exe, is included with the CMAK.
The quarantine packet filter allows communication only between a quarantined VPN client and a limited set of resources on the network. The filters allow the client agent to communicate with the listener component on the remote access server and allow authentication of the user to take place. IAS on Windows Server 2003 is the Microsoft implementation of a RADIUS server and RADIUS proxy. The Internet Engineering Task Force (IETF) describes RADIUS in RFCs 2865 and 2866. IAS authenticates remote access requests and provides accounting information. Woodgrove IT has contracts with several ISPs, which allows roaming Internet access in several countries/regions. Each ISP configures its RADIUS servers to forward authentication requests to the Woodgrove IAS servers; this requires a RADIUS proxy at the ISP that points back to the Woodgrove IAS servers. By using IAS for authorization, Woodgrove can take advantage of the RADIUS accounting features to track remote access VPN use. User accounts and group memberships in Active Directory regulate remote connectivity and subsequent access to corporate resources at Woodgrove National Bank. Woodgrove National Bank also uses Group Policy objects (GPOs) to configure Windows workstations to meet corporate network security policies.

How the Solution Works

The following figure illustrates how Woodgrove National Bank implemented its VPN quarantine solution. The Woodgrove National Bank VPN quarantine solution works in the following manner:
Note: A post-connection script checks the version of the Connection Manager package. If the version on the remote computer is more than two minor versions or one major version out of date, the remote computer downloads the latest Connection Manager package, informs the user, and drops the connection. The remote computer then has the latest hotfix list, and the remote user can connect again.

Implementing this solution requires a number of processes to run on the client and server sides. The next section explains these requirements.

Implement Custom Actions by Using Scripts

Scripts that run at different points in the connection cycle carry out most of the client-side operations for the VPN quarantine solution. One critical element of this solution is whether a given check runs as a pre-tunnel or a post-connection action. If a check runs out of sequence, it can expose a computer to unnecessary vulnerabilities and create other difficulties. The following section lists the checks designed for this solution.

Implement Pre-Tunnel Checks

If the client is not already connected, Connection Manager initiates a connection to the Internet. After the client connects to the Internet, synchronous pre-tunnel actions perform the mandatory security checks before the VPN tunnel is established. Connection Manager runs all required security checks sequentially and implements each check as a series of scripts. The following steps provide the working logic that the scripts require.
Note: For a description of a set of sample scripts, see Appendix A, "Sample Quarantine Scripts," of this guide.

Connection Manager records the results of these pre-tunnel actions in the registry under the following key: HKEY_CURRENT_USER\Software\MyCompany\MyConnectionManager\PreTunnelResults. Pre-tunnel actions should always return success, and the Remote Access Quarantine Service agent post-connect action should read these results to determine what status to send to the VPN server. This approach allows flexible exception management without modifying Connection Manager. The following figure shows the pre-tunnel custom action script logic that Woodgrove National Bank uses.

Implement Post-Connection Checks

After the client passes the pre-tunnel checks, Connection Manager establishes the VPN connection. Post-connection scripts can perform any additional non-mandatory checks and management actions after the client obtains access to the corporate network.
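The pre-tunnel and post-connect logic described above, modelled in Python as an added example. This is not the guide's own code: the Appendix A custom actions are batch and VBScript run by Connection Manager. The check names, the ClientState fields, the 7-day antivirus signature limit, the RQS port 7250, the RQC.exe argument order, and the reading of "more than two minor or one major versions out of date" are assumptions; the results dictionary stands in for the PreTunnelResults registry key, and the post-connect action, not the pre-tunnel checks, decides whether RQC may send the shared key.

```python
"""Client-side quarantine flow: pre-tunnel checks that always 'succeed' but
record their outcome, the Connection Manager package version rule, and the
post-connect decision that drives RQC.exe. Added illustration, not the
guide's Appendix A scripts."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

Version = Tuple[int, int]  # (major, minor) of a Connection Manager package


@dataclass
class ClientState:
    """Constructed snapshot of the remote computer; field names are assumptions."""
    firewall_enabled: bool
    missing_hotfixes: List[str]
    av_signature_age_days: int
    cm_version: Version


# Mandatory pre-tunnel checks: each returns True when the computer complies.
def check_firewall(c: ClientState) -> bool:
    return c.firewall_enabled


def check_hotfixes(c: ClientState) -> bool:
    return not c.missing_hotfixes


def check_antivirus(c: ClientState, max_age_days: int = 7) -> bool:
    return c.av_signature_age_days <= max_age_days  # 7-day limit is an assumption


PRE_TUNNEL_CHECKS: Dict[str, Callable[[ClientState], bool]] = {
    "Firewall": check_firewall,
    "Hotfixes": check_hotfixes,
    "Antivirus": check_antivirus,
}


def run_pre_tunnel(client: ClientState, results: Dict[str, bool]) -> int:
    """Run the checks in sequence and record each outcome in `results`.
    `results` stands in for the registry key
    HKCU\Software\MyCompany\MyConnectionManager\PreTunnelResults (a real
    custom action would use winreg). Always returns 0: per the guide,
    pre-tunnel actions report success to Connection Manager so that the
    post-connect action, not Connection Manager, decides the outcome."""
    for name, check in PRE_TUNNEL_CHECKS.items():
        results[name] = bool(check(client))
    return 0


def package_out_of_date(installed: Version, latest: Version) -> bool:
    """The guide's rule: more than two minor versions or one major version
    out of date. Reading 'one major' as a major gap greater than one, and not
    comparing minor numbers across a major gap of exactly one, are assumptions."""
    major_gap = latest[0] - installed[0]
    if major_gap > 1:
        return True
    return major_gap == 0 and (latest[1] - installed[1]) > 2


def rqc_command(conn: str, tunnel: str, port: int, domain: str,
                user: str, script_version: str) -> List[str]:
    """Command line for RQC.exe. The argument order (ConnName TunnelConnName
    TCPPort Domain Username ScriptVersion) is an assumption; verify it against
    the CMAK documentation. ScriptVersion is the shared key RQS expects."""
    return ["rqc.exe", conn, tunnel, str(port), domain, user, script_version]


def post_connect_action(results: Dict[str, bool], exceptions: Set[str],
                        installed: Version, latest: Version) -> Tuple[str, List[str]]:
    """Decide what the post-connect action does once the tunnel is up.
    'update'    -> fetch the latest package and drop the connection.
    'remediate' -> stay in quarantine; detail lists the failed checks.
    'notify'    -> compliant (or excepted); detail is the RQC.exe command line.
    `exceptions` holds check names the security group has temporarily waived,
    which is the exception management the registry-results design allows."""
    if package_out_of_date(installed, latest):
        return "update", []
    failed = [name for name, ok in results.items()
              if not ok and name not in exceptions]
    if failed:
        return "remediate", failed
    script_version = f"{installed[0]}.{installed[1]}"
    return "notify", rqc_command("WNB VPN", "WNB VPN Tunnel", 7250,
                                 "WOODGROVE", "user", script_version)
```

Because every pre-tunnel action returns 0, Connection Manager never aborts the connection on its own; the waiver set passed to post_connect_action is the only place an exception is honoured, so it can be changed without rebuilding the profile.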
The following figure provides detail of the post-connection custom action script logic.

Create and Distribute Connection Manager Profiles

Connection Manager provides a convenient mechanism for giving users quick, simple, and reliable access to corporate resources. Woodgrove National Bank decided to implement its custom VPN connections through Connection Manager profiles that its IT department created with CMAK. Because Woodgrove National Bank configures connections for tens of thousands of clients and hundreds of access phone numbers, Woodgrove IT must examine the following information before configuration:
The following table lists some of the Connection Manager capabilities for remote access connections that Woodgrove IT uses.

Table 4.1: Connection Manager features used by Woodgrove IT
Woodgrove IT can distribute the Connection Manager profiles to remote users by CD, e-mail, Web site, or file share. Woodgrove National Bank already distributes software and updates through an Internet-facing Web site. Because the supporting infrastructure is already in place, Woodgrove chose this method to distribute Connection Manager profiles.

Use IP Filters to Quarantine Network Access

The combination of custom actions and support for vendor-specific attributes enables Connection Manager to support network-quarantined access. Vendor-specific attributes (RADIUS attribute 26) are a permitted extension of the RADIUS standard: RFC 2865 (which obsoletes RFC 2138) defines the container but not the vendor content. The Microsoft vendor-specific attributes that the Windows Server 2003 version of IAS specifies are:
MS-Quarantine-IPFilter Setting

This attribute defines the packet filters that apply while the client is in quarantine. At a minimum, the filters must allow the notification that the client notification component (RQC) sends when the quarantine script completes successfully. The Woodgrove National Bank filters must also allow DNS and DHCP so that a remote client can communicate with infrastructure servers during quarantine.

Note: Using filters to allow additional protocols decreases overall security. Include a protocol in the quarantine definition only if necessary.

The following table shows the TCP/IP ports that the Woodgrove National Bank quarantine IP filter opens.

Table 4.2: Open TCP/IP ports in the VPN Quarantine Filter
MS-Quarantine-Session-Timeout

This attribute sets the maximum time that the client computer can remain in quarantine. If the script does not complete within this time, the remote access server disconnects the client computer. Woodgrove National Bank implemented a time-out of 120 seconds, which results in dropping less than one percent of incoming connections. The following figure illustrates the vendor-specific attributes that must be configured in the remote access policy to support VPN quarantine.

Figure 4.4 MS-Quarantine vendor-specific attributes required for VPN quarantine

During the pilot test process, check whether removing any of the allowed ports in the quarantine IP filter prevents the client from connecting. Reduce the time-out value to the lowest practical setting, and then add an allowance for increased network latency or slow links.

Additional Considerations

This section discusses some additional areas that Woodgrove IT considered in the implementation of VPN quarantine.

Configure Logging and Accounting

One benefit of using IAS is the built-in support for logging client connections through RADIUS. Woodgrove National Bank wants to monitor which workers connect to the corporate network. Logging is not a requirement for implementing a remote access solution with VPN quarantine, but Microsoft strongly recommends it. RADIUS/IAS gives Woodgrove the capability to analyze connection trends, with the goal of improving the service. Each IAS RADIUS server collects user session data in SQL Server 2000 Desktop Engine (MSDE 2000), a lightweight, local SQL Server 2000 database. This database, which runs on each IAS server, can collect infrastructure server performance data and client-specific data. The IAS server transfers the data from MSDE to a central SQL Server 2000 database in near real time. This arrangement ensures cost-effective use of SQL Server licensing and does not inhibit performance.
Woodgrove National Bank deployed regional SQL Server-based data collection servers to collect remote access session data. For more information about configuring SQL Server logging with IAS, see "Deploying SQL Server Logging with Windows Server 2003 Internet Authentication Service (IAS)" at www.microsoft.com/downloads/details.aspx?FamilyId=6E4357F7-4070-4902-95F1-3AD411D963B2&displaylang=en.

Implement Pilot Deployments

Before you roll out any remote access solution to a production environment, you must test the solution in a pilot deployment. Ideally, the pilot deployment is a scaled-down version of the planned solution. Woodgrove National Bank implemented two pilot programs: an initial pilot for experienced users and then a more general pilot with a wider range of participants. The Woodgrove IT team monitored the pilots and used the results to amend the final design.

Ensure High Availability

Because Woodgrove National Bank operates in a global environment with sites throughout the world, the solution must be highly reliable. Therefore, Woodgrove National Bank must consider provisions for availability, which include:
Woodgrove IT uses Microsoft Application Center 2000 to provide Web application clusters and Network Load Balancing (NLB) support for its Web sites. Application Center and NLB can also provide fault tolerance for the Internet-facing update servers. Woodgrove National Bank uses NLB, a standard feature of Windows Server 2003 Enterprise Edition, to load balance the IAS servers.

Ensure Adequate Network Bandwidth

System architects must consider existing network paths, expected connection times, and the type and extent of the expected remote access traffic. The additional bandwidth that remote access users require should not be underestimated. The pilot deployments should help in analyzing remote access traffic and the effect it can have on the existing infrastructure. It is important that trials include typical workers with ordinary usage, because the solution cannot succeed if the service is poor. Network switches that incorporate bandwidth profiling can reduce the effect of remote access traffic on other users. Woodgrove National Bank has good Internet connectivity with high bandwidth. The bank uses most of the existing bandwidth for internal access to the Internet for Web browsing and e-mail, so adjustments might be required to handle the additional remote access traffic.

Handle Exceptions and Exclusions

The system architects at Woodgrove National Bank understand that any solution must address situations in which business needs require granting a device or devices a temporary exception to the quarantine requirements. For example, the IT team might have to provide an exception for executive access during a critical meeting. Hence, the VPN access solution must support exceptions. The inability to grant single-computer exceptions could force the administrator to remove the remote access requirements altogether. Unless the organization can address individual exceptions, the IT team cannot deploy the solution.
Note: The Woodgrove IT security group should be the sole authority that determines when the business need for an exemption exceeds the security risk. The organization should consider the following exception scenarios:
One workaround to this final issue is to create input packet filters that allow the application's traffic to work as expected while the remote access client is in quarantine. The drawback to this approach is the overhead of identifying the application's network traffic and creating additional packet filters. Microsoft recommends that you keep the number of quarantine packet filters to a minimum and use pre-tunnel custom actions to overcome this issue. Implementing incorrect quarantine packet filters can expose the domain controllers to the quarantine network. Certain configurations can mitigate the delay that applications experience when they connect to a quarantine network. Although Microsoft does not recommend configurations that expose the network, organizations must provide workarounds for essential applications. The following are workarounds to consider:
Provide User Feedback

You can provide users with feedback through the Connection Manager interface to inform them where they are in the connection process. This helps mitigate the frustration users feel when nothing appears to be happening.

Use a Quarantine Session Time-out Only

This configuration sets the MS-Quarantine-Session-Timeout attribute but not the MS-Quarantine-IPFilter attribute. The remote access server gives the remote access client immediate normal access, unrestricted by quarantine packet filters. However, the remote access client must still send a notification message that it complies with network policies. The remote access server disconnects the client computer if it does not send the notification before the quarantine session time-out expires. The advantages of this configuration are that there is no need to configure quarantine packet filters and there are no application delay issues; remote access occurs in the same way as if there were no quarantine. The disadvantage is that the remote access server grants the remote access client normal access to the network for the duration of the quarantine session time-out, even if the client does not comply with network policies. This is an obvious security hole.

Use Immediate Notification

In this configuration, the quarantine script runs RQC.exe to send the notification before any of the tests complete. The remote access server removes the quarantine restrictions from the connection and the remote access client has immediate normal access. Within the quarantine script, the network policy compliance tests still run. If any test fails, the quarantine script notifies the user of the corrective actions required and automatically disconnects the user after a specific amount of time, emulating quarantine mode and the use of a quarantine session timer.
Note: In this configuration, you still configure the MS-Quarantine-Session-Timeout or MS-Quarantine-IPFilter attributes to provide the required quarantine restrictions when the computer has an outdated Connection Manager package or script.

The advantage of immediate notification is that there are no application delay issues; remote access occurs in the same way as if there were no quarantine. However, because the client has unrestricted access before it has proved compliance, this is not a recommended approach.

Apply Best Practices

This section provides some key best practices from the Woodgrove solution. These best practices are to:
Use a Block All Traffic Quarantine Policy

Upon connection, the DHCP server assigns the client an IP address. The client notification component (RQC.exe) attempts to pass the shared key to the server listener component (RQS.exe) on the remote access server. RQS listens only on the internal IP address of the remote access server, and this is the only IP address to which the quarantine policy should allow communication. The IP filter should block all other traffic until RQS successfully receives the shared key from RQC and the remote access server removes the quarantine.

Support Logon Using a Dial-up Connection

When users select the Windows logon option Log on using a dial-up connection, VPN clients receive Group Policy refresh in nearly the same manner as LAN clients. This setting provides unified administration of internal and remote clients.

Note: There is no method available that can apply startup scripts and computer software assignments over a dial-up connection.

Using this option allows users to receive notification of password expiration and allows computers to refresh their computer accounts when required. Because Group Policy settings apply to remote clients after the connection process, the first post-connect action in Connection Manager must be to remove the VPN quarantine. A delay in removing the quarantine can cause the Group Policy refresh, password expiration notification, and computer account refresh to fail. You can ensure that Group Policy settings apply equally to VPN clients and LAN clients if you disable Group Policy slow link detection in at least one Group Policy object that applies to all clients. The organization should test and thoroughly assess the full impact of this setting before considering implementation. Implement this option only if it is absolutely necessary.
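A model of the block-all quarantine policy above, of the MS-Quarantine-Session-Timeout behaviour, and of the "session time-out only" configuration from Additional Considerations, written in Python as an added example (not RRAS, IAS, or Woodgrove code). The addresses, the shared key, and the DNS and DHCP allowances are constructed; the RQS listener port 7250 is an assumption to verify against your server; the 120-second time-out is the guide's value. The model shows why the time-out-only configuration is the security hole the guide describes: a non-compliant client reaches internal hosts until the timer fires.

```python
"""Remote access server quarantine behaviour, modelled: the input filter from
MS-Quarantine-IPFilter, the timer from MS-Quarantine-Session-Timeout, and the
lifting of quarantine when RQC delivers the shared key to RQS. Added
illustration; addresses, key and port are constructed or assumed."""
from dataclasses import dataclass
from typing import List, Optional

RRAS_INTERNAL_IP = "10.0.0.1"   # constructed: internal address RQS listens on
RQS_PORT = 7250                 # assumed RQS.exe listener port; verify on your server
DNS_SERVER = "10.0.0.10"        # constructed
SHARED_KEY = "2.3"              # constructed: script version string RQC presents


@dataclass(frozen=True)
class AllowRule:
    proto: str                  # "tcp" or "udp"
    dst_ip: Optional[str]       # None matches any destination address
    dst_port: int


# "Block all traffic" quarantine policy: RQC -> RQS on the internal address,
# plus the DNS and DHCP the guide says Woodgrove needed. Everything else is denied.
BLOCK_ALL_QUARANTINE: List[AllowRule] = [
    AllowRule("tcp", RRAS_INTERNAL_IP, RQS_PORT),
    AllowRule("udp", DNS_SERVER, 53),
    AllowRule("udp", None, 67),
]


def filter_allows(rules: List[AllowRule], proto: str, dst_ip: str, dst_port: int) -> bool:
    """Default-deny evaluation of the quarantine input filter."""
    return any(r.proto == proto and r.dst_ip in (None, dst_ip) and r.dst_port == dst_port
               for r in rules)


class QuarantineSession:
    """One VPN connection. `rules=None` models the 'session time-out only'
    configuration, which applies no packet filter while quarantined."""

    def __init__(self, rules: Optional[List[AllowRule]], timeout_s: int = 120):
        self.rules = rules
        self.timeout_s = timeout_s
        self.quarantined = True
        self.connected = True

    def _expire(self, now_s: float) -> None:
        # No valid notification before the timer fires: the server drops the connection.
        if self.connected and self.quarantined and now_s > self.timeout_s:
            self.connected = False

    def rqc_notify(self, now_s: float, key: str) -> bool:
        """RQC delivers the shared key to RQS; only a matching key lifts quarantine.
        Returns True when the session is now connected and unrestricted."""
        self._expire(now_s)
        if self.connected and key == SHARED_KEY:
            self.quarantined = False
        return self.connected and not self.quarantined

    def packet_allowed(self, now_s: float, proto: str, dst_ip: str, dst_port: int) -> bool:
        """Would an inbound packet from the client be forwarded at time now_s?"""
        self._expire(now_s)
        if not self.connected:
            return False
        if not self.quarantined or self.rules is None:
            return True
        return filter_allows(self.rules, proto, dst_ip, dst_port)
```

During a pilot, the same default-deny evaluation is a quick way to confirm that every port you remove from the quarantine filter is one the client can actually do without: if the client's own quarantine traffic (RQC, DNS, DHCP) is denied by the rule set, connections will time out rather than fail loudly.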
For more information about Group Policy settings, see "Introduction to Group Policy in Windows Server 2003" at www.microsoft.com/windowsserver2003/techinfo/overview/gpintro.mspx. For more information about slow link detection, see "Specifying Group Policy for Slow Link Detection" at www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dmebb_gpu_fvfu.asp.

Use Pre-Tunnel Custom Actions for Mandatory Security Checks

To avoid unnecessary delays in quarantine mode, perform all mandatory security checks as pre-tunnel custom actions. If the remote access client processes these updates before connecting, the user experience is more positive.

Include Licensed Software with the Client Package

The organization should ensure that the remote computer has all the licensed software it needs to make the connection. Distribute this software as part of the Connection Manager package to reduce support calls and configuration problems.

Implement Monitoring and Management

A VPN quarantine solution must allow the assignment and monitoring of appropriate alarms and thresholds to track the operational health of the solution. The solution should provide the ability to monitor the entire network, a single asset, or a list of assets in real time. Monitoring must show the indicators that the organization that owns operational support requires. If this requirement is not met, the security department is unable to determine whether the solution secures remote access connections.

Monitor Quarantine Operations

The following section provides some additional considerations for monitoring VPN quarantine operations. These include:
Extend the Solution

The VPN quarantine solution does not prevent someone from stealing a user's credentials and then attempting to log on to the network. To reduce the likelihood of this occurring, consider how to extend the solution to use digital certificates contained in smart cards. Using two-factor authentication mechanisms such as smart cards to authenticate remote access connections increases the security of your network while allowing additional employees to benefit from working from remote locations. Implementing smart cards requires the Extensible Authentication Protocol with Transport Layer Security (EAP-TLS). Woodgrove National Bank already has a mature public key infrastructure (PKI) in place and therefore could extend the remote access solution to include smart cards. For more information about planning two-factor authentication, see the Secure Access Using Smart Cards Planning Guide at http://go.microsoft.com/fwlink/?LinkId=41313.

Summary

The new features in Windows Server 2003 with SP1 enable organizations to implement VPN quarantine in a reliable and fully supported manner. Proper planning of the VPN quarantine rollout is essential to prevent unnecessary disruption of service to remote users. This guide considered the factors and processes involved in planning a VPN quarantine implementation and described how Woodgrove National Bank implemented this solution for its network. For more information about how to implement VPN quarantine, see Appendix C, "Related Links," in this document.