[VPN] Re: VPN and quarantine

Frederic frederic at esnouf.net
Tue May 17 16:46:04 EDT 2005


Hi,

Thanks for your feedback. In fact I want to implement a VPN solution based on 
Linux, mostly to connect Windows XP machines (sales forces, ...).

I already implemented this solution on Microsoft ISA Server firewalls but I 
would like to do it with Linux now.

I am using a software called QSS. This automates the A to Z process (analyse 
the machine, send it to an 'approval server' on the LAN, remotely patch the 
remote machine if it is not compliant ... and unquarantine the user if it is 
OK).

The problem is that unquarantine means telling your VPN gateway that this or 
that user has to be unquarantined .. so it requires that the VPN server has 
such a mechanism or something close.

This is my main problem today. I don't know if something is available on 
this platform. You can check my website to discover QSS: 
http://fesnouf.online.fr/ (screenshots, videos, ...)

QSS is well known in the Windows world, but I had some requests from the 
Linux world but so far did not find someone pretty trained on the VPN aspect .. 
so did not find a solution.

When you see the price of a solution such as CISCO NAC (and the limited 
service it provides) .. Linux is really something good for companies.

If you have any ideas, let me know.

Thanks again for your help. I appreciate it.




Frédéric ESNOUF (MCSE - ISA MVP)
Email : frederic at esnouf.net
Visit ISAServerFR.org
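The "unquarantine" mechanism the message above is missing on the Linux side can be modelled on the gateway itself: each new VPN client lands in a quarantine chain that only lets it reach the approval server, and the gateway releases it only after a signed, fresh notice from that server. The following is an added illustration, not code from QSS or from the list; the chain name, the approval server address and the shared key are constructed assumptions, and the iptables commands are returned as strings rather than executed.

```python
import hmac, hashlib, time

# Assumed (not from the thread): the approval server notifies the gateway with
# an HMAC-signed message; a plain "release 10.8.0.2" message could be sent by
# the quarantined client itself, so the notice must be authenticated.
APPROVAL_SERVER = "10.0.0.5"        # constructed sample address
SHARED_KEY = b"constructed-demo-key"  # constructed sample secret

class QuarantineGateway:
    """Tracks each VPN client and emits the iptables commands a Linux gateway
    would run to quarantine it on connect or release it after approval."""
    def __init__(self, chain="VPN_QUARANTINE"):
        self.chain = chain
        self.state = {}          # client_ip -> "quarantined" | "approved"
        self.seen_nonces = set() # replay protection for approval notices

    def quarantine_rules(self, ip):
        # Quarantined client may only talk to the approval server (which
        # inspects and patches it); everything else towards the LAN is dropped.
        return [
            f"iptables -I {self.chain} -s {ip} -d {APPROVAL_SERVER} -j ACCEPT",
            f"iptables -A {self.chain} -s {ip} -j DROP",
        ]

    def release_rules(self, ip):
        return [f"iptables -D {self.chain} -s {ip} -j DROP"]

    def on_connect(self, ip):
        self.state[ip] = "quarantined"
        return self.quarantine_rules(ip)

    def on_approval(self, ip, nonce, ts, sig, now=None):
        """Handle an 'unquarantine' notice; only a correctly signed, fresh,
        never-seen notice for a currently quarantined client releases it."""
        now = time.time() if now is None else now
        msg = f"{ip}|{nonce}|{ts}".encode()
        expected = hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return []            # forged or tampered notice: ignore
        if abs(now - ts) > 60 or nonce in self.seen_nonces:
            return []            # stale or replayed notice: ignore
        if self.state.get(ip) != "quarantined":
            return []            # unknown client or already released
        self.seen_nonces.add(nonce)
        self.state[ip] = "approved"
        return self.release_rules(ip)

def sign_approval(ip, nonce, ts):
    """What the approval server computes before notifying the gateway."""
    return hmac.new(SHARED_KEY, f"{ip}|{nonce}|{ts}".encode(),
                    hashlib.sha256).hexdigest()
```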



----- Original Message ----- 
From: "Tina Bird" <tbird at precision-guesswork.com>
To: "'Frédéric ESNOUF'" <frederic at esnouf.net>; <vpn at lists.shmoo.com>
Sent: Tuesday, May 17, 2005 8:30 PM
Subject: RE: [VPN] VPN and quarantine


Hi Frederic -

> First of all I need to apologize because I am not a tech guy
> especially on your
> technology, so I may ask a strange question.

No apologies necessary.

Before I address your question, I should disclose that I am the security
architect for InfoExpress, a company that provides an endpoint
audit/isolate/remediate solution for remote access and LAN networks.

I should also mention that I'm teaching two vendor neutral tutorials, on the
topics of secure remote access and endpoint enforcement, at USENIX Security
this year. More info at

http://www.usenix.org/events/sec05/

> CISCO called this project NAC, Microsoft supplies this with
> ISA 2004 as a
> quarantine functionality.
>
> The idea of checking the remote user configuration AFTER VPN
> authentication and
> BEFORE any flow of data on the private lan is interesting.

Yep. Since mobile machines are a major source of problems, VPNs are a good
target - also because you've already got the remote system in something of a
captive environment, it's easier to control its access.

> I would like to know if I can implement this solution with a Linux OS.
>
> Could you advise me ? Give me some links ?

The lovely thing about Linux is that the answer is always "Sure!" But then
you've got to make it work.

Are you using Linux for the VPN server/concentrator? How many VPN servers do
you have connecting into your network? What about dial-up?

What kinds of endpoints do you want to inspect? Do you already have scripts
or tools that collect the information you want?

If the endpoint is out of compliance, what do you want to happen? Should the
user be directed to a Web site? Do you want changes to be made to the
endpoint without the user being involved?

Once the endpoint has had whatever changes made, do you want to have the
user trigger a re-check manually, or do you want the re-check to happen
automatically?

Many of the "usual" truisms about roll-your-own apply. It's certainly
possible to hack together a system that only grants complete internal access
after checks have been made. The commercial products in the space save you a
lot of work. But we need to know more about your situation to really answer
the question.

cheers - tbird




