Windows Network Access Protection (NAP) simplifies Quarantine Mode

Quarantine Mode in Windows Server 2003 is useful to the security-conscious administrator, yet complicated to implement. The next iteration of Windows Server 2003 (R2) is supposed to make it easier to deploy using NAP. Learn how with this overview.

A few months ago, I wrote an article about a Windows Server 2003 feature called Quarantine Mode. In case you aren't familiar with it, Quarantine Mode allows you to verify that network clients are running an updated configuration prior to allowing them access to the network. For example, when a client attempts to access the network, you could run a check to make sure the client has the latest operating system, service packs, hot fixes, and antivirus signatures. If everything checks out okay with the client computer, it's granted access to the network in the usual manner. If the validation check fails, however, the client is given access only to the network's quarantine area. Typically, the quarantine area won't allow users to do anything except update their computers. Once the update is complete, the workstation is allowed to access the rest of the network. As I'll explain in this article, Windows Server 2003 R2 extends this concept a bit further.

Why quarantine?

Right now, you might be thinking that since you're running SMS Server or the Windows update services, all of your workstations are up to date, so there's no need to use this technology. However, your desktop computers aren't really the problem. It's relatively easy to keep a desktop up to date. The problem lies with mobile and remote users. For example, mobile users aren't constantly connected to your network, so they might miss the latest round of software updates. During that time, mobile users could potentially plug their laptop into someone else's network or into a home network and expose it to a virus or other form of malware in the process.

Another risk is computers that don't belong to the company. For example, how many times has a consultant or an auditor brought in his own laptop and asked to connect to the corporate network to get access to the Internet? Likewise, how many users sometimes dial into your network or connect to it through a VPN from a home machine? In both cases, you're allowing people to connect to your network using computers that you have no control over. Doing so could greatly undermine your network's integrity.

It would be really nice to be able to enforce a minimum security configuration for everyone who wants to connect to your network, but this isn't always practical. For example, if one of the things you're checking for is to make sure that workstations have the correct antivirus definitions, think how many licenses you would burn through if you issued an antivirus license to everyone who ever connected to your network. To get around this problem, you'd typically define which computers do and do not belong to the company. If a system does belong to the company, but fails a minimum security requirement check, you'd go ahead and update that system. If a system failed the check, but the machine didn't belong to the company, you could isolate that computer so that it couldn't access anything but the Internet.

Simplifying Quarantine Mode

As you can see, Quarantine Mode technology can really help you guarantee your network's integrity. But if this technology is so great, why isn't everyone using it? Well, as it exists currently, implementing Quarantine Mode is extremely complicated. It requires a lot of servers running specialized roles, and it also requires your development team to custom-write a lot of scripts that control the quarantine operations. This is where Network Access Protection (NAP) comes in.

Microsoft will soon be releasing a revised version of Windows Server 2003, currently code-named R2. In R2, Quarantine Mode has been replaced by NAP. NAP is designed to make Quarantine Mode easier to implement. Don't let that statement fool you, though. Even NAP doesn't offer a simple point-and-click implementation. It does, however, greatly reduce the complexities involved in deployment.

Some terms to know

Before I can explain exactly how NAP works, there are a few terms and concepts that you need to know. First, there are two different Quarantine Modes that NAP can use: DHCP quarantine and VPN quarantine. As the name implies, a DHCP-based quarantine works by integrating a quarantine enforcement component into a DHCP server. When clients try to lease or renew an IP address, the DHCP server performs the check to see if the client needs to be quarantined. The biggest advantage to using DHCP-based quarantine is that it's easy to check the security of every system on your network. The downside is that the isolation a DHCP-based quarantine provides is not as well protected as that of a VPN-based quarantine. A VPN-based quarantine provides much stronger protection than DHCP, but it's more complex to configure and applies only to machines requesting a VPN connection.

Another concept that you need to be familiar with is that NAP uses a hierarchical approach for determining whether a system needs to be quarantined. As I explained earlier, there are typically a number of criteria that you'll test for when deciding whether to allow a machine access to the network. For example, you might test for the operating system version, the service pack version, and the version of the antivirus definition file. There isn't a single module that tests all of these different aspects. Instead, NAP uses an individual System Health Agent (SHA) for each component being checked.

The System Health Agent's job is to send a Statement of Health (SoH) to the appropriate System Health Validator (SHV). The SHV compares the Statement of Health against the quarantine policy to see if that particular aspect of the system's configuration is compliant with the network security policy. The System Health Validator then sends the yes/no verdict to the quarantine server. It's the quarantine server's job to coordinate the responses from each of the SHVs and determine whether the machine should be quarantined.

A DHCP quarantine

Now that you know the basics of how a quarantine works, let's take a more detailed look at how a DHCP quarantine works. The process begins when a client computer boots up and requests an IP address from a DHCP server. If this is the first time that the client has attached to the network since the quarantine server was put into place, the client will not have a Statement of Health available, and will therefore be forced into Quarantine Mode. The DHCP server implements Quarantine Mode by reserving a special subnet for quarantined machines rather than assigning the machines an IP address within the subnet used by the rest of the network.

The now quarantined client then uses a quarantine agent that has been installed onto it to contact an SMS server that is accessible from within the quarantine subnet. The SMS server then deploys the required updates to the quarantined client, thus bringing it into compliance with the network security policy. Once the client has been updated, the client's Statement of Health is created. If a Statement of Health had previously existed for the client, it would simply be updated once the SMS server had deployed the necessary software. Keep in mind that in a production environment, there would likely be multiple Statements of Health that would need to be created or updated, but for the sake of simplicity, this example assumes only one criterion is being tested.

The newly updated client then sends a request for an IP address to the DHCP server. The client incorporates its Statement of Health into the request. The System Health Validator then confirms the validity of the Statement of Health and passes a message to the DHCP quarantine server indicating that the client meets network security requirements. The client is then allowed to access the network in the normal manner.
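
The DHCP flow described above, modelled as an added example (not code from the original article and not Microsoft's NAP API). The policy versions, the two subnets and all function names are assumptions made for illustration.

```python
# Toy model of the NAP decision flow: SoH -> SHV verdicts -> quarantine server -> DHCP scope.
# Policy values, subnets and component names are constructed for this example.
import ipaddress
from itertools import islice

# Quarantine policy: minimum acceptable version per checked component (assumed values).
POLICY = {"service_pack": (2,), "av_definitions": (2005, 6, 1)}

PRODUCTION_SCOPE = ipaddress.ip_network("10.0.0.0/24")       # assumed normal subnet
QUARANTINE_SCOPE = ipaddress.ip_network("192.168.250.0/24")  # assumed quarantine subnet


def shv_verdict(component, soh):
    """One System Health Validator: compare a single SoH against policy.

    A missing SoH is treated exactly like a non-compliant one.
    """
    if soh is None or soh.get("component") != component:
        return False
    return tuple(soh["version"]) >= POLICY[component]


def quarantine_server(sohs):
    """Coordinate the per-component verdicts; any single failure means quarantine."""
    verdicts = {c: shv_verdict(c, sohs.get(c)) for c in POLICY}
    failed = sorted(c for c, ok in verdicts.items() if not ok)
    return (not failed), failed


def dhcp_lease(sohs, host_index):
    """DHCP enforcement: the verdict decides which scope the lease comes from."""
    healthy, failed = quarantine_server(sohs)
    scope = PRODUCTION_SCOPE if healthy else QUARANTINE_SCOPE
    address = next(islice(scope.hosts(), host_index, None))
    return {"address": str(address), "quarantined": not healthy, "failed": failed}


def remediate(sohs):
    """Stand-in for the update server: bring every failed component up to policy."""
    _, failed = quarantine_server(sohs)
    fixed = dict(sohs)
    for component in failed:
        fixed[component] = {"component": component, "version": POLICY[component]}
    return fixed
```

A client with no Statements of Health, or with only one component out of date, lands in the quarantine scope; after remediate() the same client is leased an address from the production scope.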

A VPN quarantine

Now let's look at how a VPN quarantine works. For demonstration purposes, we'll again assume that only a single criterion is being tested. Although a VPN quarantine is more complex than a DHCP quarantine, the basic concept remains the same.

The process starts when the client connects to the VPN server. Next, the client would initiate the authentication process by passing its authentication credentials to the VPN server via the Protected Extensible Authentication Protocol (PEAP). Assuming that the user has entered valid authentication credentials, the VPN server will then request a Statement of Health from the client.

Just as in my previous example, if the client does not have a Statement of Health, it is treated in the same way that it would be if the Statement of Health were invalid. Such a machine would therefore be quarantined from the rest of the network.

At this point, the agent on the client contacts an SMS server that exists on the quarantine network, and tells the SMS server that it has been quarantined. The SMS server then pushes the necessary updates to the quarantined client. In doing so, the client's Statement of Health is also updated. Now the client uses PEAP to send its updated Statement of Health to the VPN server. The VPN server will then use the System Health Validator to validate the Statement of Health. Assuming that the Statement of Health is up to par, the VPN server grants the client access to the network.

A few misconceptions

Now that I've shown you how the various types of quarantines work, I want to clear up a couple of common misconceptions about Quarantine Mode. First, a lot of people assume that Quarantine Mode protects the network against hackers. However, it does so only indirectly. If a hacker has an approved configuration and a valid set of logon credentials, Quarantine Mode won't stop the hacker from logging onto the network.

Another common misconception is that the quarantine is some sort of empty black hole in cyberspace. The fact is that the quarantine network is anything but empty. While an SMS server must be accessible from within Quarantine Mode, there are other components that must be accessible from Quarantine Mode as well. For starters, the quarantine network must have a DNS server. Keep in mind, though, that this server can simply be a forwarding DNS server; it doesn't have to be the organization's primary DNS server. Finally, the DHCP server and IAS server (VPN Quarantine Mode only) must be accessible whether a machine is quarantined or not. Otherwise, a client would never be able to get out of Quarantine Mode after its Statement of Health has been updated.
