Dirteam.com/ActiveDir.org Blogs

Paul's Holy Bible Of Everything

About project management, people and all those annoying aspects of life that get in the way of achieving anything.

You Have To Be This Big To Enter This Ride (or: on VPN Quarantine I)

The use of VPNs (Virtual Private Networks) has increased dramatically over the years, and for various reasons. Leased lines are expensive and often impractical, and the cost savings of VPNs, together with the reliable, secure implementations now available, have proved a valid reason for many companies to deploy them.

Not being an exception to modern technology, Microsoft's ISA Server has provided VPN functionality for quite some time now. Being the busy little bees that they are, the good people at Microsoft also added a few nice extra features to their VPN solution. In this article I want to take a look at one of my favourites, called 'VPN Quarantine'.

What is VPN Quarantine?

Under normal circumstances, a VPN client connecting to a VPN server has its credentials checked and is then granted access (or denied, if the credentials are not accepted). Although this provides a basic level of security (the correct credentials are required to make the connection), it says nothing about the security state of the machine presenting those credentials, and there is more to consider when letting clients onto your network.

Let us say, for example, that your company has decided to allow users to use their home computers as VPN clients to connect to the corporate network. Despite your protests regarding (often) poorly secured home computers, management has told you gently but firmly to have intercourse with yourself and implement the solution. Being a concerned administrator, you would like at least some control over the state of the machines that connect to your network. Thankfully, ISA Server's VPN Quarantine lets you do exactly this.

When a VPN client connects to an ISA VPN server, the client is first authenticated, i.e. do the credentials match? If they do, the VPN client is placed in the Quarantined VPN Clients network. Next, a client-side script runs that checks the security configuration of the client, for example a VBScript. (I'm sure you can see how much flexibility this gives, and why you should be able to write VBScript!) If the script reports back to the server that the checks have passed, the client is moved to the VPN Clients network, from where it can go about its happy little chores.
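To make that flow concrete, here is an added example of such a client-side check script. It is not from this post and not Microsoft's own code. It assumes the Windows Server 2003 Network Access Quarantine Control tooling that ISA builds on: the script is run by the Connection Manager profile as a post-connect action, it is handed the connection name, tunnel entry, domain and user name as arguments, and if all checks pass it runs rqc.exe, which reports a version string to the Remote Access Quarantine Service (rqs.exe) listening on TCP port 7250 on the server; the server lifts quarantine only if that string is one it has been configured to accept. The particular checks (Windows Firewall on, XP at SP2 or later, Security Center reporting up-to-date antivirus) and the version string "1.0" are illustrative policy choices, not anything the post prescribes.

```vbscript
' quarantine.vbs  -  added example of a VPN Quarantine client check.
' Assumes: rqc.exe is packaged in the CM profile, rqs.exe listens on TCP 7250
' on the ISA server, and the profile runs this as a post-connect action with
'   cscript quarantine.vbs %ServiceName% %TunnelRasEntry% %Domain% %UserName%
' The checks and the version string below are illustrative choices.
Option Explicit

Const RQS_PORT       = 7250
Const SCRIPT_VERSION = "1.0"   ' must match a string the server's rqs.exe accepts
Const MIN_SERVICE_PACK = 2     ' policy choice: Windows XP SP2 or later

Dim objArgs, connName, tunnelName, domain, userName
Set objArgs = WScript.Arguments
If objArgs.Count < 4 Then
    WScript.Echo "Usage: cscript quarantine.vbs ConnName TunnelEntry Domain UserName"
    WScript.Quit 1
End If
connName   = objArgs(0)
tunnelName = objArgs(1)
domain     = objArgs(2)
userName   = objArgs(3)

' Check 1: Windows Firewall enabled for the standard (non-domain) profile,
' which is the profile a home computer uses.  A missing value fails closed.
Function FirewallEnabled()
    On Error Resume Next
    Dim sh, v
    Set sh = CreateObject("WScript.Shell")
    v = sh.RegRead("HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall")
    If Err.Number <> 0 Then
        FirewallEnabled = False
    Else
        FirewallEnabled = (v = 1)
    End If
    On Error GoTo 0
End Function

' Check 2: operating system service pack level, read through WMI.
Function ServicePackOk(minSp)
    Dim wmi, os
    ServicePackOk = False
    Set wmi = GetObject("winmgmts:\\.\root\cimv2")
    For Each os In wmi.ExecQuery("SELECT ServicePackMajorVersion FROM Win32_OperatingSystem")
        If os.ServicePackMajorVersion >= minSp Then ServicePackOk = True
    Next
End Function

' Check 3: an antivirus product registered with Windows Security Center that
' reports itself up to date with on-access scanning enabled.  No Security
' Center (pre-SP2) or no registered product also fails closed.
Function AntivirusUpToDate()
    On Error Resume Next
    Dim wmi, av
    AntivirusUpToDate = False
    Set wmi = GetObject("winmgmts:\\.\root\SecurityCenter")
    If Err.Number <> 0 Then Exit Function
    For Each av In wmi.ExecQuery("SELECT * FROM AntiVirusProduct")
        If av.productUptoDate And av.onAccessScanningEnabled Then AntivirusUpToDate = True
    Next
    On Error GoTo 0
End Function

' Collect every failure so the user sees the full list, not just the first.
Dim failures
failures = ""
If Not FirewallEnabled() Then failures = failures & "Windows Firewall is off; "
If Not ServicePackOk(MIN_SERVICE_PACK) Then failures = failures & "Service pack below SP" & MIN_SERVICE_PACK & "; "
If Not AntivirusUpToDate() Then failures = failures & "Antivirus missing, disabled or out of date; "

If failures <> "" Then
    ' Do NOT call rqc.exe: the client stays in the Quarantined VPN Clients
    ' network, where only the remediation traffic the ISA policy allows gets through.
    WScript.Echo "Quarantine check failed: " & failures
    WScript.Quit 2
End If

' All checks passed: ask the server to release the client from quarantine.
' rqc.exe argument order: ConnName TunnelConnName TCPPort Domain UserName ScriptVersion
Dim shell, cmd, rc
Set shell = CreateObject("WScript.Shell")
cmd = "rqc.exe """ & connName & """ """ & tunnelName & """ " & RQS_PORT & _
      " """ & domain & """ """ & userName & """ " & SCRIPT_VERSION
rc = shell.Run(cmd, 0, True)    ' hidden window, wait for exit code
If rc <> 0 Then
    WScript.Echo "rqc.exe failed with exit code " & rc
    WScript.Quit 3
End If
WScript.Echo "Quarantine checks passed; release requested."
WScript.Quit 0
```

Two things to keep in mind when writing a script like this. First, it runs on the client, under the control of whoever owns that machine: a user (or malware) can edit the checks out or simply run rqc.exe with the known version string, so quarantine is a compliance nudge for cooperative users, not a trust boundary against a hostile client. Second, because of that, the access rules for the Quarantined VPN Clients network should be the bare minimum needed to remediate (DNS and the update servers, say), and the script should fail closed, as above, whenever a check cannot be evaluated.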

So... why is this interesting at all?

Well, for starters, you can set different access policies for the Quarantined VPN Clients network and the VPN Clients network. This allows you, for example, to permit only certain protocols in the quarantine network (just enough to push updates down the clients' throats) and a different set of protocols for the VPN Clients network.

Another benefit is the flexibility of this configuration: access is granted only after a mechanism on the client tells the ISA VPN server that the tests have passed. Since the compliance-check scripts are basically yours to write (if you wish), you can check as much as you like, which raises the level of security considerably, bearing in mind that a check running on the client can only be as trustworthy as the client itself.

Great. Let's use it!

VPN Quarantine is enabled through CMAK (Connection Manager Administration Kit) and consists of several interesting parts. We'll look at how to use it, and at the more precise workings of the process, soon (which will presume some knowledge of VBScript; if you lack that, read up on it first!)

P.S.: The quarantine control described here is not ISA-only. The functionality itself (Network Access Quarantine Control) is part of the Windows Server 2003 operating system; ISA Server 2004, however, extends it considerably.

Published Tuesday, June 20, 2006 8:24 PM by Paul
