[unisog] NAT'ing Quarantine Networks to Windows Update

Phil Rodrigues phil.rodrigues at nyu.edu
Wed May 26 22:09:46 GMT 2004


Hi all,

Like many of you, NYU is trying to get a full-featured vulnerability 
detection and remediation system in production before students return. 
Some of you lucky &@#$'s even have it working already. :-)

In brief, the plan is to have DHCP and DNS servers very similar to 
NetReg forward clients to our registration system, where a scan will be 
requested.  We are using LVS to cluster a few pieces of hardware into 
one virtual Nessus server, and will either use nessus::scanlite or 
something very similar to request a fast scan from the cluster.  If the 
host passes, they get registered; if they fail, they get forwarded to a 
remediation website that instructs them how to fix their problem.  This 
should all sound pretty familiar by now.

My goal is to not have the clients install anything extra, but rather to 
leverage the vendors' pre-existing update mechanisms where possible: 
Microsoft's Windows Update, Symantec's LiveUpdate, Apple's Software 
Updates, RedHat's up2date, etc.  In order to do this from their private 
registration and/or quarantine networks we hope to enable PBR on a Cisco 
650x to route by source address (of those private networks) to a 
separate NAT network that connects the private IPs to the Internet.  The 
NAT network can be a 7200 or a PIX or a well-tuned Linux box.

Jason Azze of Fairfield U already posted how they used (what BIND calls) 
"selective forwarding" or "split DNS" to forward certain domains to a 
public DNS server, and redirect all other requests to the internal 
registration / quarantine / remediation system.  His post can be found here:

http://www.dshield.org/pipermail/unisog/2004-May/007203.php

I know of at least one other University that also wants to do something 
like this.  Has anyone else implemented this selective forwarding 
successfully with the myriad of domains needed for Windows Update?  How 
has it worked?  Is anyone else trying to NAT their private registration 
/ quarantine / remediation networks out to public update websites? 
Anyone figure out how to secure those NAT'd networks?

And, the big question - anyone else want to help?  We already have a few 
people working on different parts of this from different schools.  Final 
results will vary by school, but a lot of the infrastructure and methods 
should be very similar.  Anyone else in the same position that wants to 
throw their two cents in?  Anyone done with their design and want to 
discuss the merits of their particular implementation?

Thanks for your time, and good luck in all of your summer projects.

Phil

Sr Network Security Analyst
New York University
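To make the selective-forwarding idea referenced above concrete, here is an added BIND 9 configuration sketch (not from Phil's or Jason Azze's posts): the quarantine resolver forwards only vendor update domains to a real resolver and answers every other name with the registration server, which is what lets the PBR/NAT path carry only update traffic. The resolver and web-server addresses and the update domain names are assumed for illustration; the real list of domains Windows Update needs is longer.

```conf
// --- /etc/named.conf (added example; addresses and domains are constructed) ---
options {
    directory "/var/named";
    recursion yes;                    // forwarding only happens for recursive queries
    allow-query     { 10.0.0.0/8; };  // quarantine / registration networks only
    allow-recursion { 10.0.0.0/8; };
    // No global "forwarders": anything not matched below hits the catch-all root.
};

// Selective forwarding: only vendor update domains are resolved for real.
// Illustrative names; the set Windows Update actually needs is longer.
zone "windowsupdate.com" {
    type forward;
    forward only;                     // never fall back to normal recursion
    forwarders { 192.0.2.53; };       // assumed campus public resolver
};
zone "update.microsoft.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};
zone "liveupdate.symantec.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};

// Catch-all: this server is authoritative for "." so every other name
// resolves to the registration / remediation web server.
zone "." {
    type master;
    file "quarantine-root.db";
};

; --- /var/named/quarantine-root.db (constructed zone file) ---
$TTL 60                               ; short TTL so registered clients recover quickly
@       IN  SOA  ns. hostmaster.ns. ( 2004052601 3600 900 604800 60 )
@       IN  NS   ns.
ns.     IN  A    10.0.0.2             ; assumed address of this quarantine resolver
*.      IN  A    10.0.0.5             ; assumed registration / remediation web server
```

Because every non-update hostname lands on 10.0.0.5, the remediation web server should serve the instructions page as its default virtual host regardless of the Host header a browser sends; the PBR rule on the 650x then only needs to pass the quarantine networks' traffic for the forwarded domains out through the NAT device.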
