[unisog] NAT'ing Quarantine Networks to Windows Update
phil.rodrigues at nyu.edu
Wed May 26 22:09:46 GMT 2004
Like many of you, NYU is trying to get a full-featured vulnerability
detection and remediation system in production before students return.
Some of you lucky &@#$'s even have it working already. :-)
In brief, the plan is to have DHCP and DNS servers very similar to
NetReg forward clients to our registration system, where a scan will be
requested. We are using LVS to cluster a few pieces of hardware into
one virtual Nessus server, and will either use nessus::scanlite or
something very similar to request a fast scan from the cluster. If the
host passes, it gets registered; if it fails, it gets forwarded to a
remediation website that instructs them how to fix their problem. This
should all sound pretty familiar by now.
My goal is to not have the clients install anything extra, but rather to
leverage the vendors' pre-existing update mechanisms where possible:
Microsoft's Windows Update, Symantec's LiveUpdate, Apple's Software
Updates, RedHat's up2date, etc. In order to do this from their private
registration and/or quarantine networks we hope to enable PBR on a Cisco
650x to route by source address (of those private networks) to a
separate NAT network that connects the private IPs to the Internet. The
NAT network can be a 7200 or a PIX or a well-tuned Linux box.
Jason Azze of Fairfield U already posted how they used (what BIND calls)
"selective forwarding" or "split DNS" to forward certain domains to a
public DNS server, and redirect all other requests to the internal
registration / quarantine / remediation system. His post can be found here:
I know of at least one other University that also wants to do something
like this. Has anyone else implemented this selective forwarding
successfully with the myriad of domains needed for Windows Update? How
has it worked? Is anyone else trying to NAT their private registration
/ quarantine / remediation networks out to public update websites?
Anyone figure out how to secure those NAT'd networks?
And, the big question - anyone else want to help? We already have a few
people working on different parts of this from different schools. Final
results will vary by school, but a lot of the infrastructure and methods
should be very similar. Anyone else in the same position that wants to
throw their two cents in? Anyone done with their design and want to
discuss the merits of their particular implementation?
Thanks for your time, and good luck in all of your summer projects.
Sr Network Security Analyst
New York University
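The selective-forwarding setup the post refers to, as an added BIND 9 named.conf sketch that is not from the original post or from any school's production config: the forwarded update domains, the quarantine subnet 10.200.0.0/16, the resolver address 192.0.2.53 and the remediation host 10.200.0.1 are all assumed placeholders, and the real list of Windows Update hostnames has to be determined and maintained per site.

```conf
// Quarantine resolver: only the private registration/quarantine
// network may query it (subnet is an assumed placeholder).
options {
    directory "/var/named";
    recursion yes;
    allow-query { 10.200.0.0/16; };
    allow-recursion { 10.200.0.0/16; };
};

// Vendor update domains that must resolve to their real public
// addresses: forward only these to a public resolver (placeholder
// address from the documentation range). PBR on the router then
// sends quarantine-sourced traffic for those addresses to the NAT
// network. Extend this list for LiveUpdate, Apple, up2date, etc.
zone "windowsupdate.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};
zone "microsoft.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};

// Catch-all: serve a local root zone whose wildcard points every other
// name at the registration / remediation web server, so clients that
// have not passed the scan cannot reach anything else by name.
zone "." {
    type master;
    file "quarantine-root.zone";
};
```

The matching quarantine-root.zone (not shown) is a short wildcard zone: an SOA and NS record for the resolver plus `* IN A 10.200.0.1` with a low TTL, so cached answers expire quickly once the host is registered and handed a normal resolver. Note that blocking by name alone does not stop a quarantined host from reaching public addresses directly; the NAT network still needs its own filtering limited to the update services.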