[unisog] NAT'ing Quarantine Networks to Windows Update
fs at WPI.EDU
Wed May 26 23:04:45 GMT 2004
On Wed, May 26, 2004 at 06:09:46PM -0400, Phil Rodrigues wrote:
> I know of at least one other University that also wants to do something
> like this. Has anyone else implemented this selective forwarding
> successfully with the myriad of domains needed for Windows Update? How
> has it worked? Is anyone else trying to NAT their private registration
> / quarantine / remediation networks out to public update websites?
> Anyone figure out how to secure those NAT'd networks?
We did a limited version of this last year, with very good results.
Unregistered systems get tricked via DNS to our pre-registration page, which is
a cgi that kicks off a standalone scanner for the biggest vulnerability at the
time. By doing a limited scan, we got away with putting only the relevant
standalone patch installers up for download instead of trying to proxy or allow
full-blown Windows Update. Long term, when we get a full blown WUS server on
campus, we'll most likely just point machines directly at that.
For redhat systems, we had a current server for up2date clients, but since
that project is now dead, and all of the freely available redhat/fedora updates
are already tagged for it, we've got a yum server that we're almost ready to
We honestly haven't worried too much about trying to truly secure the network
itself. This registered/unregistered split wasn't meant to hold
determined hackers. Instead, it's just meant to keep viruses from spreading
onto or off of machines until they've at least had a cursory examination, and
if found lacking, offer an explanation of what to do and why.
Frank Sweetser fs at wpi.edu
WPI Network Engineer
GPG fingerprint = 6174 1257 129E 0D21 D8D4 E8A3 8E39 29E3 E2E8 8CEC
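The DNS trick the reply describes (unregistered hosts steered to the pre-registration page, while the few update domains they need still resolve normally) comes down to a small resolution policy. The following is an added example written for this archive page; it is not the poster's or WPI's code. The portal address, MAC table, upstream records and the update-domain allowlist are all constructed placeholders, and registration is keyed on client MAC as an assumption.

```python
"""Captive-DNS resolution policy for a registration / quarantine network.

Added example, not the original poster's code or WPI's implementation. It
models the decision the post describes: clients that have not registered are
"tricked via DNS" to the pre-registration page, while a short allowlist of
update domains still resolves normally so patch installers can be fetched.
All addresses, MACs and domain names below are constructed placeholders.
"""
from __future__ import annotations

# Constructed: address of the host serving the pre-registration CGI.
PORTAL_IP = "192.0.2.1"

# Constructed registration table, keyed on client MAC address (assumption:
# the registered/unregistered split is tracked per MAC).
REGISTERED_MACS = {
    "00:11:22:33:44:55",
    "aa:bb:cc:dd:ee:ff",
}

# Constructed allowlist of domain suffixes that unregistered clients may still
# resolve (placeholders standing in for vendor update domains).
UPDATE_DOMAIN_SUFFIXES = (
    "update.example.com",
    "patches.example.edu",
)

# Constructed stand-in for the campus recursive resolver.
UPSTREAM_RECORDS = {
    "update.example.com": "198.51.100.10",
    "download.update.example.com": "198.51.100.11",
    "mirror.patches.example.edu": "198.51.100.20",
    "www.example.org": "203.0.113.5",
}


def normalize_name(qname: str) -> str:
    """Lower-case a DNS name and drop the trailing dot of an FQDN."""
    return qname.rstrip(".").lower()


def normalize_mac(mac: str) -> str:
    """Accept 00-11-22-33-44-55 or 00:11:22:33:44:55 and return the colon form."""
    return mac.replace("-", ":").lower()


def name_under_suffix(qname: str, suffix: str) -> bool:
    """True if qname equals suffix or is a subdomain of it.

    Matching on a label boundary matters: a plain substring check would let
    'notupdate.example.com' or 'update.example.com.evil.test' through the
    allowlist, which is exactly the hole a quarantine network must not have.
    """
    qname = normalize_name(qname)
    suffix = normalize_name(suffix)
    return qname == suffix or qname.endswith("." + suffix)


def upstream_lookup(qname: str) -> str | None:
    """Simulated upstream A lookup; None stands for NXDOMAIN."""
    return UPSTREAM_RECORDS.get(normalize_name(qname))


def resolve_for_client(client_mac: str, qname: str) -> str | None:
    """Decide which A record the quarantine resolver hands back.

    Registered clients get normal resolution. Unregistered clients get normal
    resolution only for allowlisted update domains; every other name, even one
    that does not exist, is answered with the portal address so the browser
    lands on the pre-registration page.
    """
    if normalize_mac(client_mac) in REGISTERED_MACS:
        return upstream_lookup(qname)
    if any(name_under_suffix(qname, s) for s in UPDATE_DOMAIN_SUFFIXES):
        return upstream_lookup(qname)
    return PORTAL_IP


if __name__ == "__main__":
    for mac, name in [
        ("00:11:22:33:44:55", "www.example.org"),
        ("de:ad:be:ef:00:01", "www.example.org"),
        ("de:ad:be:ef:00:01", "download.update.example.com"),
        ("de:ad:be:ef:00:01", "update.example.com.evil.test"),
    ]:
        print(f"{mac} {name:32} -> {resolve_for_client(mac, name)}")
```

Two points of the design are worth noting. The allowlist is matched on label boundaries, not substrings, so a lookalike name cannot ride out of quarantine on the update domains. And for allowlisted names the upstream answer (including NXDOMAIN) is passed through unchanged, while everything else is rewritten to the portal; that keeps the update client working and the rest of the quarantine behaviour consistent with what the reply describes.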