[unisog] NAT'ing Quarantine Networks to Windows Update

Frank Sweetser fs at WPI.EDU
Wed May 26 23:04:45 GMT 2004


On Wed, May 26, 2004 at 06:09:46PM -0400, Phil Rodrigues wrote:
> I know of at least one other University that also wants to do something 
> like this.  Has anyone else implemented this selective forwarding 
> successfully with the myriad of domains needed for Windows Update?  How 
> has it worked?  Is anyone else trying to NAT their private registration 
> / quarantine / remediation networks out to public update websites? 
> Anyone figure out how to secure those NAT'd networks?

We did a limited version of this last year, with very good results.
Unregistered systems get tricked via DNS to our pre-registration page, which is
a cgi that kicks off a standalone scanner for the biggest vulnerability at the
time.  By doing a limited scan, we got away with putting only the relevant
standalone patch installers up for download instead of trying to proxy or allow
full-blown Windows Update.  Long term, when we get a full blown WUS server on
campus, we'll most likely just point machines directly at that.

For redhat systems, we had a current server for up2date clients, but since
that project is now dead, and all of the freely available redhat/fedora updates
are already tagged for it, we've got a yum server that we're almost ready to
start advertising.

We honestly haven't worried too much about trying to truly secure the network
itself.  This registered/unregistered split wasn't meant to hold
determined hackers.  Instead, it's just meant to keep viruses from spreading
onto or off of machines until they've at least had a cursory examination, and
if found lacking, offer an explanation of what to do and why.

-- 
Frank Sweetser fs at wpi.edu
WPI Network Engineer
GPG fingerprint = 6174 1257 129E 0D21 D8D4  E8A3 8E39 29E3 E2E8 8CEC
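Editor's note: the DNS trick in the reply above (unregistered hosts get steered to the pre-registration page) and the "selective forwarding" in the quoted question both come down to one policy decision in the quarantine network's resolver: which address to hand a given client for a given name. The following is an added example, not code from Frank or WPI, that implements that decision and wraps it in real DNS wire format so it can be exercised offline. Everything in it is assumed for illustration: the portal address PORTAL_IP, the UPDATE_ALLOWLIST of update hosts, and the UPSTREAM table, which is a constructed stand-in for real recursion. The names and addresses are not from the original post.

```python
"""Quarantine DNS policy resolver (added example, not from the original post).

An unregistered client gets the pre-registration portal's address for every
name except an allowlist of update hosts; a registered client gets the real
answer.  UPSTREAM is a constructed table standing in for real recursion so the
example runs offline.
"""
import struct
import ipaddress

# --- Assumed values, not from the original post ---------------------------
PORTAL_IP = "10.99.0.10"          # hypothetical pre-registration page
UPDATE_ALLOWLIST = (              # hypothetical allowlist of update hosts
    "windowsupdate.com",
    "update.microsoft.com",
)
UPSTREAM = {                      # constructed stand-in for upstream recursion
    "www.example.edu": "192.0.2.10",
    "v4.windowsupdate.com": "192.0.2.20",
    "download.windowsupdate.com": "192.0.2.21",
}


def in_allowlist(qname, allowlist=UPDATE_ALLOWLIST):
    """True if qname is an allowlisted domain or a subdomain of one.
    Match on label boundaries: a bare substring/endswith check would let
    'evilwindowsupdate.com' through the quarantine."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in allowlist)


class QuarantineResolver:
    def __init__(self, registered, portal_ip=PORTAL_IP, upstream=UPSTREAM,
                 allowlist=UPDATE_ALLOWLIST):
        self.registered = set(registered)   # client IPs that passed registration
        self.portal_ip = portal_ip
        self.upstream = upstream
        self.allowlist = allowlist

    def resolve(self, client_ip, qname):
        """Policy decision: returns (answer_ip_or_None, reason)."""
        real = self.upstream.get(qname.lower().rstrip("."))
        if client_ip in self.registered:
            return real, "registered"
        if in_allowlist(qname, self.allowlist):
            return real, "allowlisted update host"
        return self.portal_ip, "unregistered -> portal"

    def handle(self, client_ip, query):
        """Take a raw DNS query packet, return the raw response packet."""
        _, qname, _, _, _ = parse_question(query)
        answer_ip, _ = self.resolve(client_ip, qname)
        return build_response(query, answer_ip)


# --- Minimal DNS wire format (single uncompressed question, one A answer) --
def encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, txid=0x1234):
    """Standard A/IN query with RD set, as a stub resolver would send."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_question(packet):
    """Return (txid, qname, qtype, qclass, offset_after_question)."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        ln = packet[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + ln].decode("ascii"))
        pos += ln
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype, qclass, pos + 4


def build_response(query, answer_ip, ttl=5):
    """Echo the question and append one A record.  A short TTL means the
    client re-asks soon after it registers instead of sitting on the portal
    address.  Unknown name -> NXDOMAIN; non-A query -> NOERROR, no data."""
    txid, _, qtype, qclass, qend = parse_question(query)
    question = query[12:qend]
    if answer_ip is None:
        return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question
    if qtype != 1 or qclass != 1:
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
    rr = (b"\xc0\x0c"                       # pointer to the question name
          + struct.pack("!HHIH", 1, 1, ttl, 4)
          + ipaddress.IPv4Address(answer_ip).packed)
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + rr


def first_a_record(response):
    """Pull the A record out of a response built above, or None."""
    ancount = struct.unpack("!H", response[6:8])[0]
    if ancount == 0:
        return None
    _, _, _, _, pos = parse_question(response)
    pos += 2                                # skip the name pointer
    rtype, _, _, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
    pos += 10
    if rtype != 1 or rdlen != 4:
        return None
    return str(ipaddress.IPv4Address(response[pos:pos + 4]))


if __name__ == "__main__":
    r = QuarantineResolver(registered={"10.1.1.5"})
    for client, name in [("10.1.1.9", "www.example.edu"),
                         ("10.1.1.9", "v4.windowsupdate.com"),
                         ("10.1.1.5", "www.example.edu")]:
        print(client, name, "->", first_a_record(r.handle(client, build_query(name))))
```

Two practitioner caveats that the example makes visible: allowlist matching must be on label boundaries, and the portal answer needs a short TTL, or a host that registers keeps the cached portal address. This only decides what the resolver says; it does nothing about a host that already holds a real address or talks to an IP directly, which is why the quoted question about securing the NAT'd path itself still stands.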