[unisog] NAT'ing Quarantine Networks to Windows Update

Daniel Bidwell bidwell at andrews.edu
Thu May 27 01:41:16 GMT 2004

On Wed, 2004-05-26 at 18:09, Phil Rodrigues wrote:
> Hi all,
> Like many of you, NYU is trying to get a full-featured vulnerability 
> detection and remediation system in production before students return. 
> Some of you lucky &@#$'s even have it working already. :-)
> In brief, the plan is to have DHCP and DNS servers very similar to 
> NetReg forward clients to our registration system, where a scan will be 
> requested.  We are using LVS to cluster a few pieces of hardware into 
> one virtual Nessus server, and will either use nessus::scanlite or 
> something very similar to request a fast scan from the cluster.  If the 
> host passes they get registered, if they fail they get forwarded to a 
> remediation website that instructs them how to fix their problem.  This 
> should all sound pretty familiar by now.
> My goal is to not have the clients install anything extra, but rather to 
> leverage the vendors pre-existing update mechanisms where possible: 
> Microsoft's Windows Update, Symantec's LiveUpdate, Apple's Software 
> Updates, RedHat's up2date, etc.  In order to do this from their private 
> registration and/or quarantine networks we hope to enable PBR on a Cisco 
> 650x to route by source address (of those private networks) to a 
> separate NAT network that connects the private IPs to the Internet.  The 
> NAT network can be a 7200 or a PIX or a well-tuned Linux box.
> Jason Azze of Fairfield U already posted how they used (what BIND calls) 
> "selective forwarding" or "split DNS" to forward certain domains to a 
> public DNS server, and redirect all other requests to the internal 
> registration / quarantine / remediation system.  His post can be found here:
> http://www.dshield.org/pipermail/unisog/2004-May/007203.php
> I know of at least one other University that also wants to do something 
> like this.  Has anyone else implemented this selective forwarding 
> successfully with the myriad of domains needed for Windows Update?  How 
> has it worked?  Is anyone else trying to NAT their private registration 
> / quarantine / remediation networks out to public update websites? 
> Anyone figure out how to secure those NAT'd networks?
> And, the big question - anyone else want to help?  We already have a few 
> people working on different parts of this from different schools.  Final 
> results will vary by school, but a lot of the infrastructure and methods 
> should be very similar.  Anyone else in the same position that wants to 
> throw their two cents in?  Anyone done with their design and want to 
> discuss the merits of their particular implementation?
> Thanks for your time, and good luck in all of your summer projects.

At Andrews University we have adapted NetReg to run selected Nessus
plugins (we select which plugins are important now).  We have kept the
NetReg DNS scheme, but have put "pound" in front of the apache web
server to "proxy" web requests for certain domains, like microsoft.com,
so that Windows Update works via our "pound proxy".  We can use the
Nessus plugins for the most recent external vulnerabilities to Windows
that aren't patched and redirect them to windowsupdate.microsoft.com for
the full patches.  We no longer have to try to maintain the most recent
set of patches in all language editions.

Other candidates for our "pound proxy" include lavasoft.com for AdAware,
Stinger.exe from Network Associates, and SpyBot.

Our first implementation of NetReg was for our ResNet and Wireless Zone
networks.  We placed both networks into blocks of 8 class C's each with
the gateway at the bottom and the registration zone at the top.  We are
not reordering them to place the registration zone in the bottom class C
and a subnet mask that doesn't include the machines that have already
been registered.  This may slow down the viruses from attacking the
registered machines since they will appear to be on other networks.

We are now in the process of rearranging the campus network to place
nearly the entire campus behind a NetReg like system which will identify
who is responsible for each machine and make sure that they are up to
date on their patches.
> Phil
> Sr Network Security Analyst
> New York University
Daniel R. Bidwell	|	bidwell at andrews.edu
Andrews University	|	Information Technology Services
If two always agree, one of them is unnecessary
"Friends don't let friends do DOS"
"In theory, theory and practice are the same.
In practice, however, they are not."
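A BIND configuration for the selective-forwarding scheme both posts describe, added here as an illustration rather than taken from either post or from NetReg: the Windows Update names are forwarded to a real resolver that the quarantine network can reach, while every other name resolves to the registration server. The resolver address (192.0.2.53), the registration server address (10.0.0.1), the file names and the domain list are assumptions; the real list of hostnames Windows Update uses is longer and has to be maintained as it changes.

```conf
// named.conf for the quarantine/registration DNS server (assumed layout)
options {
    directory "/var/named";
    recursion yes;
    // Only answer the private registration/quarantine networks (assumed ranges).
    allow-query { 10.0.0.0/8; 192.168.0.0/16; };
};

// Names needed for Windows Update are forwarded to a real resolver.
// A more specific zone wins over the catch-all "." zone below.
// Assumed list: extend it with every hostname the update client contacts.
zone "windowsupdate.microsoft.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};
zone "microsoft.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};

// Everything else is answered locally and points at the registration server,
// so any other web request lands on the registration / remediation page.
zone "." {
    type master;
    file "netreg.root.zone";
};
```

The matching `netreg.root.zone` file (also assumed) is a wildcard zone: `$TTL 60`, an SOA and NS record for the registration server, and `* IN A 10.0.0.1` so that every unforwarded name resolves to it. The forwarded names only help if the quarantine network can actually reach those hosts, which is what the PBR/NAT path in the original question provides, so keep the NAT rules as narrow as the forwarded domain list.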
