Remote Access Quarantine (TechNet Magazine article)


http://www.microsoft.com/technet/technetmag/issues/2006/03/SecurityWatch/default.aspx


In those good old, easy-to-manage, pre-mobility days, personal computers presented few actual threats to a network. Sure, there was the occasional virus you’d get from a borrowed floppy disk, but the rate, or at least the speed, of infection was pretty low—limited substantially by the low bandwidth and high latency of "sneakernet" technology. In those days, computers were bulky behemoths that squatted on desks and never moved. They were secure because the network was secure, if there was one at all.


Alas, those halcyon days are behind us now, relegated to the dustbin of history. And indeed they should be. Mobile computers are wonderful! We can work, well, just about anywhere, slay monsters anywhere, play solitaire anywhere. The true advance, of course, was the combination of mobility and a network connection. Got 10 minutes? Haul out the laptop and check that e-mail. Who needs an office anymore?


Of course, Murphy never gets to rest. It seems that with every technological advance (that’s a euphemism for "another way your employer squeezes more work out of you"), there’s a dark side. Connected mobility’s dark side is the ease with which unscrupulous people can wreak havoc across an entire network.


Out-of-date portable computers that are routinely connected to multiple public networks, operated by people with an "I don’t really care" attitude, are the most dangerous thing I can envision. And when "I don’t really care" then wants to connect back to his corporate network, need I really describe the resulting carnage? Indeed, this exact scenario is arguably one of the fastest-growing infection vectors imaginable.

Comments (9)
  1. Anonymous says:

    Those of you who are taking advantage of the Remote Access Quarantine feature of Windows Server…

  2. Anonymous says:

    Thanks to Tony Soper for his recent post on Internet Security and Acceleration’s quarantine tool

    Windows…

  3. Alun Jones says:

    … and, of course, studying up on RAQ will allow you to be well-versed in the concepts used in NAP – Network Access Protection – coming in Longhorn. That’s where you’ll find a really strong protection against the returning road-warrior.

  4. Dan Halford says:

    Of course, using a remote access solution like Citrix’s Access Gateway can minimise the risk now.

    Is your machine running corporate standard AV? Is your firewall running? No? … then you, Mr 0wn3d User, get to access your email via a proxied web-mail client, and a couple of published applications. And that’s it.

    Is your machine fully-patched and secured? Yes? Excellent – have full access to the corporate network.

  5. steriley says:

    Actually, Alun, the plan of record now is that there’s no automatic migration from RAQ to NAP. There might be a quick-and-dirty RAQ script translator, but nothing’s firm yet. From what I understand, there wasn’t much customer interest in a full migration plan.

  6. Alun Jones says:

    I hadn’t thought in terms of a migration path, to be honest – I was thinking more that learning about the concepts of RAQ would allow an administrator to more clearly understand NAP when it comes along.

  7. John Biasi says:

    The Remote Access Quarantine sounds like a great solution, but what about those of us who don’t use RRAS as the VPN endpoint? I’m dealing with a Cisco VPN Concentrator, and I’d love to be able to apply this technology to that device.

    Cisco has a solution called Network Admission Control, but I get the impression that it deals more with users on the LAN rather than remote access.

  8. steriley says:

    John, RAQ is a Windows Server feature, and thus requires Windows Server RRAS.

    I’m not all that familiar with Cisco’s NAC, so I don’t know whether it would work with your VPN concentrator.

  9. Scott Melnick says:

    Actually, with the Cisco concentrator, if you use the SSL VPN you will get the secure remote desktop, which of course lets you verify anything about the client’s machine before they are allowed to get a full connection.
