I believe that the common practice is to allow a small subset
of known networks required to update operating systems and virus
scanners through to your remediation or isolation VLAN.

I believe that there is also a PF setting that allows certain
violations to be overridden for a short period of time via the
captive portal, so that the client has access to the Internet long
enough to install patches.  If they don't, it nags them again and
ultimately shuts them down if they skip it too many times.  We don't
use the feature, so I cannot comment on the specifics or how it
works...

-Arthur

-------------------------------------------------------------------------
Arthur Emerson III                 Email:      [email protected]
Network Administrator              InterNIC:   AE81
Mount Saint Mary College           MaBell:     (845) 561-0800 Ext. 3109
330 Powell Ave.                    Fax:        (845) 562-6762
Newburgh, NY  12550                SneakerNet: Aquinas Hall Room 11
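The restricted egress Arthur describes, as an added example that is not PacketFence's own code or Arthur's: a small generator for Linux iptables FORWARD rules that lets the isolation VLAN reach only an allowlist of update networks plus one DNS server, and logs and rejects everything else. It assumes the isolation VLAN is routed through a Linux firewall; the interface name, DNS address and the update networks are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from PacketFence or the thread's authors).
# Assumed placeholders: replace with your isolation VLAN interface, your
# resolver, and the published address ranges of your OS/AV update sources.
ISO_IF="${ISO_IF:-vlan99}"
DNS_SERVER="${DNS_SERVER:-10.0.0.53}"
UPDATE_NETS="${UPDATE_NETS:-203.0.113.0/24 198.51.100.0/24}"   # constructed sample ranges

# Print the iptables commands rather than applying them, so the policy can be
# reviewed (or piped to sh) before it goes live on the firewall.
gen_isolation_rules() {
    iso_if="$1"; dns="$2"; nets="$3"
    # Return traffic for connections the quarantined host already opened.
    echo "iptables -A FORWARD -i $iso_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Name resolution only to the resolver you control.
    echo "iptables -A FORWARD -i $iso_if -d $dns -p udp --dport 53 -j ACCEPT"
    # HTTP/HTTPS only to the update networks; nothing else on the Internet.
    for net in $nets; do
        echo "iptables -A FORWARD -i $iso_if -d $net -p tcp -m multiport --dports 80,443 -j ACCEPT"
    done
    # Rate-limited log of denied flows helps spot hosts that cannot reach their updater.
    echo "iptables -A FORWARD -i $iso_if -m limit --limit 5/min -j LOG --log-prefix \"ISO-DENY: \""
    # Explicit reject (not silent drop) so the client's browser fails fast.
    echo "iptables -A FORWARD -i $iso_if -j REJECT --reject-with icmp-admin-prohibited"
}

# Number of ACCEPT rules produced: 2 fixed + one per update network.
count_accept_rules() { gen_isolation_rules "$@" | grep -c -- '-j ACCEPT'; }

gen_isolation_rules "$ISO_IF" "$DNS_SERVER" "$UPDATE_NETS"
```

The allowlist deliberately does not cover the captive portal itself; the portal sits on the isolation VLAN and is reached without forwarding, so the quarantine message still appears while patches download.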

On Mar 10, 2014, at 7:03 PM, forbmsyn <[email protected]> wrote:

Hi experts,

Can you please share with me your experience in dealing with violations?

In my case, when a violation was triggered after the Nessus scan finished,
the switch port was put into the isolation VLAN. At the same time a
message like the one below was shown in the client's browser:

"Quarantine Established! Windows Patches Are Not Up-to-Date. Due to the threat 
this poses for other systems on the network, network connectivity has been 
disabled until corrective action is taken. ...."

The question is: because the isolation VLAN does not have internet access, how
does the client address the problem, for example, download patches?

If I give the isolation VLAN access to the internet by connecting the isolation
VLAN to another VLAN that has internet access, then the above warning message
won't appear on the client's system.

How do I let the client know that their system has a security issue that needs
to be addressed, while at the same time they still have access to the internet
to fix the problem?

What is your network design in your real scenario?

Thanks a lot in advance.

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users