The marketing term for what we are talking about is "Self Remediation".

Self Remediation (SR) is nice but it can become a bit of a bear to manage if not done correctly. In theory the best method for SR is with PF deployed in an in-line configuration since you can have such fine-grained control over what a user has access to using iptables. However, in-line mode is not very scalable and is not recommended for medium or large scale deployments. In vlan enforcement mode SR is achievable by a few methods, depending on your network and the access you are allowing. I use the simplest method of SR, which is basically putting in the necessary DNS information to allow users to correctly resolve the domain of the site I want to allow access to. The nuts-and-bolts of the networking side of this approach and the security implications can be discussed in another email if you want.

Let's say that I want my users to be able to scan their computer with malwarebytes while in the violation vlan. I can host the malwarebytes binary on my server and allow them access, or I can put the DNS info for malwarebytes.com in my isolation DNS config and put a link to malwarebytes on the violation page that the user is shown. Since in vlan mode PF uses DNS to deny network access by redirecting all DNS queries with wildcard DNS entries, you can allow specific queries to return the real results, thus allowing the user to access that resource whilst still in the violation vlan. Naturally you would want to be very selective in what you allow your users access to, but it does let your users do some of the leg work of removing the "undesirable software" from their system.

SR relies on two things that can be its Achilles heel: 1) it relies on your users wanting to help themselves, and 2) it relies on the users being computer savvy enough to run the tools and follow the instructions they spit out. The new versions of PF may have a better way to handle SR than editing the config files directly, but I do not know. We did it through the config files and it worked fine. Our users just didn't want to or couldn't do the necessary work to clear their machine of malware.

I hope that helps, and I hope I have understood your question correctly : )

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU
900 College St.
Belton, Texas 76513
Fone: 254-295-4658
Phax: 254-295-4221

________________________________
From: Arthur Emerson III [[email protected]]
Sent: Tuesday, March 11, 2014 1:28 PM
To: [email protected]
Subject: Re: [PacketFence-users] How to deal with violation

I believe that the common practice is to allow a small subset of known networks required to update operating systems and virus scanners through to your remediation or isolation VLAN. I believe that there is also a PF setting that allows certain violations to be overridden for a short period of time via the captive portal, so that the client has access to the Internet long enough to install patches. If they don't, it nags them again and ultimately shuts them down if they skip it too many times. We don't use the feature, so I cannot comment on the specifics or how it works...

-Arthur

-------------------------------------------------------------------------
Arthur Emerson III                 Email: [email protected]
Network Administrator              InterNIC: AE81
Mount Saint Mary College           MaBell: (845) 561-0800 Ext. 3109
330 Powell Ave.                    Fax: (845) 562-6762
Newburgh, NY 12550                 SneakerNet: Aquinas Hall Room 11

On Mar 10, 2014, at 7:03 PM, forbmsyn <[email protected]> wrote:

Hi experts,

Can you please share your experience in dealing with the violation? In my case, when a violation was triggered after the Nessus scanning finished, the switch port was put into isolation vlan. At the same time there was a message shown on the client's browser like below:

"Quarantine Established! Windows Patches Are Not Up-to-Date. Due to the threat this poses for other systems on the network, network connectivity has been disabled until corrective action is taken. ...."

The question is: Because the isolation vlan does not have internet access, how does the client address the problem, for example, download a patch? If I give the isolation vlan access to the internet by connecting the isolation vlan to another vlan which has internet access, then the above warning message won't appear on the client's system. How do I let the client know that their system has a security issue and needs addressing, and at the same time let them have access to the internet to fix the problem? What is your network design in your real scenario?

Thanks a lot in advance.

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
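Jake's isolation-DNS approach, as an added toy model that is not from the thread or from PacketFence itself: every name resolves to the captive portal unless it falls under an allow-listed domain, in which case the real answer is returned. The portal address, the allow-list contents and the upstream answers are all constructed; the point it adds is that the allow-list must match on whole labels, since a naive suffix check would also let "notmalwarebytes.com" through.

```python
# Added example (not from the thread or PacketFence): a toy model of the
# wildcard-plus-allow-list DNS policy used in the isolation VLAN.
# Sample data below is constructed for illustration.

PORTAL_IP = "192.0.2.10"                 # constructed: PF captive portal
ALLOWED_DOMAINS = {"malwarebytes.com"}   # domains users may really reach

# Constructed stand-in for what the real upstream resolver would answer.
UPSTREAM = {
    "www.malwarebytes.com": "198.51.100.7",
    "downloads.malwarebytes.com": "198.51.100.8",
    "www.example.org": "203.0.113.5",
    "notmalwarebytes.com": "203.0.113.9",
}

def is_allowed(qname, allowed=ALLOWED_DOMAINS):
    """True if qname is an allow-listed domain or a subdomain of one.

    Matching is done on whole labels, so "notmalwarebytes.com" does not
    match "malwarebytes.com" the way a plain endswith() check would.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in allowed:
            return True
    return False

def resolve(qname, upstream=UPSTREAM):
    """Answer a query the way the isolation DNS would."""
    if is_allowed(qname):
        # Allowed: hand the query to the real resolver (here, the constructed
        # table; None stands in for an upstream NXDOMAIN).
        return upstream.get(qname.rstrip(".").lower())
    # Everything else hits the wildcard entry and lands on the portal,
    # which is where the violation page is shown.
    return PORTAL_IP

if __name__ == "__main__":
    for q in ("downloads.malwarebytes.com", "www.example.org",
              "notmalwarebytes.com"):
        print(f"{q:30} -> {resolve(q)}")
```

The wildcard only gates name resolution, so a host that reaches an address directly by IP is not affected by it; that is one reason to be as selective as Jake suggests.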
