Hi Andi,
On the Remediation tab, I set "Grace" to 10 minutes and "Window" to 2
minutes. When a violation occurred on a device after it was scanned by Nessus,
it was put into the isolation VLAN. After 2 minutes it was changed to its
destination VLAN, which is employee_vlan in my case, to get the chance to
fix the problem. I was expecting it would be switched back to the isolation
VLAN after 10 minutes, so that the device could be scanned again, but it
didn't happen.
Is there anything else I need to check?
Regards,
Jacky
On Wed, Mar 12, 2014 at 5:04 AM, Morris, Andi <[email protected]> wrote:
> We plan to attack this in a similar way, although this is just theory at
> the moment.
>
> Nodes detected by snort/suricata/SoH to have certain signatures get put in
> the isolation network, and the user is instructed why they have been put
> there by the information on the relevant captive portal webpage.
>
> On that captive portal webpage we will allow users to re-enable their
> network, allowing them back onto the production network in order to
> remediate the problem. Each type of violation will have a certain grace
> period, depending on the severity.
>
> E.g. SoH picks up that the device's antivirus software is out of date. PF
> traps this and puts the device in the isolation network, not allowing the
> user to go anywhere on the internet. The page they are presented with tells
> them that their antivirus software is out of date, and gives them some
> advice about how to update, and where free antivirus software can be
> downloaded from. Also there would be helpdesk contact information should
> they require support with this.
> On the same page there is a "Enable Network" button, which allows them
> back onto the network for 1 day, giving them time to update their AV
> software. However, should they not update the software within that day,
> they'll get put back in the isolation network the next day... and the cycle
> will continue until they either remediate the problem, or they run out of
> times that they are allowed to let themselves back onto the network, in
> this instance it's 3 times. At this time they have to contact the helpdesk
> to be allowed back onto the network, who will give them a slap on the
> wrist, update the AV software and the device is then allowed back onto the
> network.
>
> Another string to this bow is allowing access to certain websites when
> trapped in the isolation network. From our point of view we would likely
> allow access to certain areas on our website, which provide guides in
> updating antivirus software etc, as well as allowing access to the most
> popular AV vendors webpages, Windows Updates, etc. This is all done through
> the proxy passthrough element in PF.
>
> Cheers,
> Andi
>
> -----Original Message-----
> From: Sallee, Jake [mailto:[email protected]]
> Sent: 11 March 2014 19:44
> To: [email protected]
> Subject: Re: [PacketFence-users] How to deal with violation
>
> The marketing term for what we are talking about is "Self Remediation".
>
> Self Remediation (SR) is nice but it can become a bit of a bear to manage
> if not done correctly.
>
> In theory the best method for SR is with PF deployed in an in-line
> configuration since you can have such fine grained control over what a user
> has access to using iptables.
>
> However, in-line mode is not very scalable and is not recommended for
> medium or large scale deployments.
>
> In vlan enforcement mode SR is achievable by a few methods, depending on
> your network and the access you are allowing.
>
> I use the simplest method of SR that is basically putting in the necessary
> DNS information to allow users to correctly resolve the domain of the site
> I want to allow access to. The nuts-and-bolts of the networking side of
> this approach and the security implications can be discussed in another
> email if you want.
>
> Let's say that I want my users to be able to scan their computer with
> malwarebytes while in the violation vlan. I can host the malwarebytes
> binary on my server and allow them access or I can put the DNS info for
> malwarebytes.com in my isolation DNS config and put a link to
> malwarebytes on the violation page that the user is shown.
>
> Since in vlan mode PF uses DNS to deny network access by redirecting all
> DNS queries with wildcard DNS entries, you can allow specific queries to
> return the real results, thus allowing the user to access that resource
> whilst still in the violation vlan.
>
> Naturally you would want to be very selective in what you allow your users
> access to, but it does let your users do some of the leg work of removing
> the "undesirable software" from their system.
>
> SR relies on two things that can be its Achilles heel: 1) It relies on
> your users wanting to help themselves, and 2) it relies on the users being
> computer savvy enough to run the tools and follow the instructions they spit
> out.
>
> The new versions of PF may have a better way to handle SR than editing the
> config files directly but I do not know. We did it through the config files
> and it worked fine. Our users just didn't want to or couldn't do the
> necessary work to clear their machine of malware.
>
> I hope that helps, and I hope I have understood your question correctly : )
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
> ________________________________
> From: Arthur Emerson III [[email protected]]
> Sent: Tuesday, March 11, 2014 1:28 PM
> To: [email protected]
> Subject: Re: [PacketFence-users] How to deal with violation
>
> I believe that the common practice is to allow a small subset of known
> networks required to update operating systems and virus scanners through to
> your remediation or isolation VLAN.
>
> I believe that there is also a PF setting that allows certain violations
> to be overridden for a short period of time via the captive portal, so that
> the client has access to the Internet long enough to install patches. If
> they don't, it nags them again and ultimately shuts them down if they skip
> it too many times. We don't use the feature, so I cannot comment on the
> specifics or how it works...
>
> -Arthur
>
> -------------------------------------------------------------------------
> Arthur Emerson III Email: [email protected]
> Network Administrator InterNIC: AE81
> Mount Saint Mary College MaBell: (845) 561-0800 Ext. 3109
> 330 Powell Ave. Fax: (845) 562-6762
> Newburgh, NY 12550 SneakerNet: Aquinas Hall Room 11
>
> On Mar 10, 2014, at 7:03 PM, forbmsyn <[email protected]> wrote:
>
> Hi experts,
>
> Can you please share your experience in dealing with violations with me?
>
> In my case, when a violation was triggered after the Nessus scanning
> finished, the switch port was put into isolation vlan. At the same time
> there was a message shown on client's browser like below:
>
> "Quarantine Established! Windows Patches Are Not Up-to-Date. Due to the
> threat this poses for other systems on the network, network connectivity
> has been disabled until corrective action is taken. ...."
>
> The question is: because the isolation vlan does not have internet access,
> how does the client address the problem, for example, download a patch?
>
> If I give the isolation vlan access to internet by connecting the
> isolation vlan to other vlan which has internet access, then the above
> warning message won't appear on client's system.
>
> How do I let the client know that their system has a security issue that
> needs to be addressed, and at the same time give them access to the internet
> to fix the problem?
>
> What is your network design in your real scenario?
>
> Thanks a lot in advance.
>
>
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
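The split-DNS idea Jake describes above (a wildcard catch-all that sends every name to the captive portal, with a short list of zones that are passed through to the real answer) is modelled in this added example. It is editor-supplied illustration code, not PacketFence's own resolver or configuration; the portal address, hostnames and upstream answers are constructed sample data, and `audit_zones` is a hypothetical helper that flags allow-list entries broad enough to undo the isolation.

```python
# Added example (not from the thread or from PacketFence): models the
# isolation-VLAN DNS policy. Every query resolves to the captive portal
# unless it falls under an explicitly allowed zone, in which case the
# "real" upstream answer is returned, so a quarantined user can still
# reach e.g. an AV vendor or Windows Update while seeing the portal
# page for everything else. All addresses/names below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PORTAL_IP = "192.0.2.10"  # constructed: PF captive portal in the isolation VLAN

# constructed stand-in for what the real upstream resolver would return
UPSTREAM: Dict[str, str] = {
    "www.malwarebytes.com": "198.51.100.7",
    "cdn.malwarebytes.com": "198.51.100.8",
    "download.windowsupdate.com": "203.0.113.20",
    "www.example.org": "203.0.113.99",
}


def _norm(name: str) -> str:
    """Lower-case and strip a trailing dot so matching is case/FQDN-insensitive."""
    return name.lower().rstrip(".")


@dataclass
class IsolationResolver:
    allowed_zones: List[str]                      # zones passed through to upstream
    upstream: Dict[str, str] = field(default_factory=lambda: dict(UPSTREAM))
    log: List[str] = field(default_factory=list)  # what a defender would review

    def is_allowed(self, name: str) -> bool:
        n = _norm(name)
        # exact zone or a label under it; the "." boundary stops
        # "evil-malwarebytes.com" from matching "malwarebytes.com"
        return any(n == z or n.endswith("." + z) for z in map(_norm, self.allowed_zones))

    def resolve(self, name: str) -> Optional[str]:
        n = _norm(name)
        if self.is_allowed(n):
            answer = self.upstream.get(n)           # None models NXDOMAIN upstream
            self.log.append(f"PASS {n} -> {answer}")
            return answer
        self.log.append(f"REDIRECT {n} -> {PORTAL_IP}")
        return PORTAL_IP                            # wildcard catch-all


def audit_zones(zones: List[str]) -> List[str]:
    """Hypothetical check: single-label zones (e.g. 'com') would pass through
    effectively everything, defeating the isolation. Returns the offenders."""
    return [z for z in zones if len(_norm(z).split(".")) < 2]
```

Every query is logged with its disposition, which is the record worth keeping when deciding whether a pass-through entry is being abused or is broader than intended.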