Remote Access Quarantine (TechNet Magazine article)
https://www.microsoft.com/technet/technetmag/issues/2006/03/SecurityWatch/default.aspx
In those good old easy-to-manage pre-mobility days, personal computers presented few actual threats to a network. Sure, there was the occasional virus you’d get from a borrowed floppy disk, but the rate, or at least the speed, of infection was pretty low—limited substantially by the low bandwidth and high latency of "sneakernet" technology. In those days, computers were bulky behemoths that squatted on desks and never moved. They were secure because the network was secure, if there was one at all.
Alas, those halcyon days are behind us now, relegated to the dustbin of history. And indeed they should be. Mobile computers are wonderful! We can work, well, just about anywhere, slay monsters anywhere, play solitaire anywhere. The true advance, of course, was the combination of mobility and a network connection. Got 10 minutes? Haul out the laptop and check that e-mail. Who needs an office anymore?
Of course, Murphy never gets to rest. It seems that with every technological advance (that’s a euphemism for "another way your employer squeezes more work out of you"), there’s a dark side. Connected mobility’s dark side is the ease with which unscrupulous people can wreak havoc across an entire network.
Armed with a portable computer that’s routinely connected to multiple public networks, out-of-date machines operated by people with an "I don’t really care" attitude are the most dangerous thing I can envision. And when "I don’t really care" then wants to connect back to his corporate network, need I really describe the resulting carnage? Indeed, this exact scenario is arguably one of the fastest-growing infection vectors imaginable.
Comments
- Anonymous
January 01, 2003
Those of you who are taking advantage of the Remote Access Quarantine feature of Windows Server... - Anonymous
January 01, 2003
Thanks to Tony Soper for his recent post on Internet Security and Acceleration's quarantine tool
Windows... - Anonymous
February 28, 2006
... and, of course, studying up on RAQ will allow you to be well-versed in the concepts used in NAP - Network Access Protection - coming in Longhorn. That's where you'll find a really strong protection against the returning road-warrior. - Anonymous
February 28, 2006
Of course, using a remote access solution like Citrix's Access Gateway can minimise the risk now.
Is your machine running corporate standard AV? Is your firewall running? No? ... then you, Mr 0wn3d User, get to access your email via a proxied web-mail client, and a couple of published applications. And that's it.
Is your machine fully-patched and secured? Yes? Excellent - have full access to the corporate network. - Anonymous
March 02, 2006
Actually, Alun, the plan of record now is that there's no automatic migration from RAQ to NAP. There might be a quick-and-dirty RAQ script translator, but nothing's firm yet. From what I understand, there wasn't much customer interest in a full migration plan. - Anonymous
March 06, 2006
I hadn't thought in terms of a migration path, to be honest - I was thinking more that learning about the concepts of RAQ would allow an administrator to more clearly understand NAP when it comes along. - Anonymous
March 08, 2006
The Remote Access Quarantine sounds like a great solution, but what about those of us who don't use RRAS as the VPN endpoint? I'm dealing with a Cisco VPN Concentrator, and I'd love to be able to apply this technology to that device.
Cisco has a solution called Network Admission Control, but I get the impression that it deals more with users on the LAN rather than remote access. - Anonymous
March 09, 2006
John, RAQ is a Windows Server feature, and thus requires Windows Server RRAS.
I'm not all that familiar with Cisco's NAC, so I don't know whether it would work with your VPN concentrator. - Anonymous
March 23, 2006
Actually, with the cisco concentrator, if you use the SSL vpn you will get the secure remote desktop. Which of course you can verify anything about the clients machine before they are allowed to get a full connection.