ISA 2004 / QSS Quarantine Scenarios
The best way to show that quarantine is a worthwhile technology is to walk through basic scenarios that IT professionals know well.
In each scenario, you will see how to protect your company with
Single VPN gateway
The most common scenario is the one illustrated above: a company with a single site wants to offer VPN access to its employees, and at the same time protect its internal network from the threats that roaming users bring back with them.
The company installs an
These two QSS components provide steps B to Z of the quarantine infrastructure; step A, placing the remote user in the VPN Quarantine network at connection time, is provided by ISA Server 2004.
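ISA Server 2004's own quarantine control is built on the remote-access quarantine mechanism of Windows Server 2003: the VPN client lands in the Quarantined VPN Clients network, a post-connect script in its Connection Manager profile inspects the machine, and only a successful notification from the client (rqc.exe) to the quarantine listener on the gateway (rqs.exe) moves the client to the normal VPN Clients network. The script below is an added example of that native mechanism; it is not QSS code and does not come from this page. QSS exists precisely to replace hand-written checks like these with a centrally managed policy. The Windows Firewall registry check is real for Windows XP SP2; the antivirus file path, the script version string and the remediation URL are assumptions.

```batch
@echo off
rem Post-connect quarantine script for a Connection Manager (CM) profile.
rem Added example of the Windows Server 2003 / ISA 2004 native mechanism,
rem not QSS code. CM sets %ServiceDir%, %DialRasEntry%, %TunnelRasEntry%,
rem %Domain% and %UserName% before running this script.
setlocal

rem TCP port the quarantine listener (rqs.exe) uses by default.
set RQC_PORT=7250
rem Version string that the listener compares against its accepted-script list
rem (assumed value; it must match the gateway configuration).
set SCRIPT_VERSION=1.0
set POLICY_OK=1

rem Check 1: Windows Firewall (XP SP2) is enabled for the standard profile.
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall | find "0x1" >nul
if errorlevel 1 (
    echo Quarantine: Windows Firewall is disabled.
    set POLICY_OK=0
)

rem Check 2: antivirus signature file is present (hypothetical path; real
rem products expose their signature state differently).
set AV_SIG=%ProgramFiles%\ExampleAV\signatures.dat
if not exist "%AV_SIG%" (
    echo Quarantine: antivirus signatures not found.
    set POLICY_OK=0
)

if "%POLICY_OK%"=="0" goto noncompliant

rem Compliant: notify the listener on the gateway. rqc.exe sends the connection
rem names, domain, user and script version; rqs.exe lifts the quarantine only
rem if the script version is on its accepted list.
"%ServiceDir%\rqc.exe" %DialRasEntry% %TunnelRasEntry% %RQC_PORT% %Domain% %UserName% %SCRIPT_VERSION%
if errorlevel 1 (
    echo Quarantine: the gateway did not accept the compliance notification.
    exit /b 1
)
echo Quarantine lifted.
exit /b 0

:noncompliant
rem No rqc.exe call is made, so the client stays in the quarantine network until
rem the quarantine timeout disconnects it. Point the user at remediation.
echo Your computer does not meet the security policy. See http://intranet/remediation
exit /b 1
```

The important property is that the client never decides its own fate: it can only report compliance, and the gateway keeps it isolated until that report arrives with an accepted script version. A client that skips the script simply stays quarantined and is disconnected when the timeout expires.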
Multiple VPN gateways
In this scenario, a company has sites all over the world (here, one in New York City and one in Paris). The IT team has decided to deploy two VPN gateways, one per site.
QSS Approval Server is installed on both ISA gateways.
From a single console located in Paris, the IT team can review the day's threats, modify the security policy and deploy it worldwide in a few seconds.
With more than two gateways, the deployment process stays the same. Because a policy is a tiny XML file, deployment usually takes less than five seconds.
ISP (shared by X companies)
This is the ISP scenario. An ISP provides a VPN infrastructure to many different customers (companies A, B and C). All the roaming users connect through a high-availability VPN infrastructure (ISA Server Enterprise Edition, for example). The ISA machines run QSS Approval Server.
Because QSS supports multiple security policies, each company can define and maintain its own.
Each customer's administrator maintains that policy locally and pushes it to the ISP.
The ISP can therefore offer a highly secure infrastructure to its customers without maintaining the security policies itself; that work stays with the customer.
Quarantine on LAN
You may think this scenario is odd, but take a second to analyze it! If a roaming user, back from a three-month trip, connects to your internal network (via a switch or a Wi-Fi access point), what happens if the machine is infected? Anything from a nasty bug or two slipping into your network to a full-fledged disaster.
Since native quarantine for the LAN is not expected before NAP and Longhorn in 2007, is there any other way to prevent this kind of attack now?
The answer is YES!
You could adapt the VPN-Q idea into a VPN-Q-on-LAN solution.
Your ISA VPN Internet gateway is connected and provides VPN-Q to roaming users. You can then install another
This way, because the user connects through a VPN, you can use the quarantine capability supplied by
Let's talk about costs.
If you have searched the Internet for quarantine solutions, you have probably noticed that many vendors have decided to invest in this kind of technology. That proves the threat is real, but also that the products are not yet mature.
If you look at their "vision" of the infrastructure, you also know it will cost a lot of money. That is mostly a business approach rather than an R&D one.
In reality, implementing quarantine for VPN users today is not expensive at all.
As you can see, you can protect your company on a very small budget, which is rare when we talk about security solutions these days.
Don't wait ! Implement quarantine!
Esnouf.net is in no way affiliated with Microsoft Corp.
Copyright © 2004 Frédéric ESNOUF All rights reserved.