Virtual Private Network Quarantine

Published: November 4, 2005

By Tony Bailey
Microsoft Senior Product Manager
Security and Compliance Solutions

See other Security Tip of the Month columns

Although a virtual private network (VPN) provides secure access by encrypting data through the VPN tunnel, it does not prevent intrusions by malicious software, such as viruses or worms that initiate from the remote access computer. Virus or worm attacks can result from infected computers that connect to the LAN.

VPN quarantine works by delaying full connectivity to a private network while examining and validating the configuration of the remote access computer against organizational standards. If the computer that connects is not compliant with the organization's policy, the quarantine process can install service packs, security updates, and virus definitions before it allows the computer to connect to other network resources. VPN quarantine does not guarantee a complete security solution, but it helps prevent computers that have unsafe configurations from connecting to a private network. However, VPN quarantine does not protect a private network from malicious users who have obtained a valid set of credentials and who log on using computers that comply with the organization's computer health policy. VPN quarantine also does not protect against an authorized user who connects with a computer that meets the security requirements and then decides to perform a malicious attack.

A VPN quarantine solution can use either Remote Authentication Dial-In User Service (RADIUS) or Windows authentication, but RADIUS is the preferred method. Internet Authentication Service (IAS) is the Microsoft implementation of RADIUS.

VPN quarantine implements a modified process when the user attempts to connect to the remote network. The process includes the following steps:

  1. The computer performs a pre-connection check to ensure that the computer meets certain basic requirements. These might include hotfixes, security updates, and virus signatures. The pre-connection script stores the results of this check locally. An organization could also run post connection security checks.

  2. After the pre-connection checks have succeeded, the computer connects to the remote access server using VPN.

  3. The remote access server authenticates the user credentials with the RADIUS server against the stored user name and password in the Active Directory directory service. RADIUS is an optional component in this process.

  4. If Active Directory authenticates the user, the remote access server uses the VPN quarantine remote access policy to place the client in quarantine. The remote access client computer's access is limited to the quarantine resources specified by the remote access policy. Quarantine can be enforced in two possible ways on the remote access client computer: by using a specific time-out period so the client computer does not stay in quarantine indefinitely or by using an IP filter that restricts IP traffic to the specified network resources network only.

  5. The post-connection script notifies the remote access server that the client complies with the specified requirements. If the connection does not meet the requirements in the specified time-out period, the script notifies the user and drops the connection.

  6. The remote access server removes the client computer from quarantine mode by removing the IP filter and grants appropriate access to network resources specified by the remote access policy.

If the connection fails, the user receives a message that describes the reason for the failure.

For more information about VPN quarantine, see the Implementing Quarantine Services with Microsoft Virtual Private Network Planning Guide.