How does DNS wildcard redirection work?

DNS wildcard redirection leverages the DHCP scope options available from the DHCP server to force noncompliant systems to use a specific DNS server. DNS wildcard redirection allows all local name resolution requests to succeed for computers on the same DNS domain. All foreign server addresses are translated into the IP address of the remediation portal. The effect is that all requests (including non-HTTP requests) to resources outside of the domain are redirected to the remediation portal web server. However, you should note that this may result in unanticipated side effects.

When an HTTP request is made from a client in the quarantine VLAN, the following occurs:

The end user opens a web browser and the browser attempts to access the configured home page. If the user's home page is set to the URL http://technet.microsoft.com/security/default.aspx, a DNS lookup is initiated from the client to the DNS server listed in the client's TCP/IP settings (this list of DNS servers is normally configured using DHCP for clients using dynamic addressing) for the host technet in the microsoft.com domain.

The DNS server notes that it is an authoritative root server, meaning that it will not ask another DNS server for an answer to a DNS query, and searches its forward lookup zones for a match to this query. The DNS server looks inside the .com zone, and will not see a Microsoft domain, but it will see a DNS wildcard entry that matches the query:

    * CNAME <IP address of the portal server>

The DNS wildcard entry returns the IP address of the portal server to the client, and the client sends an HTTP GET request to the following:

    Connect to <IP address of portal server> on port 80... ok
    GET /security/default.aspx HTTP/1.1
    Host: technet.microsoft.com

Due to the redirection, the connection is made to the portal server on port 80 asking for the page at {{CONTEXT_ROOT}}/security/default.aspx with a hostname of technet.microsoft.com. The Tomcat web server on the portal server checks the path to determine if the page exists (on a default standalone installation the {{CONTEXT_ROOT}} is C:\Program Files\Common Files\McAfee\Tomcat\webapps, so the path checked would be C:\Program Files\Common Files\McAfee\Tomcat\webapps\security\default.aspx). Normally, if the page exists it would be returned to the client. However, for this page to be provided, the web server would have to be configured to handle all possible URLs, which is not possible. Since this page will not be found, the web server instead returns a 404 Not Found error page. To implement this remediation strategy, you would redirect all 404 errors to the remediation portal page at /Portal/default.htm.

At this point, the client's web request has been redirected to the remediation portal. Once at the portal, the user should be presented with hyperlinks pointing to repositories where remediation software (current DATs, MS Hotfixes, etc.) exists. If the hyperlinks point to servers inside the current domain, then name resolution should work. If the hyperlinks reference hosts that the local domain's DNS zone cannot resolve, then the host portion of the URL must be replaced with an IP address.

What are the advantages and drawbacks of using DNS wildcard redirection?

Advantages

- DNS wildcard redirection is easier than transparent proxy interception to implement.

Drawbacks

- Quarantined systems do not have access to the Internet, which would include Windows Update and McAfee.com.
- A Windows server is required in the quarantine VLAN to act as a web server and DNS server.
- Update content is required and must be available inside the local domain, preferably on the remediation portal server.
- All non-local network traffic accessed via a domain name is re-routed, not just HTTP traffic.
- Changes and customizations are required to the remediation portal included with the McAfee Policy Enforcer software, including:
  - Changing all relative src and href references to absolute paths.
  - Replacing the 404 error page on the remediation portal web server with a descriptive web page that explains what end users must do to remediate, or replacing the 404 error page with a redirection to the remediation portal.
  - Entering all Uniform Resource Identifiers (URIs), including Universal Naming Convention (UNC) paths and Uniform Resource Locators (URLs), that point into the custom portal with static IP addresses in place of the server name. This makes sure that noncompliant systems can access the pages without being improperly redirected to the remediation page.
  - Ensuring that any non-local resources can be reached.
  - Ensuring that any and all non-local domain name resolution returns the IP address of the remediation portal web server.
- This remediation strategy only works for systems that use DHCP to obtain their network configuration information. Systems that configure their DNS information manually cannot be remediated.

How does transparent proxy interception work?

Transparent proxy interception requires some significant configuration of a Linux operating system, including adding some basic routing functionality, a mechanism to re-write URLs, and a proxy server (Squid). It also requires either a layer-four switch to intercept the HTTP requests, or Policy Based Routing (PBR) on a layer-three Cisco router.
The basic concept is to intercept HTTP requests coming from clients in the Quarantine VLAN, forward these requests to the router portion of a Linux server, and use this router to re-write the port number of the request in order to forward it to the Squid daemon running on the server. Squid then passes the URL to a redirector process which initiates a filter employing Access Control Lists (ACLs) to determine if the request should be allowed. If allowed, the URL is passed in the normal manner to Squid, which proxies the request to the web server. If the URL is not allowed, the URL itself is rewritten and passed back to Squid, which proxies the connection. However, before implementing such a strategy, be aware of the advantages and disadvantages listed below.

When an HTTP request is made from a client in the Quarantine VLAN, the following occurs:

A user opens a web browser and the browser attempts to access the configured home page. If the user's home page is set to the URL http://technet.microsoft.com/security/default.aspx, a DNS lookup is initiated from the client to the DNS server listed in the client's TCP/IP settings for the host technet in the domain microsoft.com. The IP address is correctly resolved and a TCP/IP connection to the website is attempted.

The client sends a TCP SYN request to port 80 that is intercepted by the network routing device. If the routing device is a layer-four switch, the request is forwarded to the Squid server (the switch rewrites the frame headers with the MAC address of the Squid server and forwards the frames out the port that the server is connected to). If the routing device is a layer-three Cisco router, the request is run through a route map configuration. If the request matches the ACL used to define the redirected traffic, it is forwarded to a next-hop IP address, namely the Squid server.

Once the packet has reached the Squid server, a packet filter is run on the request, and because the request is to an IP address that does not match the Squid server's IP address, the packet is forwarded to the Squid daemon for processing. This same packet filter may be used to re-write the request from a request for port 80 to a request for port 3128 (the default Squid port) or any other port you have configured Squid to listen on.

The Squid daemon accepts the incoming packet and sends an acknowledgement back to the client, spoofing the web server's IP address. Once the client and Squid server have completed the TCP handshake, the client sends an HTTP GET request for the user's home page:

    GET /security/default.aspx HTTP/1.1
    Host: technet.microsoft.com

The Squid process rebuilds the original URL using the Host header (http://technet.microsoft.com/security/default.aspx). This URL is passed to a redirector package (such as jesred or squidguard) which uses an ACL filter (basically a list of domains, URLs and/or regular expressions stored in a config file) to see if this domain is allowed. If it is, the request is forwarded and the Squid server will proxy the connection to the web server. If the filter does not match, the URL is rewritten to match the URL of the Portal server. The Squid server then proxies the connection to the Portal server.

What are the advantages and drawbacks of using transparent proxy interception?
Advantages

- Allows clients to access specific sites on the Internet (such as NAI.com and WindowsUpdate.Microsoft.Com) under the control of a proxy server while still redirecting hosts to the remediation portal.
- Allows remediation content to be fetched from the source; there is no need to pre-stage updates and content in the local LAN.
- URIs in the portal itself use normal name resolution and, when allowed on the proxy, are accessible in the normal manner.
- Administrators have the ability to allow or disallow other non-HTTP traffic access to the Internet.

Drawbacks

- Difficult configuration.
- Requires two server machines, one running Linux to act as the proxy and one running Windows to act as the Portal.
- May require Linux expertise.
- Requires moderate networking abilities.
- If a Cisco router is used in place of a layer-four switch, it will increase the CPU usage on the router, sometimes significantly.
- All websites not specifically allowed through the proxy server will be redirected to the portal. This is not a one-time captive portal in which only the initial web request is redirected to the portal.
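The following Python model is an added illustration of the DNS wildcard redirection flow described earlier; it is not part of the McAfee Policy Enforcer documentation or software. It models the Portal/DNS server (a root zone holding one wildcard CNAME per TLD plus a stub zone for the company domain), follows a browser request through resolution, and applies the portal's 404-to-remediation-page mapping. The zone name xyz1.local, the host names, the 194.12.96.x addresses and the list of portal paths are constructed to match the shape of the nslookup output in the setup procedure. Two consequences the text mentions fall out of the model: non-HTTP traffic to any foreign host also lands on the portal address, and a TLD that was never added to the root zone does not resolve at all, because the server is an authoritative root that never forwards.

```python
"""Model of DNS wildcard redirection (constructed example, not McAfee code)."""
from urllib.parse import urlsplit

PORTAL_FQDN = "remediation01.xyz1.local"   # constructed sample name
PORTAL_IP = "194.12.96.243"                # constructed sample address


class WildcardDns:
    """The Portal/DNS server: root (.) zone with a '* CNAME <portal FQDN>' entry
    per TLD, plus a stub zone that answers for the company's own domain."""

    def __init__(self, local_zone, local_hosts, tlds):
        self.local_zone = local_zone.lower()
        self.local_hosts = {k.lower(): v for k, v in local_hosts.items()}  # name -> A record
        self.tlds = {t.lower() for t in tlds}                                # TLDs with a wildcard

    def resolve(self, name):
        """Return (ip, alias) as the client sees it, or None when the query fails.
        alias is the CNAME target when the wildcard answered, otherwise None."""
        name = name.lower().rstrip(".")
        if "." not in name:                     # unqualified name: resolver appends the local suffix
            name = name + "." + self.local_zone
        if name == self.local_zone or name.endswith("." + self.local_zone):
            ip = self.local_hosts.get(name)    # stub zone: real answer from the company DNS
            return (ip, None) if ip else None
        tld = name.rsplit(".", 1)[-1]
        if tld in self.tlds:
            # wildcard CNAME in the TLD's domain; the target then resolves via the stub zone
            return (self.local_hosts[PORTAL_FQDN], PORTAL_FQDN)
        # Authoritative root, never forwards: a TLD that was not added simply fails.
        return None


# Paths that exist under the Tomcat webapps folder on the portal (constructed list).
PORTAL_PATHS = {"/Portal/default.htm", "/Portal/rescan.htm", "/Portal/styles.css"}


def portal_response(path):
    """Tomcat on the portal: existing paths are served; anything else is a 404,
    which the <error-page> mapping in web.xml turns into the remediation page."""
    if path in PORTAL_PATHS:
        return 200, path
    return 404, "/Portal/default.htm"


def browse(dns, url):
    """Follow one client request through name resolution and, if redirected, the portal."""
    parts = urlsplit(url)
    answer = dns.resolve(parts.hostname)
    if answer is None:
        return ("nxdomain",)
    ip, _alias = answer
    if ip != PORTAL_IP:
        return ("direct", ip, parts.path or "/")       # local host, reached normally
    if parts.scheme != "http":
        return ("portal-no-http", ip)                    # side effect: no service answers here
    status, served = portal_response(parts.path or "/")
    return ("portal", status, served)


def sample_server():
    """The configuration from the setup procedure, with constructed values."""
    return WildcardDns(
        local_zone="xyz1.local",
        local_hosts={"jan-dc01.xyz1.local": "194.12.96.2", PORTAL_FQDN: PORTAL_IP},
        tlds={"com", "net", "org", "uk", "de"},   # 'museum' deliberately left out
    )


if __name__ == "__main__":
    dns = sample_server()
    for q in ("jan-dc01", "www.microsoft.com", "ftp.example.museum"):
        print(q, "->", dns.resolve(q))
    for u in ("http://technet.microsoft.com/security/default.aspx",
              "http://jan-dc01.xyz1.local/updates/",
              "smtp://mail.example.net/"):
        print(u, "->", browse(dns, u))
```

Running it reproduces the two nslookup results from the test step (jan-dc01 gets its real address, www.microsoft.com becomes an alias for the portal) and shows why the portal's own hyperlinks must use either local names or raw IP addresses: any other name either lands back on the portal or, for a TLD missing from the root zone, fails to resolve.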
Setting up a browser redirection

You can set up a browser redirection that sends end users of noncompliant, unmanaged systems to the remediation portal the next time they open a browser after being quarantined. We recommend using one of the following methods of browser redirection:

- Setting up DNS wildcard redirection.
- Setting up transparent proxy interception.

Setting up DNS wildcard redirection

This installation requires knowledge of how to properly set up a DNS domain, and the ability to properly configure a DNS server.

1 Install, patch, and configure a Windows 2003 Server.

2 Install and configure DNS on this server. DNS must be configured as follows:

  a Create a forward lookup zone with a single period as the name of the zone (this implements a root server).

  b Create a second forward lookup zone as a stub zone, which points to the current DNS servers in the company.

  In the root zone (.), add the Top Level Domains (TLDs). Right-click on the root zone, click Add Domain, and add the list shown in the diagram as separate domains. In each of these domains, a single DNS wildcard entry is required that points to the Portal/DNS server:

      Host name = *
      Type = Alias (CNAME)
      Data = <FQDN of the remediation portal>

  The fully-qualified domain name (FQDN) of the remediation portal is obtained by browsing into the local domain's (mpe.local) stub zone and selecting the Name Server (NS) record of the portal server.

  A single DNS wildcard entry in the root domain is not possible on a Windows 2003 DNS Server, so separate entries must be created for each TLD. The current list of TLDs can be acquired from IANA at http://www.iana.org/gtld/gtld.htm. In addition to the generic TLDs, the two-character country codes may be added, especially if the domain in question spans countries. The current list of country codes can be found at http://www.iana.org/cctld/cctld-whois.htm.
  Test the DNS configuration by adding this Portal/DNS server's IP address to the DNS server settings (TCP/IP properties of the network connection) of one of your computers, and do nslookup queries to hosts in your local domain (the IP addresses should correspond to the actual IP addresses of those hosts), and queries to hosts outside of your network, such as www.microsoft.com (this query should return the IP address of your Portal/DNS server):

      C:\>nslookup jan-dc01
      Server:  remediation01.xyz1.local
      Address:  194.12.96.243

      Non-authoritative answer:
      Name:    jan-dc01.xyz1.local
      Address:  194.12.96.2

      C:\>nslookup www.microsoft.com
      Server:  remediation01.xyz1.local
      Address:  194.12.96.243

      Name:    remediation01.xyz1.local
      Address:  194.12.96.243
      Aliases:  www.microsoft.com
3 Install the MPE remediation portal as a standalone portal server on this DNS server.

4 Edit the web.xml file in the C:\Program Files\Common Files\McAfee\Tomcat\conf folder. Browse to the middle of the document, before the <servlet-mapping> tag. Before the <session-config> tag, add the following:

      <error-page>
        <error-code>404</error-code>
        <location>/portal/default.htm</location>
      </error-page>

5 Edit the default.htm and rescan.htm files located at C:\Program Files\Common Files\McAfee\Tomcat\webapps\Portal to change all relative href and src attributes to absolute ones by adding /Portal/ to the front of the value. For example, change the tag:

      <link href="styles.css" type="text/css" rel="stylesheet">

  to:

      <link href="/Portal/styles.css" type="text/css" rel="stylesheet">

6 Edit the DHCP scope options for the quarantine VLAN. On your DHCP server, find the scope serving the quarantine VLAN clients, and change the DNS server IP addresses to the IP address of the Portal/DNS server. Remove any WINS server IP addresses.

Setting up transparent proxy interception

Use the following procedure to set up the transparent proxy interception strategy.
1 Download the Linux distribution of your choice and the following packages:

  a squidguard (http://www.squidguard.org/)
  b IPTables (http://www.netfilter.org/)
  c Squid (http://www.squid-cache.org/)

2 Recompile Linux according to the directions found on Squid's home page:

  a General
      CONFIG_NET=y
      CONFIG_NET_FASTROUTE=n
      CONFIG_SYSCTL=y
  b Networking
      CONFIG_NETFILTER=y
      CONFIG_INET=y
      CONFIG_IP_NF_CONNTRACK=y
      CONFIG_IP_NF_IPTABLES=y
      CONFIG_IP_NF_NAT=y
      CONFIG_IP_NF_TARGET_REDIRECT=y
  c File System
      CONFIG_PROC_FS=y

3 Configure the operating system. In /etc/sysctl.conf:

      net.ipv4.ip_forward = 1

4 Create the IPTables rules that will forward packets to Squid, and save the rules to /etc/sysconfig/iptables (/sbin/service iptables save). The second rule is inserted ahead of the first so that requests addressed to the Squid/portal server itself are not redirected:

      iptables -t nat -A PREROUTING -i <interface> -p tcp --dport 80 -j REDIRECT --to-port 3128
      iptables -t nat -I PREROUTING -i <interface> -p tcp -d <ip address of squid/portal> --dport 80 -j ACCEPT

5 Configure Squid.

  a See http://squid.visolve.com/squid/squid24s1/contents.htm for more information.
  b squid.conf:

      httpd_accel_port 3128
      httpd_accel_host virtual
      httpd_accel_uses_host_header on
      httpd_accel_with_proxy on
      redirect_program /usr/local/squid/bin/

6 Configure squidguard.

  a See http://www.squidguard.org/config/ for information.
  b Define your domain and/or URL white lists and store them in the filesystem.
  c Define the ACL inside the conf file (the dest name must match the name used in the pass statement exactly):

      logdir /usr/local/squidguard/log
      dbhome /usr/local/squidguard/db

      dest whitelist {
          domainlist whitelist/domains
          urllist    whitelist/urls
      }

      acl {
          default {
              pass whitelist all
              redirect http://remediation01/portal/default.htm
          }
      }

7 Configure the Cisco switch:

      router(config)# ip access-list extended httptraffic
      router(config-ext-nacl)# permit tcp <quar ip subnet> any eq www
      router(config-ext-nacl)# deny ip any any
      router(config-ext-nacl)# exit
      router(config)# route-map wwwcapture permit 10
      router(config-route-map)# match ip address httptraffic
      router(config-route-map)# set ip default next-hop <ip address of the Squid server>
      router(config-route-map)# exit
      router(config)# int VLAN999   {interface of the quar vlan}
      router(config-if)# ip policy route-map wwwcapture
      router(config-if)# end
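As an added example, not part of the McAfee documentation, Squid or squidGuard, the following Python script is a minimal Squid redirect_program that applies the same policy as the squidguard ACL above (pass anything on the domain or URL whitelist, rewrite everything else to the portal). It speaks the classic Squid 2.x redirector protocol: Squid writes one line per request, "URL client_ip/fqdn ident method", and expects exactly one reply line, either the rewritten URL or an empty line meaning "leave the request alone". The whitelist contents, the client address and the remediation01 portal URL are constructed sample data; the path you would give to redirect_program (for example /usr/local/squid/bin/portal_redirect.py) is hypothetical.

```python
#!/usr/bin/env python3
"""Minimal Squid redirect_program with squidGuard-style pass/redirect semantics.
Constructed example; not part of McAfee Policy Enforcer, Squid or squidGuard."""
import sys
from urllib.parse import urlsplit

# Sample contents of whitelist/domains and whitelist/urls, embedded here as
# constructed data instead of being read from dbhome.
DOMAINS_FILE = """\
# one domain per line; matches the domain itself and every subdomain
nai.com
windowsupdate.microsoft.com
"""
URLS_FILE = """\
# scheme-less URL prefixes, as squidGuard urllists are written
download.microsoft.com/download/security
"""
PORTAL_URL = "http://remediation01/portal/default.htm"   # from the squidguard config above


def load_list(text):
    """Parse a squidGuard-style list: one entry per line, '#' comments, blanks ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip().lower()
        if line and not line.startswith("#"):
            entries.append(line)
    return entries


DOMAINS = load_list(DOMAINS_FILE)
URLS = load_list(URLS_FILE)


def allowed(url):
    """True when the request matches the domain list or the URL prefix list."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # domainlist: exact host or any subdomain; the leading dot stops evilnai.com matching nai.com
    if any(host == d or host.endswith("." + d) for d in DOMAINS):
        return True
    # urllist: compared without scheme, matching the entry and everything below it
    bare = host + parts.path
    return any(bare == u or bare.startswith(u.rstrip("/") + "/") for u in URLS)


def rewrite(line):
    """Handle one redirector-protocol line: 'URL client_ip/fqdn ident method'.
    Returns the URL Squid should fetch instead, or '' to keep the original."""
    fields = line.strip().split()
    if not fields:
        return ""
    url = fields[0]
    if allowed(url):
        return ""
    # Never rewrite requests for the portal itself, or the browser loops forever
    # between the portal page and its own stylesheets/images.
    if (urlsplit(url).hostname or "").lower() == urlsplit(PORTAL_URL).hostname:
        return ""
    return PORTAL_URL


def main():
    # Squid keeps the pipe open and sends one line per request, so each reply
    # must be written and flushed immediately or Squid stalls on that request.
    for line in sys.stdin:
        sys.stdout.write(rewrite(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

The explicit check for the portal host is the point to take away when using squidGuard instead: with the ACL shown above, the remediation01 host must itself be present in whitelist/domains, otherwise the portal's own pages are rewritten back to /portal/default.htm and the relative src and href fixes from the DNS procedure never get a chance to work.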