Educause Security Discussion mailing list archives

Re: what sites do you make available from quarantine network for remediation


From: Cal Frye <cjf () CALFRYE COM>
Date: Tue, 28 Apr 2009 14:37:36 -0400

Jeff Kell wrote:
> We do it via a captive portal - the DNS server resolves selected
> zones/names, and points everything else to the captive portal IP.
>
> It's not IP-based (if that is what you were looking for).

And that's a great virtue. Windows Update is Akamaized, so keeping a
list of valid IP addresses for the most basic Windows patches is a
never-ending chore. Better to permit wildcard domains such as
*.microsoft.com or the like, if you can.

Our implementation of Cisco Clean Access is rather old, and basically I
permit quarantined machines access to much of the Internet, blocking
specific ports like 25, and most things UDP to be kind. We also block
access to most addresses on campus, so providing an incentive to get the
machine cleaned up and back online.

Don't let the perfect become the enemy of the good in this case (from
Voltaire).

--
Celebrating the 150th anniversary of the publication of the Origin of
Species.
-- Cal Frye, Network Administrator, Oberlin College
   Mudd Library, x.56930 -- CIT will NEVER ask you for your password!

   www.calfrye.com,  www.pitalabs.com

"Art is the only way to run away without leaving home." -- Twyla Tharp
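
The DNS side of the captive-portal quarantine Jeff describes, as an added example that is not code from either poster: names under allowlisted zones (written with or without a leading `*.`) resolve normally so a quarantined host can still reach Windows Update, and every other name is answered with the portal's address. The zone list, portal IP and upstream answers are constructed sample values; the match is done on whole labels, with the naive suffix test kept alongside to show why that matters.

```python
# Added example (not from the thread): DNS policy for a remediation network.
# Allowlisted zones resolve normally; everything else gets the portal IP.
# Zones, portal address and upstream answers are constructed sample values.

PORTAL_IP = "192.0.2.10"  # constructed: the captive portal's address

# Zones may be written with or without a leading "*." wildcard.
ALLOWED_ZONES = ["*.microsoft.com", "*.windowsupdate.com", "update.microsoft.com"]

# Constructed stand-in for the real upstream resolver.
FAKE_UPSTREAM = {
    "download.windowsupdate.com": "203.0.113.5",
    "www.example.com": "203.0.113.99",
}


def normalize(name):
    """Lower-case, drop a trailing dot and any leading '*.' wildcard."""
    name = name.rstrip(".").lower()
    return name[2:] if name.startswith("*.") else name


def in_allowed_zone(qname, zones=ALLOWED_ZONES):
    """True if qname is an allowlisted zone apex or a name beneath it.

    The comparison is on whole labels: "evilmicrosoft.com" must not
    match "microsoft.com", which a bare string-suffix test would allow.
    """
    name = normalize(qname)
    return any(name == z or name.endswith("." + z)
               for z in (normalize(zone) for zone in zones))


def naive_suffix_match(qname, zones=ALLOWED_ZONES):
    """The buggy variant for comparison: plain suffix test, no label check."""
    name = normalize(qname)
    return any(name.endswith(normalize(zone)) for zone in zones)


def fake_upstream(qname):
    """Constructed upstream lookup; None where the sample table has no entry."""
    return FAKE_UPSTREAM.get(normalize(qname))


def answer(qname, upstream=fake_upstream):
    """Address a quarantined client receives for qname under this policy."""
    return upstream(qname) if in_allowed_zone(qname) else PORTAL_IP
```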
