Configuring EndPoint Quarantine Feature
Solution

EndPoint Quarantine (EPQ), which uses Intel® AMT (Active Management Technology), enables the administrator to place the machine of a malicious user under quarantine whenever malicious activity, as defined by the security policy, takes place.

EPQ installs a security policy on the machine that is the source of the malicious activity. This policy restricts both inbound and outbound traffic to and from that machine. As a result, the machine is isolated from the rest of the network and is prevented from causing any further problems.

It is recommended to enable anti-spoofing to maximize security protection, because the quarantine decision is keyed on the source address of the logged traffic. Even with anti-spoofing enabled, however, if EPQ is active at the same time as the following protections, hosts that merely trigger them may be placed into quarantine:

  • All DOS protections, e.g. Teardrop

  • Packet sanity

  • Max ping size

  • IP fragment

  • Network quota

  • Small pmtu


Note: EPQ is supported on SecurePlatform and Linux platforms.

Configuring the EndPoint Quarantine Feature

Proceed as follows:

  • Edit the AMT.conf file.
    • Enable EndPoint Quarantine.

    • Configure Authentication Data.

    • Configure Quarantine Policy Data.

  • Encrypt the Password.

  • Configure the Malicious Activity Script that triggers the EndPoint Quarantine mechanism.

  • Configure Rule and SmartDefense Tracking to utilize the Malicious Activity Script.


Note: After completing the entire configuration process, install policy.

Edit the AMT.conf file

From the CLI, edit the AMT.conf file, located in the $FWDIR/conf folder. This file defines the actions to be performed on a network member that has initiated a malicious action.

Enable EndPoint Quarantine

  1. By default, EndPoint Quarantine is disabled. To enable the feature, in the AMT.conf file, change enable_amt from "false" to "true".
  2. Define the scope on which the feature is enabled. The feature can be enabled on a single host, on a network (an address range), or both. Delete whichever of the host or network entries you do not need.


See the example below:

----- Activate the feature by changing the flag to true and define the subnets the feature is enabled on.
----- (the shipped default is false; it is shown here already set to true)

:enable_amt (true)
----- AMT Quarantine can be activated on a host, on a network, or both; delete the entry you do not use
:apply_on (
:(host
:ipaddr (192.168.10.1)
)
:(network
:ipaddr_from (192.168.10.1)
:ipaddr_to (192.168.10.100)
)
)
:track (log)


Configure Authentication Data

  1. Define the authentication method. In VPN-1 Pro NGX R65, "no_tls" (clear text) is the default; with it, the AMT user name and password travel to the end-point unencrypted, so use it only where the path to the end-point is trusted. (You must upgrade in order to use the other options, "tls" and "mutual_tls".)

  2. You must specify a User Name and Password for the EndPoint (AMT) machine.


See the example below:

:authentication (

----- Define the authentication method using one of the following:
----- no_tls - clear text
----- tls - only server authentication
----- mutual_tls - client and server authentication
:method (no_tls)
----- Username and password are required for all methods
:user_name ("admin")
:user_pass ("Myadmin1!")
----- Server Certificate is only required when tls or mutual_tls is the chosen authentication method
:server_certificate (
:server_cert_name ("server certificate name")
:server_cert_path ("server certificate path")
)
----- Client Certificate is only relevant on Linux when mutual_tls is the chosen authentication method
:client_certificate (
:cert_name ("certificate name")
:cert_pass ("certificate pass")
)
)

Notes:

  • Server Certificate is only relevant on Linux, and is required when "tls" or "mutual_tls" is the chosen authentication method.

  • Client Certificate is only relevant on Linux, and is required when "mutual_tls" is the chosen authentication method.


Configure Quarantine Policy Data

  1. Every time that you change the Quarantine Policy, you must also change the Policy Version. The Policy Version syntax is "HHmmDDMM", i.e., the hour, minutes, day and month of the change; for example, "23121912" is 23:12 on 19 December.

  2. It is strongly recommended not to change the default policy name ("CP_Qua"). If for some reason you must change it, the new name must begin with "CP_" and, like the default, cannot exceed six characters in total; after the prefix only letters are permitted. Numbers and other characters are not permitted.

  3. Define the rules for incoming traffic, i.e., traffic directed to the machine that initiated the malicious activity. The Source IP specification (address plus address_mask) can represent one or more machines.

  3. Define the rules for incoming traffic, i.e., traffic directed to the machine that initiated the malicious activity. The Source IP specification can represent one or more machines.

  4. Define the rules for outgoing traffic, i.e., traffic directed from the machine that initiated the malicious activity. The Destination IP specification can represent one or more machines.


Notes:

  • Each incoming rule must have a corresponding outgoing rule.

  • You can configure up to 29 rules for incoming traffic and up to 29 rules for outgoing traffic.


See the example below:

:quarantine_policy_data (

:policy_name ("CP_Qua")
----- Format for the policy version is HHmmDDMM (hour, minutes, day, month)
:policy_ver ("23121912")
----- Define the rules for traffic directed to the machine initiating the malicious activity
:incoming (
:1 (
:name ("dns")
:service (
:protocol (udp) # tcp / udp
:port (53)
)
:address ("10.16.70.5")
:address_mask ("255.255.255.0")
)
:2 (
:name ("ftp")
:service (
:protocol (tcp) # the FTP control connection is TCP
:port (21)
)
:address ("10.16.70.5")
:address_mask ("255.255.255.0")
)
)
----- Define the rules for traffic flowing from the machine initiating the malicious activity
:outgoing (
:1 (
:name ("dns")
:service (
:protocol (udp) # tcp / udp
:port (53)
)
:address ("10.16.70.5")
:address_mask ("255.255.255.0")
)
:2 (
:name ("ftp")
:service (
:protocol (tcp)
:port (21)
)
:address ("10.16.70.5")
:address_mask ("255.255.255.0")
)
)
)
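The constraints above (policy name beginning with "CP_" and at most six characters, a fresh HHmmDDMM policy version after every change, at most 29 rules per direction, an outgoing rule for every incoming rule, and a quarantine scope defined by apply_on) are easy to get wrong when editing AMT.conf by hand, and the gateway gives no feedback until policy is installed. The following Python script is an added example, not part of this article and not a Check Point tool: it parses the colon/parenthesis layout shown in the AMT.conf excerpts above, checks those constraints, produces a new policy_ver, and reports whether a given source address would fall inside the configured scope. The embedded configuration is constructed from the excerpts above (with FTP as TCP); the parser handles only the constructs those excerpts use, and treating a "corresponding" outgoing rule as one with the same name, protocol and port is an assumption of the example.

```python
import re
from datetime import datetime
from ipaddress import ip_address

MAX_RULES = 29                                        # per direction, as stated in the notes above
_LEAF = re.compile(r'^:(\w*)\s*\((.*)\)\s*(#.*)?$')  # ':key (value)' plus optional '# comment'
_OPEN = re.compile(r'^:(\w*)\s*\(\s*(\w*)\s*$')      # ':key (' or the unnamed ':(host' form

def parse_set(text):
    """Parse the colon/parenthesis layout of AMT.conf into nested (key, value) lists."""
    stack = [[]]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('-----', '#')):   # '-----' lines are file comments
            continue
        if line == ')':
            stack.pop()
        elif _LEAF.match(line):
            key, value = _LEAF.match(line).group(1, 2)
            stack[-1].append((key, value.strip().strip('"')))
        elif _OPEN.match(line):                          # free-text lines that match neither are ignored
            named, tag = _OPEN.match(line).groups()
            child = []
            stack[-1].append((named or tag, child))
            stack.append(child)
    if len(stack) != 1:
        raise ValueError('unbalanced parentheses in AMT.conf')
    return stack[0]

def get(section, key, default=None):   # first value stored under key in a parsed section
    return next((v for k, v in section if k == key), default)

def new_policy_version(when=None):     # policy_ver in HHmmDDMM form; set a new one after every change
    return (when or datetime.now()).strftime('%H%M%d%m')

def _signature(rule):   # 'corresponding' rules are taken to share name, protocol and port (assumption)
    service = get(rule, 'service', [])
    return (get(rule, 'name'), get(service, 'protocol'), get(service, 'port'))

def check_policy(conf):
    """Return the violations found in quarantine_policy_data ([] when the section is clean)."""
    problems = []
    pol = get(conf, 'quarantine_policy_data', [])
    name = get(pol, 'policy_name', '')
    if not (name.startswith('CP_') and len(name) <= 6 and name[3:].isalpha()):
        problems.append('policy_name must be CP_ plus letters, six characters at most: %r' % name)
    ver = get(pol, 'policy_ver', '')
    try:
        datetime.strptime(ver, '%H%M%d%m')            # also rejects impossible hours, days and months
    except ValueError:
        problems.append('policy_ver is not HHmmDDMM: %r' % ver)
    rules = {d: get(pol, d, []) for d in ('incoming', 'outgoing')}
    for direction, lst in rules.items():
        if len(lst) > MAX_RULES:
            problems.append('%s has %d rules, limit is %d' % (direction, len(lst), MAX_RULES))
    outgoing = {_signature(r) for _, r in rules['outgoing']}
    for _, r in rules['incoming']:
        if _signature(r) not in outgoing:
            problems.append('incoming rule %r has no corresponding outgoing rule' % get(r, 'name'))
    return problems

def would_quarantine(conf, ip):
    """True when EPQ is enabled and ip lies in an apply_on host entry or ipaddr_from..ipaddr_to range."""
    if get(conf, 'enable_amt') != 'true':
        return False
    addr = ip_address(ip)
    for kind, entry in get(conf, 'apply_on', []):
        if kind == 'host' and ip_address(get(entry, 'ipaddr')) == addr:
            return True
        if kind == 'network' and \
                ip_address(get(entry, 'ipaddr_from')) <= addr <= ip_address(get(entry, 'ipaddr_to')):
            return True
    return False

def _rule(num, name, proto, port, server='10.16.70.5'):   # one rule block, constructed sample data
    return (':%d (\n:name ("%s")\n:service (\n:protocol (%s)\n:port (%d)\n)\n'
            ':address ("%s")\n:address_mask ("255.255.255.0")\n)\n' % (num, name, proto, port, server))

# Constructed AMT.conf excerpt laid out like the examples above: feature enabled, one host and one
# address range in scope, DNS and FTP rules present in both directions.
SAMPLE_CONF = """\
:enable_amt (true)
:apply_on (
:(host
:ipaddr (192.168.10.1)
)
:(network
:ipaddr_from (192.168.10.1)
:ipaddr_to (192.168.10.100)
)
)
:quarantine_policy_data (
:policy_name ("CP_Qua")
:policy_ver ("23121912")
:incoming (
""" + _rule(1, 'dns', 'udp', 53) + _rule(2, 'ftp', 'tcp', 21) + """)
:outgoing (
""" + _rule(1, 'dns', 'udp', 53) + _rule(2, 'ftp', 'tcp', 21) + """)
)
"""
```

Run it against a real file with `check_policy(parse_set(open('/path/to/AMT.conf').read()))` before installing policy; an empty list means the section passes the checks this script knows about, and `would_quarantine(conf, '<attacker ip>')` tells you whether an address reported in a log would actually be inside the apply_on scope.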


Encrypt the Password

After the AMT.conf file is configured and saved, run the following command:

epq -o set_password

Run this command exactly once. It replaces the clear-text value of user_pass in AMT.conf with an encrypted form so that the password is no longer stored or displayed in clear. Do not run it again once the password is already encrypted.

Note: Keep a copy of the password in a safe place (for example, a password manager) before you run the command; there is no undo option, and the clear-text value cannot be recovered from the file afterwards.

Configure the Malicious Activity Script that triggers the EndPoint Quarantine mechanism

After configuring the EndPoint Quarantine mechanism (described previously), you must configure the Malicious Activity Script that triggers the EndPoint Quarantine mechanism.

The sam_alert tool executes FW-1 SAM (Suspicious Activity Monitoring) actions according to the log record it receives on standard input from the log mechanism. It is used here to execute FW-1 SAMv2 actions from the user-defined alerts mechanism.

Note: SAMv2 is used in both the VPN-1 Pro and Interspect products. The "q" (quarantine) action argument is only used in Interspect.

Usage

sam_alert [-O] [-S] [-t timeout] [-f target] [-n name] [-c comment] [-o originator] [-l r|a] -a d|r|n|b|q|i [-C] -ip -eth -src -dst -srv -any

The following table describes the arguments for this command.

Argument         Description
-O               Prints the input of this tool to Standard output (for pipes).
-S               Specifies the SAM server to be contacted. The default value is "localhost".
-t timeout       Sets the time period (in seconds) for which the action will be enforced. The default value is "forever".
-f target        Indicates the firewalls on which to run the operation. The default value is "All".
-n name          Fills in the SAM name field. The default value is "empty".
-c comment       Fills in the SAM comment field. The default value is "empty".
-o originator    Fills in the SAM originator field. The default value is "sam_alert".
-l r|a           Log to issue for connections matching the specified criteria: r (regular) or a (alert). The default value is "None".
-a d|r|n|b|q|i   Action to apply to connections matching the specified criteria: d (drop), r (reject), n (notify), b (bypass), q (quarantine) or i (inspect).
-C               Closes all existing connections that match the criteria.
-ip              Uses IP addresses as criteria parameters.
-eth             Uses MAC addresses as criteria parameters.
-src             Matches the source address of connections.
-dst             Matches the destination address of connections.
-srv             Matches specific source, destination, protocol and service.
-any             Matches either the source or destination address of connections.



Configuration

Proceed as follows:

  1. In SmartDashboard, click 'Policy > Global Properties > Log and Alert > Alert Commands'.

  2. In one of the unused "Run UserDefined script" fields, enter the script command. For example:

    sam_alert -v2 -a r -t 60 -ip -src

    Note: Keep in mind the following points:
    • The feature only works in the VPN-1 Pro product if the action (-a) is r (reject) or d (drop).

    • -t 60 (the enforcement period, in seconds) can be changed to suit your environment.

    • -ip -src selects the IP source address of the logged connection as the criterion, so that only the host that sent the malicious traffic is blocked, not the host it was sent to.


Configure Rule and SmartDefense Tracking to utilize the Malicious Activity Script

You must specify use of your "sam_alert" UserDefined script in the TRACK field of each Rule or SmartDefense Protection that is to utilize the Malicious Activity Script.

The "sam_alert" UserDefined script is run when a malicious action is logged. The script triggers activation of the EndPoint Quarantine mechanism.

Quarantine a Machine Manually

In general, EndPoint Quarantine is run automatically. You can, however, also manually quarantine a machine.

To do so run the following command in the CLI of the VPN-1 Pro machine:

epq -o < status | list | is_amt | enable | disable [-l lastPolicyHandle] > -i AMTdeviceIP [policyFileName]

The following table describes the arguments for this command.

Argument            Description
status              Displays the status of the policies and rules.
list                Lists the quarantined end-point computers.
is_amt              Checks whether the machine has AMT.
enable              Activates the policy.
disable             Deactivates the policy being enforced.
-l lastPolicyHandle Indicates the last known policy to be activated.
-i AMTdeviceIP      Indicates the IP address of the end-point computer you want to quarantine.
policyFileName      Indicates the name of the file containing the policy you want to enforce (the default is $FWDIR/conf/AMT.conf).
