RE: Solved? - Web Redirect with an "exception" to go to windowsupdate.com??
Michael,
I've tested your configuration here (we use Symantec as well). Both
Symantec LiveUpdates and Windows Updates appear to be working just fine.
Initially I had some problems because my earlier configuration did not
have the *.akamai.net matching rule. What happened is that Windows Update
worked until I actually requested a download of updates. The
PacketShaper was not allowing the actual downloads to work -- I assume
that is where akamai comes into play.
Even after I made the rule changes, I still had problems. But after an
hour or so, the problem cleared up and things worked as I hoped.
Probably, some of my old classes needed to timeout on the PacketShaper.
The only oddity that I have found is that on Windows 2000, under the
Windows Update browser window, below the "Pick updates to install" option,
if I click on "Windows 2000", I get an "Action canceled" frame back in the
browser window -- instead of a list of downloadable updates. If I take
the IP address of the system out of the security hostlist, this process
works normally. Fortunately, Windows XP does NOT have this problem.
I am not particularly worried about this issue with Windows 2000, since I
am primarily concerned about users grabbing the "Critical Updates and
Service Packs", not the optional software updates for the particular OS.
However, it might cause some confusion to some of our users.
If someone could verify this, it would be helpful. The problem is easily
reproducible for me.
We've also used an expect script (generated simply by using autoexpect) to
control the contents of the hostlist on the PacketShaper via SSH (add and
remove IPs). We then built a mySQL database to store IP addresses
associated with reasons for blocking student/staff/faculty IPs; e.g. Nachi
worm, Blank Admin Passwords, and RIAA notices.
We are testing this currently, but we are looking at allowing students
from our redirect page to access a web front end to the mySQL database to
remove themselves from the security hostlist, after they enter their
username/password --- after agreeing to take action to fix their problem.
The page we present to folks after they've been removed from the security
hostlist is this:
https://cf.wm.edu/security/index.cfm
This is the same page we use for the redirects, but we determine the
content of the page by examining the IP address of the client. For
example, in the Blank Admin Passwords case, we tell the clients that they
have blank admin passwords with instructions on how to change them to
something secure.
RIAA notices are quite handy for this. It requires that the student enter
her user credentials, giving us some extra accountability. Plus it frees
us from always having to manually take folks out of the security list.
There have been some cases where this has been abused, but we've generally
found students to be quite cooperative once they know that problems have
been identified with their computers.
Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
chmorl@wm.edu
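As an added example (not Clarke's script or database), the following Python models the workflow he describes: a table of blocked IPs with their reasons, the `hl add security <ip>` command the expect script sends to the PacketShaper, redirect-page content chosen by client IP, and self-service removal only after login and agreement. The `hl remove` command, the sqlite3 stand-in for the MySQL database, and all IPs and page texts are assumptions.

```python
import ipaddress
import sqlite3

# Constructed sample data: the block reasons named in the thread, each mapped to the
# text the redirect page shows for that reason. The site used MySQL behind a web
# front end; an in-memory sqlite3 database stands in here so the example runs offline.
REASON_PAGES = {
    "nachi-worm": "Your computer appears to be infected with the Nachi worm.",
    "blank-admin-password": "Your computer has a blank administrator password.",
    "riaa-notice": "We have received a copyright (RIAA) notice for this address.",
}

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE blocked (ip TEXT PRIMARY KEY, reason TEXT NOT NULL)")
    db.execute("CREATE TABLE audit (ip TEXT, action TEXT, username TEXT)")
    return db

def block(db, ip, reason):
    """Record why an IP is blocked and return the PacketShaper CLI command to add it."""
    ip = str(ipaddress.ip_address(ip))  # validate before anything is sent to the shaper
    if reason not in REASON_PAGES:
        raise ValueError(f"unknown block reason: {reason}")
    db.execute("INSERT OR REPLACE INTO blocked VALUES (?, ?)", (ip, reason))
    db.execute("INSERT INTO audit VALUES (?, 'add', 'netops')", (ip,))
    return f"hl add security {ip}"  # the command quoted in the thread

def redirect_page(db, client_ip):
    """Pick the redirect page content from the client's IP, as the redirect page does."""
    ip = str(ipaddress.ip_address(client_ip))
    row = db.execute("SELECT reason FROM blocked WHERE ip = ?", (ip,)).fetchone()
    return REASON_PAGES[row[0]] if row else None

def self_remove(db, client_ip, username, agreed):
    """Self-service removal: only after login and agreeing to fix the problem.
    Returns the CLI command for the expect script, or None if nothing should be sent."""
    ip = str(ipaddress.ip_address(client_ip))
    if not username or not agreed:
        return None
    if db.execute("SELECT 1 FROM blocked WHERE ip = ?", (ip,)).fetchone() is None:
        return None
    db.execute("DELETE FROM blocked WHERE ip = ?", (ip,))
    db.execute("INSERT INTO audit VALUES (?, 'remove', ?)", (ip, username))
    # 'hl remove' is an assumption: only 'hl add security <ip>' appears in the thread
    return f"hl remove security {ip}"

def audit_trail(db, ip):
    """Who added or removed this IP; the accountability the credentials provide."""
    ip = str(ipaddress.ip_address(ip))
    return db.execute("SELECT action, username FROM audit WHERE ip = ?", (ip,)).fetchall()
```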
------------------------------------------------------------------------------
Date: Thu, 11 Dec 2003 15:19:10 -0500
From: "Lang, Michael" <mike.lang@uconn.edu>
To: packeteer-edu@lists.stanford.edu
Cc: chmorl@wm.edu
Subject: Solved? - Web Redirect with an "exception" to go to windowsupdate.com??
Hi all,
I think I have a working solution for those of us trying to make a web redirect with an exception to let through windows update. I'm now looking for anyone to help test/try it. I have this working now for two weeks with no complaints... so far.
-- Directions --
For Inbound side:
1 - Create a class named 'Security' with protocol 'IP' and bind a host list named 'security' on the inside.
2 - Create a Security child class (click on security then add class) named 'SSL' and select the 'SSL' protocol. Add an exception policy to this.
3 - Create a Security child class named 'pass-through'. My class has 5 matching rules to allow windows update and symantec (we use their antivirus). The matching rules are for the 'http (web)' protocol, 'Outside Location' and have a criterion 'Host DNS Name or IP Address' with the following hosts:
*.microsoft.com
*.akamai.net
*.windowsupdate.com
*.symantec.com
*.symantecliveupdate.com
This should make one class with 5 matching rules.
4 - Create a Security child class named 'HTTP-redirect' with protocol 'http (web)' for location any. Add a never admit policy and ask web traffic to 'web-redirect' to a URL on the inside of the PacketShaper that is a web page that you create explaining that hosts have been blocked from the Internet.
5 - Add a discard policy to the 'Default' child class of 'Security'
For Outbound side:
1 - Copy the Security class with children from the Inbound to the outbound.
2 - Remove the 'never-admit' policy from the 'HTTP-redirect' child class.
Usage:
Our PacketShaper sits between UConn LANs and the Internet. We use the process above to block hosts with security problems from the Internet, and redirect their web traffic to a page that tells them that they have a security issue and how to get in touch with the help desk. When we detect a security problem with an IP, we add that IP to the security host list (hl add security <ip> [from telnet]). The next time they browse the web they are automatically sent to this page:
http://turkey.uits.uconn.edu/stop/
They have the following limitations while their IP is in the host list:
1 - all http requests are redirected to the page above.
2 - any requests to microsoft sites, windows update or symantec (including liveupdate) still work.
3 - all ssl traffic to the Internet is allowed. (Could be a potential security problem but the only way I can currently make it work.)
4 - all other IP traffic to/from the host/internet is discarded to the shaper bit bucket!
Tech note:
The SSL child class with exception is required to be there to make windowsupdate work. Part of the way windowsupdate works is through ssl and its server location is dynamic. Let all ssl through.
I'm attaching an image of what my similar packetshaper config looks like.
Please share your success / issues! Have fun!
- Mike
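As an added example (not Mike's configuration or anything from Packeteer), this Python models the Security class tree in the directions above so the resulting behaviour for a flow can be checked: SSL exception first, then the five pass-through host rules, then HTTP-redirect (never-admit only on the inbound copy), and discard for everything else. The wildcard semantics (Unix fnmatch, so a bare apex name does not match `*.example`) and the sample IPs are assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# The five 'Host DNS Name or IP Address' matching rules from the pass-through class.
PASS_THROUGH_HOSTS = ["*.microsoft.com", "*.akamai.net", "*.windowsupdate.com",
                      "*.symantec.com", "*.symantecliveupdate.com"]

@dataclass(frozen=True)
class Flow:
    src_ip: str        # inside host (the side the 'security' host list is bound to)
    protocol: str      # "http", "ssl", or anything else ("smtp", "dns", ...)
    host: str = ""     # HTTP Host header / DNS name, only meaningful for "http"

def host_matches(host, patterns):
    """fnmatch-style wildcard match (assumed semantics, not PacketShaper's).
    Note that '*' also spans dots, so '*.akamai.net' admits every Akamai-served
    name, and a bare 'windowsupdate.com' does not match '*.windowsupdate.com'."""
    host = host.lower().rstrip(".")
    return any(fnmatchcase(host, p.lower()) for p in patterns)

def classify(flow, security_hostlist, direction="inbound"):
    """Return (class, policy) the Security tree applies to one flow.
    direction: 'inbound' keeps the never-admit policy on HTTP-redirect,
    'outbound' is the copy with never-admit removed (step 2 of the outbound side)."""
    if flow.src_ip not in security_hostlist:
        return ("not-Security", "normal")          # host is not blocked at all
    if flow.protocol == "ssl":
        return ("Security/SSL", "exception")        # needed for Windows Update
    if flow.protocol == "http" and host_matches(flow.host, PASS_THROUGH_HOSTS):
        return ("Security/pass-through", "pass")    # Microsoft / Akamai / Symantec
    if flow.protocol == "http":
        policy = "never-admit + web-redirect" if direction == "inbound" else "web-redirect"
        return ("Security/HTTP-redirect", policy)   # sent to the 'stop' page
    return ("Security/Default", "discard")          # everything else: bit bucket

def check_blocked_host(hostlist, src_ip):
    """Summarise the four limitations the post lists, for one blocked IP."""
    return {
        "web": classify(Flow(src_ip, "http", "www.example.com"), hostlist)[1],
        "windows-update": classify(Flow(src_ip, "http", "download.windowsupdate.com"), hostlist)[1],
        "ssl": classify(Flow(src_ip, "ssl"), hostlist)[1],
        "other-ip": classify(Flow(src_ip, "smtp"), hostlist)[1],
    }
```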
-++**==--++**==--++**==--++**==--++**==--++**==--++**==--++**==--++**
This message was posted through the Stanford mailing list server. To
subscribe/unsubscribe, send email to majordomo@lists.stanford.edu
with "subscribe packeteer-edu" or "unsubscribe packeteer-edu" as the body. Archive
is at http://www.stanford.edu/group/networking/netlists/