The remediation server is the component from which policy attributes (such as firewall rule sets, welcome messages, and bitmaps) and the client software components required for updates can be obtained. It can run on the same Barracuda NG Firewall system as the SHV or, for load balancing, be spread across several Barracuda NG Firewall systems.

The SHV and the remediation server must always remain reachable by all endpoints, regardless of the currently active firewall rule set.

How does the client know at which address the SHV service component can be reached? There are two options. The first is that the respective addresses are configured statically in the client configuration on the endpoint. This approach is mandatory if DHCP-based address assignment is not used.

With DHCP-based address assignment, the respective address or addresses are assigned to the client by way of the vendor ID DHCP option (43).

DHCP is also used to distinguish the organization's own endpoint systems, which have the NG client installed, from so-called guest systems. Because guest systems cannot communicate with the SHV, they are not assigned any SHV addresses. Based on the DHCP user ID option sent by the client, a DHCP server can assign an address from a pool on a separate subnet.

Note that while a skilled human attacker can easily circumvent this approach to gain network access, worms and other malware of limited intelligence located on visitors' notebooks are typically prevented from quickly spreading into the principal network.
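As an added example (not Barracuda's own code), the following Python models the DHCP-based assignment described above: option 43 carries the SHV address list to managed endpoints, while the user class sent by the client steers guests to a separate pool with no SHV addresses. The option 43 sub-option layout, the sub-option code, the user class string and the pool addresses are assumptions; this page does not document the NG client's actual encoding.

```python
import ipaddress

# All of the following are assumptions for this example, not documented Barracuda values.
SHV_SUBOPTION = 1                    # hypothetical sub-option code carrying SHV addresses
MANAGED_USER_CLASS = b"BarracudaNG"  # hypothetical user class string sent by the NG client
MANAGED_POOL = ipaddress.ip_network("10.10.0.0/24")   # constructed pool for own endpoints
GUEST_POOL = ipaddress.ip_network("10.99.0.0/24")     # constructed pool on a separate subnet


def encode_option43(shv_addresses):
    """Pack the SHV address list as one RFC 2132 encapsulated sub-option (code, len, data)."""
    data = b"".join(ipaddress.IPv4Address(a).packed for a in shv_addresses)
    return bytes([SHV_SUBOPTION, len(data)]) + data + b"\xff"  # 0xff ends the sub-option list


def decode_option43(payload):
    """Client side: walk the sub-option TLVs and return the SHV addresses found."""
    addrs, i = [], 0
    while i < len(payload) and payload[i] != 0xFF:
        if i + 1 >= len(payload):
            raise ValueError("truncated option 43 sub-option header")
        code, length = payload[i], payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option 43 sub-option data")
        if code == SHV_SUBOPTION:
            if length % 4:
                raise ValueError("SHV sub-option length is not a multiple of 4")
            addrs += [str(ipaddress.IPv4Address(data[j:j + 4])) for j in range(0, length, 4)]
        i += 2 + length  # skip unrelated vendor sub-options
    return addrs


def build_offer(user_class, shv_addresses, host_index):
    """Server side: a managed endpoint gets the managed pool plus option 43 with the SHV
    list; a guest gets the separate pool and no SHV addresses, since it cannot use them."""
    if user_class == MANAGED_USER_CLASS:
        return {"yiaddr": str(MANAGED_POOL[host_index]),
                "option43": encode_option43(shv_addresses)}
    return {"yiaddr": str(GUEST_POOL[host_index]), "option43": None}


def client_shv_addresses(offer):
    """What the NG client learns from the offer: SHV addresses, or none for a guest lease."""
    return [] if offer["option43"] is None else decode_option43(offer["option43"])


if __name__ == "__main__":
    shvs = ["10.10.0.1", "10.10.0.2"]  # constructed SHV addresses
    print(client_shv_addresses(build_offer(MANAGED_USER_CLASS, shvs, 20)))  # ['10.10.0.1', '10.10.0.2']
    print(client_shv_addresses(build_offer(b"", shvs, 20)))                 # []
```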

In this LAN scenario, up to three firewall rule sets can be assigned to a secured and monitored endpoint. When the endpoint system goes online and connects to the SHV, it is assigned a "local machine" rule set and a "limited access" rule set. The limited access rule set is the one that comes into effect when the endpoint is diagnosed as unhealthy by the SHV. Note that the quarantine state is not entered immediately: there is a configurable period of time during which the client is given a chance to recover from the current condition, for example by successfully starting a disabled anti-virus (AV) scanner service or updating an obsolete AV pattern file.

As soon as a user logs into the system, a different policy may apply to the endpoint, depending on the identity of the user and various other conditions. The assigned policy attributes may in due course cause a different, so-called "current user" rule set to be assigned. In contrast to the previous two, this rule set is volatile: it is cleared when the user logs off or the system is rebooted.

Consequently, a notebook that has been used in the office environment and is taken home in the evening will operate there with the most recently installed "local machine" firewall rule set.

Any endpoint whose system state is assessed as unhealthy will have the most recently installed "limited access" rule set activated by the NG client after a configurable grace period.

Barracuda NG Network Access Client can also be used to secure mobile desktops connecting to the corporate LAN through the internet. To this end, NG NAP provides an integrated VPN client, which establishes a secure connection to a Barracuda NG VPN Service. The NG Network Access Monitor then communicates through the VPN tunnel with the responsible SHV. From this point on, the overall procedure is closely analogous to the LAN scenario. The most notable difference is that the VPN server fully controls the virtual connection, so traffic within the VPN network's collision domain is also fully subject to the NG Network Access Control framework. This tighter control also requires that the remediation service component be active on the very same Barracuda NG Firewall system that hosts the VPN Service.

In the LAN context, certain policy attributes together with a "current user" rule set are assigned. This setup supports a maximum of three different firewall rule sets. The rationale behind this

7 Barracuda NG Network Access Client - Administrator’s Guide

Barracuda Networks VERSION SP4 manual Barracuda NG Network Access Client Administrator’s Guide