Quarantined Networks
NOTE: Enter a range of ports as follows: 10.0.16.100:53:65
Determining Accessible Services Example
Determining which services to add in the Accessible services area can be tricky. This section details the
steps used to determine all of the accessible services required to allow a quarantined endpoint to access
the Windows Update service and retrieve the required service packs and/or hotfixes.
The following setup is used for this example:
● An endpoint that is currently quarantined, or uses the Sentriant AG ES as its DNS server
● SSH access to the Sentriant AG ES
● Access to the Sentriant AG MS console (user interface)
● Access to the endpoint trying to access the Windows Update service
To determine the required accessible services:
1 Log into the ES using an SSH client such as PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html) as root.
2 Enter the following command:
tcpdump -i eth0 -s0 port 53 and host 172.21.20.20
Where:
host is the endpoint
You can also use the tcpdump -w flag to output this to a file and view with WireShark (http://www.wireshark.org/).
3 Log into the endpoint, open a browser window, and attempt to go to the Windows Update page (http://update.microsoft.com). Data is produced in the SSH window to the ES.
4 In the SSH window to the ES, the tcpdump output for this example was as follows:
16:20:22.551309 IP 172.21.20.20.2586 > SA00.domain: 49734+ A? windowsupdate.microsoft.com. (45)
16:20:22.552492 IP SA00.domain > 172.21.20.20.2586: 49734 NXDomain* 0/1/0 (96)
16:20:50.529861 IP 172.21.20.20.2586 > SA00.domain: 40773+ A? windowsupdate.microsoft.com. (45)
16:20:50.531469 IP SA00.domain > 172.21.20.20.2586: 40773 NXDomain* 0/1/0 (96)
5 Log into the Sentriant AG MS console using an administrator account.
204 Sentriant AG Users' Guide, Version 5.0
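A worked example of the analysis the procedure leaves to the reader: given the tcpdump DNS lines from step 4, pair each query with its reply by client port and transaction ID, and list the names the ES answered with NXDomain, since those are the candidates for the Accessible services list. This is added example code, not part of the Sentriant AG guide or product. It assumes that an NXDomain reply from the ES to a quarantined endpoint means the name is not yet an accessible service; the sample input is the four capture lines from step 4 joined back onto single lines plus one constructed successful lookup (update.example.com). It also validates the host:start:end port-range form given in the NOTE above.

```python
import re
from collections import defaultdict

# Constructed sample: the four tcpdump lines from step 4 of the procedure, each
# joined back onto one line, plus one constructed successful answer so that both
# outcomes (refused and resolved) appear in the output.
SAMPLE_CAPTURE = """\
16:20:22.551309 IP 172.21.20.20.2586 > SA00.domain: 49734+ A? windowsupdate.microsoft.com. (45)
16:20:22.552492 IP SA00.domain > 172.21.20.20.2586: 49734 NXDomain* 0/1/0 (96)
16:20:50.529861 IP 172.21.20.20.2586 > SA00.domain: 40773+ A? windowsupdate.microsoft.com. (45)
16:20:50.531469 IP SA00.domain > 172.21.20.20.2586: 40773 NXDomain* 0/1/0 (96)
16:21:03.100000 IP 172.21.20.20.2587 > SA00.domain: 51200+ A? update.example.com. (36)
16:21:03.101500 IP SA00.domain > 172.21.20.20.2587: 51200 1/0/0 A 192.0.2.10 (52)
"""

# tcpdump's DNS summary: "<id>[+%] <qtype>? <name>. (<len>)" for a query and
# "<id>[ <rcode>][*] <an>/<ns>/<ar> ..." for a reply.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<id>\d+)[+%]* (?P<qtype>[A-Z]+)\? (?P<name>\S+?)\.? \(\d+\)$"
)
RESPONSE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<id>\d+)(?: (?P<rcode>NXDomain|ServFail|Refused|FormErr|NotImp))?\*? "
    r"(?P<counts>\d+/\d+/\d+)"
)


def parse_capture(text):
    """Parse tcpdump DNS lines into query/response records; other lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = QUERY_RE.match(line)
        if m:
            client, _, port = m["src"].rpartition(".")  # "172.21.20.20.2586" -> ip, port
            records.append({"kind": "query", "client": client, "port": port,
                            "id": int(m["id"]), "qtype": m["qtype"], "name": m["name"]})
            continue
        m = RESPONSE_RE.match(line)
        if m:
            client, _, port = m["dst"].rpartition(".")
            records.append({"kind": "response", "client": client, "port": port,
                            "id": int(m["id"]), "rcode": m["rcode"] or "NoError"})
    return records


def resolution_results(text):
    """Pair each query with its reply by (client, source port, transaction id).
    Returns {name: set of rcodes}; a query with no reply is recorded as 'NoReply'."""
    pending = {}
    results = defaultdict(set)
    for rec in parse_capture(text):
        key = (rec["client"], rec["port"], rec["id"])
        if rec["kind"] == "query":
            pending[key] = rec["name"]
        elif key in pending:
            results[pending.pop(key)].add(rec["rcode"])
    for name in pending.values():
        results[name].add("NoReply")
    return dict(results)


def names_to_add(text):
    """Names the quarantined endpoint asked for and the ES refused with NXDomain.
    Assumption for this example: those are the names still missing from the
    Accessible services list."""
    return sorted(n for n, codes in resolution_results(text).items() if "NXDomain" in codes)


PORT_RANGE_RE = re.compile(r"^(?P<host>[^:\s]+):(?P<start>\d+):(?P<end>\d+)$")


def parse_port_range(entry):
    """Validate an accessible-service entry in the guide's host:start:end form
    (for example 10.0.16.100:53:65) and return (host, start, end)."""
    m = PORT_RANGE_RE.match(entry)
    if not m:
        raise ValueError(f"expected host:start:end, got {entry!r}")
    start, end = int(m["start"]), int(m["end"])
    if not 1 <= start <= end <= 65535:
        raise ValueError(f"port range out of order or out of bounds: {entry!r}")
    return m["host"], start, end


if __name__ == "__main__":
    for name, codes in sorted(resolution_results(SAMPLE_CAPTURE).items()):
        print(f"{name:40} {', '.join(sorted(codes))}")
    print("candidates for Accessible services:", names_to_add(SAMPLE_CAPTURE))
    print(parse_port_range("10.0.16.100:53:65"))
```

To use it on a real capture, save the tcpdump output from step 4 to a file (or write a pcap with -w and export the DNS summary from Wireshark) and pass its contents to names_to_add; repeat the capture after adding each name, because the Windows Update page typically fans out to further hostnames once the first one resolves.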