Determining Accessible Services Example - HP 800 User Manual

Quarantined Networks

Determining Accessible Services Example

7-6
Determining Accessible Services
Example
Determining which services to add in the Accessible services area can be
tricky. This section details the steps used to determine all of the accessible
services required to allow a quarantined endpoint to access the Windows
Update service and retrieve the required service packs and/or hotfixes.
The following setup is used for this example:
An endpoint that is currently quarantined, or uses the NAC 800 ES as
■
its DNS server
■ SSH access to the NAC 800 ES
■ Access to the NAC 800 MS console (user interface)
Access to the endpoint trying to access the Windows Update service
■
To determine the required accessible services:
1. Log into as root to the ES using an SSH client such as PuTTY
www.chiark.greenend.org.uk/~sgtatham/putty/download.html).
2. Enter the following command:
tcpdump -i eth0 -s0 port 53 and host 172.21.20.20
Where:
host is the endpoint
You can also use the -w flag to output this to a file and view with WireShark
(http://www.wireshark.org/).
3. Log into the endpoint, open a browser window, and attempt to go to the
Windows Update page (http://update.microsoft.com). Data is produced in
the SSH window to the ES.
4. In the SSH window to the ES, the tcpdump for this example was as
follows:
16:20:22.551309 IP 172.21.20.20.2586 > SA00.domain:
49734+ A? windowsupdate.microsoft.com. (45)
16:20:22.552492 IP SA00.domain > 172.21.20.20.2586:
49734 NXDomain* 0/1/0 (96)
(http://