BigFix Client Compliance Windows IPSec Framework
The "BigFix Client Compliance (IPSec Framework)" Fixlet site provides self-quarantine capabilities using the BigFix Client Compliance Extension. In this solution, the BES Client restricts or enables inbound and outbound network connectivity based on the compliance status of the computer, while still passing BES network traffic so that the computer can be managed through BES.
The following content is available in the "BigFix Client Compliance (IPSEC Framework)" Fixlet site:
Fixlet Messages
- IPSec - Automatically Quarantine New Clients: This Fixlet message ensures that when a new workstation computer or laptop first joins the network, it will be quarantined. This Fixlet message should be applied before any other IPSec Fixlet messages. It is recommended that you deploy this as a policy action to ensure that any new computers joining the network will be automatically quarantined until it can be determined that they are in compliance.
- IPSec - Determine Compliance: This Fixlet message will determine whether or not a client computer is in compliance with security standards specified within the installed compliance document. The Fixlet message will become relevant periodically (the current setting is every 5 minutes). It is recommended that you deploy this Fixlet as a policy action so that the compliance status of computers on the network will be periodically evaluated.
- IPSec - Quarantine Needed: If the computer in question is NOT in compliance and is NOT already in quarantine, then this Fixlet message will quarantine the computer, leaving ONLY the communication between the BES client and the BES server open. When you take this action from the BES console, use the options under the Message tab to send a notification message to users. It is recommended that you deploy this Fixlet message as a policy action.
- IPSec - Quarantine No Longer Needed: If a client computer is quarantined and it is in compliance, then this Fixlet will remove the computer from quarantine. When you take this action from the BES console, use the options under the Message tab to send a notification message to users. It is recommended you deploy this Fixlet message as a policy action.
Task
- IPSec - Quarantine Override: This task will take a computer out of quarantine regardless of its compliance status. This is meant to be a temporary measure to release a computer from quarantine. The first part of the action installs a compliance document containing one compliance expression that always evaluates to true, causing the client to be in compliance. The second part of the action takes the computer out of quarantine. This two-part action ensures that any policy actions already in effect will not return the computer to the quarantined state.
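To make the interaction between these policy actions concrete, here is an added Python model of the decision logic described above; it is constructed for this page and is not BigFix code or Relevance language. A client starts quarantined, a compliance document is a list of boolean expressions that must all hold, and the two-part override is the only release that the policy actions do not undo. The property names (av_running, patch_level) and the policy expressions are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# A compliance expression evaluates client properties to True/False.
Expression = Callable[[Dict[str, object]], bool]

# Constructed policy: the real compliance document is site-specific.
POLICY: List[Expression] = [
    lambda p: p["av_running"] is True,
    lambda p: int(p["patch_level"]) >= 7,
]

QUARANTINE = "IPSec - Quarantine Needed"
RELEASE = "IPSec - Quarantine No Longer Needed"

@dataclass
class Client:
    props: Dict[str, object]
    compliance_doc: List[Expression]
    quarantined: bool = True  # "Automatically Quarantine New Clients"

    def is_compliant(self) -> bool:
        # "Determine Compliance": every expression in the document must hold.
        return all(expr(self.props) for expr in self.compliance_doc)

def relevant_fixlets(c: Client) -> List[str]:
    """Policy Fixlets that would become relevant on the next evaluation."""
    compliant = c.is_compliant()
    if not compliant and not c.quarantined:
        return [QUARANTINE]
    if compliant and c.quarantined:
        return [RELEASE]
    return []  # statuses already consistent; nothing to do

def apply_policy_cycle(c: Client) -> List[str]:
    """One evaluation cycle: run whichever policy action is relevant."""
    fired = relevant_fixlets(c)
    if QUARANTINE in fired:
        c.quarantined = True
    if RELEASE in fired:
        c.quarantined = False
    return fired

def quarantine_override(c: Client) -> None:
    """Two-part override: install an always-true document, then release.
    Releasing alone would be undone by the Quarantine Needed policy."""
    c.compliance_doc = [lambda _p: True]
    c.quarantined = False
```

Running a cycle on a client that was released by hand while still non-compliant shows it being re-quarantined, whereas the override survives further cycles.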
Analysis
- IPSec - Compliance Evaluation Information: Retrieves the current compliance and quarantine statuses on computers with the BigFix Client Compliance Extension installed.
Note: The "Compliance Status" is calculated based on the results of the last compliance evaluation, while the "Quarantine Status" property is determined by the results of quarantine actions. A computer that is out of quarantine is not necessarily in compliance, and vice versa. If the compliance and quarantine statuses are inconsistent, make sure that your determine compliance and quarantine policy actions are set up correctly.
Note: Once a client computer has been quarantined, the BES console administrator should apply any necessary Fixlet messages or custom actions to bring that computer into compliance. At that time, the "IPSec - Quarantine No Longer Needed" Fixlet message will become relevant and the computer can be removed from quarantine. The BES console administrator can automate remediation and removal of computers from quarantine by deploying the appropriate Fixlet messages as policy actions.
Note: This Fixlet site is designed to be used in conjunction with the "BigFix Client Compliance (IPSEC Framework)" Fixlet site. More information about BigFix Client Compliance can be found here.