1E Quarantine

A description of the quarantine feature provided by the 1E Client and implemented by the Quarantine instructions in the 1E-Explorer-TachyonCore.zip product pack.

What is Quarantine?

On Windows, the 1E Client can block network communication to and from a target device. This is intended to be reserved for security breaches and other rare circumstances.

What will it do?

Quarantine blocks all network communication except to the 1E server(s). This lets a 1E administrator investigate the device and remove any malicious software while the device is isolated from the rest of the network.

Warning

Quarantined devices can contact only 1E. CRLChecks must be set to soft, because a quarantined device cannot reach CRL distribution points. Certificate expiry can cause the client to fail to connect to the switch. A client that loses its connection to 1E after being quarantined remains in quarantine, because the release instruction can only be delivered over that connection. Use this feature with care, and read this documentation carefully before use.

If the 1E Server has the 1E Client installed with client features enabled, the server can be quarantined like any other device. Exercise caution when scoping this action, and avoid targeting the server.

How do I quarantine a device?

Before you can use the Quarantine feature, you must upload the 1E-Explorer-TachyonCore.zip DEXPack. This pack contains many instructions, among which are the Quarantine instructions described below.

Instruction: Are my devices quarantined? Warning: Please read the description before use.
Description: This question returns a list of the devices in its scope and whether each one is quarantined.

Instruction: Quarantine selected devices. Warning: Please read the description before use.
Description: This action quarantines every device in the scope of the action. Do not run it without first restricting the scope to exactly the devices you intend to quarantine.

Instruction: Release selected devices from quarantine. Warning: Please read the description before use.
Description: This action releases every device in the scope of the action from quarantine.

Note

Each instruction carries a warning in its name. Quarantine is a powerful capability for use in extreme circumstances and should be used with care. We therefore recommend that Actioner permissions for these instructions be assigned only to specific users who have been told that the instructions must be used carefully.

Tip

If you used the 1E product pack deployment tool to upload the product pack, it will have created or updated an instruction set called 1E Explorer TachyonCore, containing the above instructions. You can move the Quarantine instructions into their own instruction set, for example one called High Security, and assign Actioner permissions for it to individual users or to a custom role.

What do I need to know before I quarantine a device?

Quarantine is available only on Windows, and is not available on Windows XP.

Quarantine requires that at least one switch URI and one background channel URI each resolve to IPv4 addresses.

Quarantine only works if the device's connection to the switch is over IPv4, because the quarantine mechanism disables IPv6 on the device.

The CRLChecks setting in the 1E Client configuration file must be set to soft.

Because a quarantined device can contact nothing but the 1E server, the 1E Client cannot download CRLs for the certificates it needs to validate.

CRLChecks can be set to hard, but the 1E Client will then lose its connection to the switch once the validity period of its cached CRL is exceeded, after which the device can no longer be released remotely.
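The prerequisites above (IPv4-resolvable switch and background channel URIs, an IPv4 connection to the switch, CRLChecks set to soft) can be checked on the target device before the Quarantine action is issued. The following PowerShell script is an added example, not 1E's own code. It assumes the 1E Client configuration file lives at C:\Program Files\1E\Client\1E.Client.conf, that the switch and background channel URIs are stored under the keys Switch and BackgroundChannelUrl, and that the client process is named 1E.Client; none of those details are confirmed by this page, so adjust them to match your installation. The URIs used when calling the check are constructed placeholders.

```powershell
# Added example: pre-quarantine readiness check for one Windows device.
# Assumed (not confirmed by the page): config path, the keys Switch and
# BackgroundChannelUrl, and the process name 1E.Client. CRLChecks is from the page.
$ConfigPath = 'C:\Program Files\1E\Client\1E.Client.conf'   # assumed location

function Read-ClientSetting {
    param([string]$Path, [string]$Key)
    if (-not (Test-Path $Path)) { return $null }
    # Treat the file as key=value lines; take the last match for the key.
    $line = Get-Content $Path | Where-Object { $_ -match "^\s*$Key\s*=" } | Select-Object -Last 1
    if ($line) { return ($line -split '=', 2)[1].Trim() }
    return $null
}

function Test-ResolvesToIPv4 {
    param([string]$Uri)
    $hostName = ([uri]$Uri).Host
    try {
        # Ask only for A records: quarantine disables IPv6, so AAAA answers do not help.
        $a = Resolve-DnsName -Name $hostName -Type A -ErrorAction Stop |
             Where-Object { $_.QueryType -eq 'A' }
        return [bool]$a
    } catch { return $false }
}

function Test-SwitchConnectionIsIPv4 {
    param([string]$ProcessName = '1E.Client')   # assumed process name
    $pids = (Get-Process -Name $ProcessName -ErrorAction SilentlyContinue).Id
    if (-not $pids) { return $false }
    $conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
             Where-Object { $pids -contains $_.OwningProcess }
    # True only if the client has at least one established connection over IPv4.
    return [bool]($conns | Where-Object {
        ([ipaddress]$_.RemoteAddress).AddressFamily -eq 'InterNetwork' })
}

function Test-QuarantineReadiness {
    param([string[]]$SwitchUris, [string[]]$BackgroundChannelUris)
    $problems = @()

    # 1. CRLChecks must be soft: the quarantined device cannot fetch CRLs.
    $crl = Read-ClientSetting -Path $ConfigPath -Key 'CRLChecks'
    if ($crl -ne 'soft') { $problems += "CRLChecks is '$crl' (expected 'soft')" }

    # 2. At least one switch URI and one background channel URI must resolve to IPv4.
    if (-not $SwitchUris)            { $SwitchUris            = @(Read-ClientSetting $ConfigPath 'Switch') }
    if (-not $BackgroundChannelUris) { $BackgroundChannelUris = @(Read-ClientSetting $ConfigPath 'BackgroundChannelUrl') }
    if (-not ($SwitchUris | Where-Object { $_ -and (Test-ResolvesToIPv4 $_) })) {
        $problems += 'no switch URI resolves to an IPv4 address'
    }
    if (-not ($BackgroundChannelUris | Where-Object { $_ -and (Test-ResolvesToIPv4 $_) })) {
        $problems += 'no background channel URI resolves to an IPv4 address'
    }

    # 3. The live connection to the switch must already be over IPv4.
    if (-not (Test-SwitchConnectionIsIPv4)) {
        $problems += 'the client has no established IPv4 connection (release would not be deliverable)'
    }

    return $problems   # empty means the device is ready to be quarantined
}

# Constructed placeholder URIs; replace with the real ones from your environment.
$issues = Test-QuarantineReadiness -SwitchUris @('https://tachyon.example.com:4000') `
                                   -BackgroundChannelUris @('https://tachyon.example.com:443')
if ($issues) { $issues | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host 'Device meets the quarantine prerequisites.'
```

Run the script as an administrator on the device before scoping it into the Quarantine selected devices action; a non-empty list of problems means the device is likely to end up quarantined with no way to deliver the release instruction.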

Quarantine persists until the device receives the Release selected devices from quarantine instruction.

If the 1E Client cannot connect to the 1E Server, that instruction cannot be delivered, so the device stays in quarantine.

Any changes to the routing tables, IPv6 bindings or the hosts file made during quarantine will be reverted when the Release selected devices from quarantine instruction is received.

If anything other than 1E deletes or modifies the client's persistent storage while the device is in quarantine, the client will not be able to release the device from quarantine properly.

Upgrading, uninstalling, installing or modifying the client installation during quarantine is not supported. Do not upgrade, uninstall or install the 1E Client, or issue an extensibility update, while the device is in quarantine.

After release from quarantine the IPv4 loopback address will not be resolvable until the device is restarted.

A quarantined device also cannot reach Domain Controllers, so interactive logon to the workstation may fail. Cached logons should still work.
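Because quarantine works by altering the routing table, IPv6 bindings and the hosts file, and release is supposed to revert those changes, it is worth recording the device's network state before quarantining it and comparing it after release. The PowerShell script below is an added example, not part of 1E's product; it uses only standard Windows cmdlets, stores the baseline under ProgramData at a path chosen for this example, and also checks the loopback-resolution caveat described above. It does not attempt to reproduce or undo the quarantine itself.

```powershell
# Added example: snapshot the network state that quarantine modifies, compare it after
# release, and report the post-release loopback caveat. Baseline path is this example's choice.
$HostsPath    = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$BaselinePath = Join-Path $env:ProgramData 'quarantine-baseline.xml'

function Get-NetworkStateSnapshot {
    [pscustomobject]@{
        Taken       = Get-Date
        # Routing table entries for both address families, normalised for comparison.
        Routes      = Get-NetRoute -ErrorAction SilentlyContinue |
                      Select-Object InterfaceIndex, DestinationPrefix, NextHop, AddressFamily |
                      Sort-Object AddressFamily, InterfaceIndex, DestinationPrefix, NextHop
        # Whether the IPv6 stack is bound on each adapter (quarantine disables IPv6).
        IPv6        = Get-NetAdapterBinding -ComponentID ms_tcpip6 -ErrorAction SilentlyContinue |
                      Select-Object Name, Enabled | Sort-Object Name
        # Content hash of the hosts file, which quarantine also edits.
        HostsSha256 = (Get-FileHash -Path $HostsPath -Algorithm SHA256).Hash
    }
}

function Compare-NetworkStateSnapshot {
    param($Before, $After)
    $findings = @()
    $routeDiff = Compare-Object $Before.Routes $After.Routes `
                   -Property InterfaceIndex, DestinationPrefix, NextHop, AddressFamily
    if ($routeDiff) {
        $findings += "routing table differs in $(@($routeDiff).Count) entries"
    }
    $v6Diff = Compare-Object $Before.IPv6 $After.IPv6 -Property Name, Enabled
    if ($v6Diff) {
        $names = ($v6Diff | Select-Object -ExpandProperty Name -Unique) -join ', '
        $findings += "IPv6 binding state differs on: $names"
    }
    if ($Before.HostsSha256 -ne $After.HostsSha256) {
        $findings += 'hosts file content differs'
    }
    return $findings   # empty means release restored the recorded state
}

function Test-LoopbackResolvable {
    # The page states the IPv4 loopback address is not resolvable after release until a reboot.
    try {
        $r = Resolve-DnsName -Name 'localhost' -Type A -ErrorAction Stop
        return [bool]($r | Where-Object { $_.IPAddress -eq '127.0.0.1' })
    } catch { return $false }
}

if (-not (Test-Path $BaselinePath)) {
    # First run: before issuing 'Quarantine selected devices'.
    Get-NetworkStateSnapshot | Export-Clixml -Path $BaselinePath
    Write-Host "Baseline recorded at $BaselinePath"
} else {
    # Second run: after 'Release selected devices from quarantine' has been applied.
    $before   = Import-Clixml -Path $BaselinePath
    $after    = Get-NetworkStateSnapshot
    $findings = Compare-NetworkStateSnapshot -Before $before -After $after
    if ($findings) {
        Write-Warning "State not fully reverted since $($before.Taken):"
        $findings | ForEach-Object { Write-Warning "  $_" }
    } else {
        Write-Host 'Routing table, IPv6 bindings and hosts file match the baseline.'
    }
    if (-not (Test-LoopbackResolvable)) {
        Write-Warning 'localhost does not resolve to 127.0.0.1; a restart is required.'
    }
    Remove-Item $BaselinePath
}
```

Run the script once as an administrator before the device is scoped into the Quarantine action and once more after the release instruction has been received. Any reported difference means the revert did not fully restore the recorded state (for example because the client's persistent storage was modified during quarantine) and should be reviewed before the device is returned to service.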