Isolating endpoints

Tanium Quarantine 3.1.0

With Tanium™ Quarantine you can isolate a Windows, Linux, or Mac endpoint that shows evidence of compromise or other suspicious activity. Use Quarantine to apply, remove, and test for quarantine.

When an endpoint is quarantined, only approved traffic is allowed on the quarantined endpoint. By default, this traffic is allowed only: 

  • Between the Tanium Client on the quarantined endpoint and Tanium Server over port 17472.
  • For essential traffic that is necessary to obtain and resolve IP addresses (DHCP/DNS).

Quarantine includes a safety feature that automatically reverses a quarantine policy that was applied by the tool. After a quarantine policy is applied, the effect of the policy is logged. If the endpoint is able to communicate with Tanium Server, Quarantine logs the successful application of the policy. If a policy prevents the endpoint from communicating with Tanium Server, Quarantine backs out the policy and saves logs in the action folder.

Before you begin

Test the quarantine policy in a lab environment before deploying the policy. Do not apply a policy until its behavior is known and predictable. Incorrectly configured policies can block access to the Tanium Server.

  • Install the Tanium Quarantine solution. For more information, see Install Quarantine.
  • You must have a Content Administrator account for Tanium Console. For more information, see Tanium Core Platform User Guide: Managing Roles.
  • Identify the traffic that is required when an endpoint is under quarantine.

  • You must have a lab machine on your target platform (Windows, Linux, or Mac) on which you can test the quarantine policies. You must be able to physically access the machine or to access it using RDP (Windows) or SSH (Linux, Mac).
  • You must have access to the endpoint that you want to quarantine through a sensor or saved question in the Tanium Console.

Endpoint operating system requirements

Supported Windows versions

  • Windows XP
  • Windows 7
  • Windows 8.1
  • Windows 10
  • Windows Server 2003
  • Windows Server 2008
  • Windows Server 2012

Supported Linux OS versions

  • RedHat/CentOS 5 IPTables on SYSV
  • RedHat/CentOS 6 IPTables on SYSV
  • RedHat/CentOS 7 Firewalld on Systemd
  • Ubuntu 12,14 UFW on Upstart
  • Ubuntu 15 UFW on Upstart/Systemd

Supported Mac OS versions

  • OSX 10.9 - Mavericks
  • OSX 10.10 - Yosemite
  • OSX 10.11 - El Capitan
  • OSX 10.12 - Sierra

OSX 10.8 - Mountain Lion and earlier releases are based on ipfirewall (IPFW) and are not supported.

Configure Windows endpoints

The Apply Windows IPsec Quarantine package uses Windows IPsec policies to quarantine the endpoint. You can also add custom rules and options; for more information, see Create custom quarantine rules.

You cannot use Windows IPsec Quarantine on networks where a domain IPsec policy is already enforced.

Check that the IPsec Policy Agent service is running on the endpoints

Optionally, you can verify that the IPsec Policy Agent is listed as a running service in Windows.

  1. In Tanium™ Interact, ask the question: Get Service Details containing "PolicyAgent" from all machines with Service Details containing "PolicyAgent"
  2. In the table that gets returned, check the results in the following columns.
    • Service Status: Running or Stopped
    • Service Startup Mode: Manual or Automatic
  3. If necessary, drill down into the results to determine which endpoints do not have the IPsec Policy Agent running.

(Windows XP only) Deploy quarantine tools

The Quarantine Tools Pack includes a Microsoft policy that IPsec Quarantine uses to quarantine endpoints that are running Microsoft Windows XP. Versions of Microsoft Windows later than Windows XP apply IPsec policy natively and do not require the tool pack.

To find endpoints that require the quarantine tools pack:

  1. From the Tanium Console, open the Quarantine dashboard.
  2. Click Needs Quarantine Tools Pack (XP only), and select the Windows XP-based endpoints that require the tool pack.
  3. Select Deploy Action. The package wizard opens.
  4. Select Distribute Quarantine Tools. The tool pack is deployed to the selected endpoints.

Configure Linux endpoints

The Apply Linux IPTables Quarantine package quarantines endpoints that are running Linux-based operating systems that support the use of the iptables module.

Verify that endpoints are not using Network Manager

Linux IPTables Quarantine checks to ensure that the iptables module is installed and disables the use of the Network Manager module on endpoints that are targeted for quarantine.

You can check for Linux-based endpoints that are running Network Manager by using the Linux Network Manager sensor to determine if Network Manager is enabled. In Interact, type network manager to find the sensor. This sensor has no parameters.

Configure Mac endpoints

The Apply Mac PF Quarantine package quarantines endpoints that are running Mac OS X operating systems that support the use of Packet Filter (PF) rules. This package creates packet filter rules that isolate endpoints by eliminating communication with network resources. Packet Filter (PF) software must be installed on endpoints that are targeted for quarantine.

Test quarantine on lab endpoints

By default, the quarantine on the lab endpoint blocks all communication except with the Tanium Server. You can configure custom rules to define allowed traffic direction, allowed IP addresses, ports, and protocols. For more information about how to create and deploy custom rules, see Create custom quarantine rules.

Do not quarantine without testing the rules configuration in the lab.

  1. Target computers for quarantine.
    1. In Tanium Console, use the Is Windows, Is Linux, or Is Mac sensor to locate an endpoint to quarantine.
    2. Select the entry for True, and click Drill Down.

    3. On the saved questions page, select Computer Name and click Load.

      A Computer Names list displays the names of all computers that are running the selected OS.

    4. Select the lab endpoint as a target and click Deploy Action.

  2. In the Deployment Package field, type the name of the quarantine package that you want to deploy: 
    • Apply Windows IPsec Quarantine
    • Apply Linux IPTables Quarantine
    • Apply Mac PF Quarantine

  3. (Optional) Define quarantine rules and options.
    For more information about quarantine rules, see Create custom quarantine rules.
    • If you already attached a taniumquarantine.dat file to the package you are deploying, you do not need to make any other configurations.
    • Otherwise, select Override Config to apply custom rules to the action.
    • If you are using the options and rules in this package deployment, select any options that you want to enable and enter your custom quarantine rules into the Custom Quarantine Rules field.
  4. Click Show Preview to Continue to preview the targeting criteria for the action. Click Deploy Action.
  5. Verify quarantine of the targeted lab endpoint.

    Confirm that the computer has no available means of communication to resources other than Tanium Server and any endpoints that you configured in custom quarantine rules.

    You can use RDP (Windows), SSH (Linux/Mac), the Ping network utility, or a similar means to confirm that communication is blocked. By default, the only traffic that the quarantine allows is between the Tanium Client on the quarantined computer and the Tanium Server over port 17472. If the computer is a server that must allow connections to name servers, verify that those connections are allowed to pass through.

  6. Verify the visibility of the quarantined computer to Tanium Server.
    1. Target the lab computer with a question or sensor.
    2. Check the sensor results for the visibility of the quarantined computer.
    3. On the Quarantine dashboard, click Isolated Machines. A single computer is listed with a Yes on the Quarantine: Isolated Machines page.

Action folders are located under the Tanium Client installation folder on the endpoint, usually <Tanium Client>\Downloads\Action_XXXX.log.

Remove quarantine

Deploy the Remove Windows IPsec Quarantine, Remove Mac PF Quarantine, or Remove Linux IPTables Quarantine package to the endpoint to remove the quarantine from the computer. Use RDP (Windows), SSH (Mac/Linux), the Ping utility, or another method to confirm the removal of the quarantine and the normal communication of the test computer.

Create custom quarantine rules

Quarantine rules and options define allowed traffic direction, allowed IP addresses, ports, and protocols. All other traffic is blocked. These rules are in the same format for Windows, Linux and Mac. For custom quarantine rule syntax, see Reference: Custom rules and options.

If you do not define any quarantine rules, the default values are used, which gives the quarantined endpoint access only to the Tanium Server and permits DNS/DHCP traffic.

If you previously provided a Windows IPsec policy file in earlier versions of Quarantine, the IPsec policy overrides the custom quarantine rules.

Test the quarantine policy in a lab environment before deploying the policy. Do not apply a policy until its behavior is known and predictable. Incorrectly configured policies can block access to the Tanium Server.

Options for deploying custom quarantine rules and options

You can define quarantine rules and options by either attaching a configuration file to the package, or by selecting options in the Tanium Console when you deploy a quarantine action.

Attach configuration file to package

You can attach a taniumquarantine.dat configuration file that defines quarantine rules and options to either a new package or the existing Quarantine packages. Then push that package out to the endpoints. For an example taniumquarantine.dat file, see Reference: Custom rules examples.

  1. From the Main Menu, go to Authoring > Packages.
  2. You can either create a new package, or edit one of the existing Quarantine packages: 
    • Apply Windows IPsec Quarantine
    • Apply Mac PF Quarantine
    • Apply Linux IPTables Quarantine

  3. Update the taniumquarantine.dat file.
    1. To download the current file, click Download.
    2. Remove the file that is currently in the package.
    3. Click Add to upload the updated taniumquarantine.dat file.
  4. Click Save to save the updates to the package.

Select options in user interface when you deploy Quarantine actions

When you deploy the Apply Windows IPsec Quarantine, Apply Mac PF Quarantine, or Apply Linux IPTables Quarantine actions, you can define the quarantine rules and options as a part of that action. For more information, see Test quarantine on lab endpoints.

Reference: Custom rules and options

Custom rules format

The format for custom rules is not case sensitive. You can separate rules with a pipe (|) or put each rule on a new line. Trailing white spaces are not supported. This format is used for both the configuration file and in the user interface.

Direction:Protocol:IPAddress:CIDR:Port
#Comment

Direction

Valid values: IN or OUT
Specifies whether incoming or outgoing traffic is allowed.

Protocol

Valid values: ICMP, TCP, UDP
If you specify ICMP, all ICMP traffic (regardless of type or code) is allowed to and from the specified addresses. This is a limitation of IPsec, which does not filter ICMP types or codes; that filtering is done by ADVFirewall.

IPAddress

Specifies any IPv4 address or you can use ANY for all.

CIDR

Valid values: 0-32 or undefined
Subnet masks in dotted decimal format are not permitted in the input file. Undefined (blank) is the same as 32 and matches the IP address only.

Port

Valid values: 0-65535 or undefined
Leave undefined (blank) to permit all ports. Ranges are not currently supported, only individual ports or all ports can be defined.

When using the Custom Quarantine Rules parameter in the package, the total length must be 1100 characters or less. If you need more characters, use a custom DAT file.

Quarantine options

You can configure quarantine options in a configuration file or in the deploy action user interface when you quarantine an endpoint.

Configuration file format

OPTION:OptionName:OptionValue

Options

Each option is listed below by its name on the Deploy Action screen in Tanium Console, its name in the configuration file, and its description.

Allow All DHCP / AllDHCP
  Set to true to allow DHCP traffic to any server.
  Default: true

Allow All DNS / AllDNS
  Set to true to allow DNS traffic to any destination.
  Default: true

N/A / CurrentDNS
  Set to true to allow DNS traffic to only the current DNS server.
  Default: false

Allow All Tanium Servers / TaniumServers
  Set to true to allow Tanium traffic to the Tanium Servers that are defined in your ServerList or Servers configuration on the Tanium Client.
  Default: true

Allow Alternate Tanium Servers / ALTTS
  Specify the alternate Tanium Server names or other IP addresses. For example, use this option when you want to avoid using DNS during Quarantine. When the endpoint is removed from quarantine, the original Tanium Server is restored.
  Separate entries with a comma, or leave empty for no alternates.

Validate Tanium Server Availability / CheckTS
  Set to true to validate that the Tanium Server can be reached on the Tanium port. If this validation fails, the rules are backed out.
  Default: true

VPN Servers / VPNSERVERS
  Specify the VPN servers to automatically create rules for, as a comma-separated list. Adding servers creates rules for each host as follows: IP:50/51, UDP:500, 4500 TCP/UDP:443
  Default: NO VPNServers

Notification Message / Notify
  Specify a string message to notify the user that the system is being quarantined.
  The message limit is 255 characters. Certain characters are not allowed, such as ($), (!), (`), (‘), (*), and some characters require escapes, such as (\"). Work with your TAM to test any special characters before using them in production.
  Default: No notification

Reference: Custom rules examples

Example for Custom Quarantine Rules field

IN:UDP:10.0.0.21:32:161|OUT:UDP:10.0.0.21:32:162

This example defines two rules:

  • Allow SNMP queries (UDP port 161) from another device at 10.0.0.21.
  • Allow SNMP traps (UDP port 162) to be sent to a device at 10.0.0.21.

taniumquarantine.dat sample file

For DAT files, each entry must be on one line; you cannot use pipe (|) characters to combine lines. Trailing white spaces are not supported.

#Allow ICMP out to a specific IP Address
OUT:ICMP:192.168.10.15::0
#Allow ICMP in from a specific IP Address
IN:ICMP:192.168.20.10:32:0
#Allow TCP port 80 in from a class C subnet
IN:TCP:192.168.1.0:24:80
#Allow UDP port 161 in from a specific IP Address
IN:UDP:10.0.0.21:32:161
#Allow HTTPS (tcp 443) out to a specific class B subnet
OUT:TCP:192.168.0.0:16:443
OPTION:ALLDNS:TRUE
OPTION:CURRENTDNS:FALSE
OPTION:ALLDHCP:TRUE
OPTION:TANIUMSERVERS:TRUE
OPTION:CHECKTS:TRUE
OPTION:NOTIFY:This Device has been Quarantined

Last updated: 6/12/2018 10:26 AM