On Fri, 2009-11-06 at 15:19 +0800, mark [at] edgewire wrote: > There's no way of stopping a determined user that wants to bypass > whatever filters or red tape you have in place really but if you're > able to restrict most of the users, would you say no to it? There's > not a single solution to deploy where people can't find a way to use > another device, at least not that I know of. Maybe you could shed some > light on it instead of just pointing out that the MAC address can be > spoofed and would you expect your average run of the mill user know > how to spoof MAC addresses?
We're talking a VPN client here. The "MAC address" that your system will look at to determine if the client is valid is just some bytes in an IP packet. If OpenConnect/vpnc/whatever wants to it can spoof it. You don't need intelligent users. That's the "problem" with this NAC concept: The system only works if you trust your software client. And you have no reason to trust it. IMHO security should not be based on things like these. OTOH I personally think that the situation is fine; NAC/whatever prevents Jane and John Doe from accidentially causing unintended damage through neglect. But it also allows the geeks to connect even though they might not have the same concept of what a valid computing device is. If my companys "policies" on computers were enforced (and some are acutally trying to do just that) I would be forced to use systems that wouldn't let me do things the way I like. Enforced policy => I find another place to work. -- Peter _______________________________________________ cisco-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
