------- Original Message -------
On Tuesday, April 18th, 2023 at 8:38 AM, Ishak Micheil <isaa...@gmail.com> 
wrote:


> Greetings,
> I am tasked to identify a solution to detecting users obfuscating their IP,
> using a variety of VPN services.
> 
> What we've done
> - Prevent users from installing software (VPN Clients)
> 
> - Possibly having a code on endpoints, to collect IP addresses tied to wifi
> or LAN connection prior to attaching to VPN service,
> 
> any other ideas?


Some people want to debate this as some sort of political issue, but it's 
pretty straightforward. This usually is more of a concern at SMBs that don't 
want to splurge for company managed hardware and ask their employees to BYOD. 
This then creates anxiety among managers that gets projected down to IT. 

If you control the VDI system, then you have the ability to see who is 
connecting. At most companies the VPN software used to connect to the VDI is 
ALSO company managed, so you can see that too.

So, you log all accesses to the VPN on the server side and monitor for trends. 
You may not be able to stop an employee from giving out access credentials, but 
you can see when the IP address used to connect the VPN changes. From here, you 
implement Zero-trust policies where only known IP addresses are able to access 
the network because you know the IP address, but may not have logged it 
effectively until now.

There are additional layers of control you can add but it ultimately comes down 
to what a given company is willing to provide for their employees/contractors. 
I've worked with systems that would make the kind of subcontracting you 
describe very difficult but in those cases you end up with the employer buying 
a special wifi router for their staff. A lot of managers will ask for a magical 
fix without understanding how much effort it takes to lock this down. For us in 
IT sometimes we just need to map out all the things that would need to be 
implemented and assign a $$$ value to them. Most companies will decide not to 
bother at that point.


Think of it like an arms race: at what point does your user have to jump 
through so many hoops that the act of enabling a subcontractor becomes more 
work than the actual job? Or, we could be Ted and go off on abusive rants about 
how IT people are autistic for even considering this type of solution. ;)
-Ben


P.S.  Hey Denis, I would have posted this info sooner since it's a pretty 
interesting question but was discouraged from doing so because Ted was trying 
to shit on everyone. May the Facts be with me :)
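The server-side log review Ben describes (log every VPN login, flag when a user's source IP changes, and check it against the known networks you have on file) as an added example; this is not code from the thread, and the log line format, user names, networks and IP addresses are all constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample VPN server log (hypothetical format: timestamp, user, source IP, event)
SAMPLE_LOG = """\
2023-04-18T08:01:12Z user=alice src=203.0.113.10 event=login
2023-04-18T09:15:40Z user=bob src=198.51.100.22 event=login
2023-04-18T12:30:05Z user=alice src=203.0.113.10 event=login
2023-04-18T13:02:51Z user=alice src=192.0.2.77 event=login
2023-04-18T13:04:09Z user=bob src=198.51.100.22 event=login
"""

# Constructed allow-list: the office / home networks each user is known to connect from
KNOWN_NETWORKS = {
    "alice": [ip_network("203.0.113.0/24")],
    "bob": [ip_network("198.51.100.0/24")],
}

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) event=login$")


def parse_logins(text):
    """Yield (timestamp, user, source IP) for each login line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], m["user"], ip_address(m["src"])


def review_logins(text, known=KNOWN_NETWORKS):
    """Return findings as (timestamp, user, source IP, reason) tuples.

    Two checks per login: the source is outside every network on the user's
    allow-list, and the source differs from the user's previous login.
    """
    findings = []
    last_seen = {}  # user -> source IP of the previous login
    for ts, user, src in parse_logins(text):
        if not any(src in net for net in known.get(user, [])):
            findings.append((ts, user, str(src), "unknown_network"))
        if user in last_seen and last_seen[user] != src:
            findings.append((ts, user, str(src), f"ip_changed_from_{last_seen[user]}"))
        last_seen[user] = src
    return findings


if __name__ == "__main__":
    for finding in review_logins(SAMPLE_LOG):
        print(*finding)
```

Run over the constructed log, only alice's fourth login is reported, once for coming from a network not on her list and once for differing from her previous source IP.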
