Re: [c-nsp] Restricting VPN connections to company hardware?
My understanding is the Cisco VPN (IPSEC) client doesn't have the host integration features that are available in the AnyConnect client (yet). One of the reasons we are doing SSL VPN on ASA is to be able to do the host profiling and do the IT Approved / Other dynamic access policies. You can do a combination of checks that match up to your 'approved' devices. In our case, non-IT standard systems have to run Secure Desktop sessions and only get WebVPN. IT standard systems get AnyConnect with full IP tunneling.

Again, as folks have said - you are trusting the end client software to do the right thing. So don't expect this to keep out 'the smart kids'. You can cycle through checks and do MD5s, but if someone is motivated and wants to reverse the checks they can spoof it. At that point you just need to back up policy with HR walking someone from the building, and have some way to audit to catch the smart kids who really should know better but think the Corp IT folks are fools. :)

-James

Scott Granados wrote:
_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Restricting VPN connections to company hardware?
I haven't read up on the cert authentication much, but what stops the user from moving the cert file to another un-approved device (per the original question)? All you are doing is two-factor at that point - user but not host based checking, correct?

-James

Matthew White wrote:
Re: [c-nsp] Restricting VPN connections to company hardware?
Why is it not possible to check it against the MAC address of the connecting device? Log incoming connections and their MAC address and match it against a list of hardware that has been assigned to the users.

On 06-Nov-2009, at 10:00 AM, James Michael Keller wrote:
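The audit James mentions above (log who connects from what, and match it against the hardware assigned to each user, as mark suggests) could be run over session logs like this. This is an added example, not code from the thread or from Cisco: the log format, field names and device inventory are constructed assumptions, not real ASA syslog output, and the host/OS fields are whatever the client reports, so this is an audit trail to back policy, not an enforcement control.

```python
import re
from collections import defaultdict

# Constructed sample VPN session log lines (assumed format, not ASA syslog).
# host= and os= are what the client reports at login, so they can be faked;
# the point is to spot users whose sessions come from devices they were
# never assigned, not to block them at connect time.
SAMPLE_LOG = """\
2009-11-05 08:01:12 user=jdoe host=CORP-LT-0412 os=Windows-XP src=203.0.113.5
2009-11-05 12:40:03 user=jdoe host=CORP-LT-0412 os=Windows-XP src=203.0.113.5
2009-11-05 19:22:51 user=jdoe host=Johns-iPhone os=iPhone-OS src=198.51.100.7
2009-11-05 09:15:00 user=asmith host=CORP-LT-0391 os=Windows-XP src=192.0.2.44
2009-11-05 21:05:17 user=asmith host=HOME-PC os=Windows-Vista src=192.0.2.44
"""

# Constructed asset inventory: hardware assigned to each user.
ASSIGNED = {"jdoe": {"CORP-LT-0412"}, "asmith": {"CORP-LT-0391"}}

LINE_RE = re.compile(r"user=(\S+) host=(\S+) os=(\S+) src=(\S+)")


def parse_sessions(text):
    """Yield (user, host, os, src) tuples from the log text; skip junk lines."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groups()


def audit(text, assigned):
    """Return {user: sorted [(host, os), ...]} for devices not assigned to
    that user. Users with no unexpected devices are left out; a user with no
    inventory entry at all has every device reported."""
    seen = defaultdict(set)
    for user, host, os_name, _src in parse_sessions(text):
        seen[user].add((host, os_name))
    findings = {}
    for user, devices in seen.items():
        unexpected = sorted(d for d in devices if d[0] not in assigned.get(user, set()))
        if unexpected:
            findings[user] = unexpected
    return findings


if __name__ == "__main__":
    for user, devices in audit(SAMPLE_LOG, ASSIGNED).items():
        print(f"{user}: connected from non-assigned device(s) {devices}")
```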
Re: [c-nsp] Restricting VPN connections to company hardware?
On Fri, 2009-11-06 at 11:10 +0800, mark [at] edgewire wrote:
> Why is it not possible to check it against the MAC address of the
> connecting device? Log incoming connections and their MAC address and
> match it against a list of hardware that has been assigned to the users.

Please state how you expect this not to be spoofed. :-)

-- 
Peter
Re: [c-nsp] Restricting VPN connections to company hardware?
There's no way of stopping a determined user that wants to bypass whatever filters or red tape you have in place really, but if you're able to restrict most of the users, would you say no to it? There's not a single solution to deploy where people can't find a way to use another device, at least not that I know of. Maybe you could shed some light on it instead of just pointing out that the MAC address can be spoofed, and would you expect your average run of the mill user to know how to spoof MAC addresses?

On 06-Nov-2009, at 3:12 PM, Peter Rathlev wrote:
> On Fri, 2009-11-06 at 11:10 +0800, mark [at] edgewire wrote:
> > Why is it not possible to check it against the MAC address of the
> > connecting device? Log incoming connections and their MAC address and
> > match it against a list of hardware that has been assigned to the users.
>
> Please state how you expect this not to be spoofed. :-)
>
> -- 
> Peter
Re: [c-nsp] Restricting VPN connections to company hardware?
On Fri, 2009-11-06 at 15:19 +0800, mark [at] edgewire wrote:
> There's no way of stopping a determined user that wants to bypass
> whatever filters or red tape you have in place really, but if you're
> able to restrict most of the users, would you say no to it? There's not
> a single solution to deploy where people can't find a way to use another
> device, at least not that I know of. Maybe you could shed some light on
> it instead of just pointing out that the MAC address can be spoofed, and
> would you expect your average run of the mill user to know how to spoof
> MAC addresses?

We're talking a VPN client here. The MAC address that your system will look at to determine if the client is valid is just some bytes in an IP packet. If OpenConnect/vpnc/whatever wants to, it can spoof it. You don't need intelligent users.

That's the problem with this NAC concept: the system only works if you trust your software client. And you have no reason to trust it. IMHO security should not be based on things like these.

OTOH I personally think that the situation is fine; NAC/whatever prevents Jane and John Doe from accidentally causing unintended damage through neglect. But it also allows the geeks to connect even though they might not have the same concept of what a valid computing device is. If my company's policies on computers were enforced (and some are actually trying to do just that) I would be forced to use systems that wouldn't let me do things the way I like. Enforced policy = I find another place to work.

-- 
Peter
[c-nsp] Restricting VPN connections to company hardware?
Hi,

I've been googling but not finding much, although I think I'm probably formulating my search incorrectly, so I'm hoping for some pointers here.

I use ASA 5520 hardware to provide VPN services to end users with Cisco VPN clients and some L2L sessions. We've been finding that folks are configuring iPhones and other non-approved devices to attach to the network. What's the best method to certify that end users are connecting with approved devices only? Is there a good way, say, for me to allow company provided laptops but not allow clients from home machines where users duplicate their profile, or non-certified end devices like pocket PC devices? I understand how to filter based on client type, but this doesn't prevent someone from copying their profile file from one machine to another.

Any pointers would be appreciated.

Thanks
Scott
Re: [c-nsp] Restricting VPN connections to company hardware?
Hi Scott,

Certificate based authentication can meet these needs. This document is just a starting point -- the client certificate installation procedure is onerous. If you have a MS environment it's easier to push out certs with group policy objects than making your end users download and install certificates.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml

-mtw

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Granados
Sent: Wednesday, November 04, 2009 9:43 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Restricting VPN connections to company hardware?