Mailing List Archive: Cisco: NSP

Restricting VPN connections to company hardware?


gsgranados at comcast

Nov 4, 2009, 9:42 AM

Post #1 of 12
Restricting VPN connections to company hardware?

Hi,
I've been googling but not finding much although I think I'm probably
formulating my search incorrectly so I'm hoping for some pointers here.
I use ASA 5520 hardware to provide VPN services to end users with Cisco
VPN clients and some L2L sessions. We've been finding that folks are
configuring iPhones and other non-approved devices to attach to the network.
What's the best method to certify that end users are connecting with
approved devices only? Is there a good way say for me to allow company
provided laptops but not allow clients from home machines where users
duplicate their profile or non-certified end devices like pocket PC devices?
I understand how to filter based on client type but this doesn't prevent
someone from copying their profile file from one machine to another. Any
pointers would be appreciated.

Thanks
Scott

_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


mawhi at vestas

Nov 4, 2009, 12:26 PM

Post #2 of 12
Re: Restricting VPN connections to company hardware? [In reply to]

Hi Scott,

Certificate based authentication can meet these needs.

This document is just a starting point -- the client certificate installation procedure is onerous. If you have a MS environment it's easier to push out certs with group policy objects than making your end users download and install certificates.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml


-mtw





jmkeller at houseofzen

Nov 5, 2009, 5:56 PM

Post #3 of 12
Re: Restricting VPN connections to company hardware? [In reply to]

My understanding is the Cisco VPN (IPsec) client doesn't have the host
integration features that are available in the AnyConnect client
(yet). One of the reasons we are doing SSL VPN on ASA is to be able to
do the host profiling and do the IT Approved / Other dynamic access
policies.

You can do a combination of checks that match up to your 'approved'
devices.

In our case, non-IT standard systems have to run Secure Desktop sessions
and only get WebVPN. IT standard systems get AnyConnect with full IP
tunneling.

Again as folks have said - you are trusting the end client software to
do the right thing. So don't expect this to keep out 'the smart
kids'. You can cycle through checks and do MD5s, but if someone is
motivated and wants to reverse the checks they can spoof it. At that
point you just need to back up policy with HR walking someone from the
building, and have some way to audit to catch the smart kids who really
should know better but think the Corp IT folks are fools.

:)

-James



jmkeller at houseofzen

Nov 5, 2009, 6:00 PM

Post #4 of 12
Re: Restricting VPN connections to company hardware? [In reply to]

I haven't read up the cert authentication much, but what stops the user
from moving the cert file to another un-approved device (per the
original question) - all you are doing is Two-factor at that point -
user but not host based checking correct?

-James



mark at edgewire

Nov 5, 2009, 7:10 PM

Post #5 of 12
Re: Restricting VPN connections to company hardware? [In reply to]

Why is it not possible to check it against the MAC address of the
connecting device? Log incoming connections and their MAC address and
match it against a list of hardware that has been assigned to the users.

On 06-Nov-2009, at 10:00 AM, James Michael Keller wrote:

> I haven't read up the cert authentication much, but what stops the
> user from moving the cert file to another un-approved device (per
> the original question) - all you are doing is Two-factor at that
> point - user but not host based checking correct?
>
> -James


randy_94108 at yahoo

Nov 5, 2009, 8:18 PM

Post #6 of 12
Re: Restricting VPN connections to company hardware? [In reply to]

With user certs, nothing stops the user from importing it to another un-approved machine; one reason at my last job we moved to a machine cert/appliance-based SSL VPN solution.

--- On Thu, 11/5/09, James Michael Keller <jmkeller [at] houseofzen> wrote:


From: James Michael Keller <jmkeller [at] houseofzen>
Subject: Re: [c-nsp] Restricting VPN connections to company hardware?
To: "Matthew White" <mawhi [at] vestas>
Cc: "cisco-nsp [at] puck" <cisco-nsp [at] puck>
Date: Thursday, November 5, 2009, 6:00 PM


I haven't read up the cert authentication much, but what stops the user from moving the cert file to another un-approved device (per the original question) - all you are doing is Two-factor at that point - user but not host based checking correct?

-James

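Randy's point about moving to machine certificates, as an added example that is not part of the thread or of any Cisco documentation: the gateway side of such a policy in Go, standard library only. It builds a throw-away PKI (the corporate root "Example Corp Device CA", the OU "Managed Devices", the host name LAPTOP-0042.corp.example and the user "scott" are all made up for the example) and then applies the kind of rule an ASA certificate map expresses when it selects a tunnel-group from subject fields: the certificate must chain to the corporate device CA, and only a machine certificate carrying the managed-device OU gets the full tunnel; a user certificate from the same CA is limited to the clientless portal, and a certificate that copies the machine subject but comes from another CA is rejected outright.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// managedOU is the subject OU that, in this hypothetical PKI, only the
// machine-certificate template auto-enrolled to domain-joined laptops
// carries; user certificates never get it.
const managedOU = "Managed Devices"

// issueCert signs a client-auth certificate for pub. With parent == nil the
// template is self-signed and marked CA, which is how the roots are made.
func issueCert(subject pkix.Name, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// tunnelPolicy is the gateway-side rule: the presented certificate must chain
// to the corporate device CA and be valid for client authentication; only a
// machine certificate (managedOU present) gets the full IP tunnel, any other
// trusted certificate is limited to the clientless portal, and an untrusted
// one is rejected before its subject is even looked at.
func tunnelPolicy(presented, root *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := presented.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate rejected: %w", err)
	}
	for _, ou := range presented.Subject.OrganizationalUnit {
		if ou == managedOU {
			return "full-tunnel", nil
		}
	}
	return "webvpn-only", nil
}

// scenario is the constructed test PKI: the corporate root, a machine cert and
// a user cert issued by it, and a cert from an unrelated CA whose subject
// copies the machine cert's subject.
type scenario struct{ root, machine, user, impostor *x509.Certificate }

func buildScenario() *scenario {
	newKey := func() *ecdsa.PrivateKey {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err)
		}
		return k
	}
	issue := func(subject pkix.Name, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
		c, err := issueCert(subject, pub, parent, signer)
		if err != nil {
			panic(err)
		}
		return c
	}
	caKey, homeCAKey := newKey(), newKey()
	machineSubject := pkix.Name{CommonName: "LAPTOP-0042.corp.example", OrganizationalUnit: []string{managedOU}}
	root := issue(pkix.Name{CommonName: "Example Corp Device CA"}, &caKey.PublicKey, nil, caKey)
	homeRoot := issue(pkix.Name{CommonName: "Home CA"}, &homeCAKey.PublicKey, nil, homeCAKey)
	return &scenario{
		root:    root,
		machine: issue(machineSubject, &newKey().PublicKey, root, caKey),
		user:    issue(pkix.Name{CommonName: "scott", OrganizationalUnit: []string{"Users"}}, &newKey().PublicKey, root, caKey),
		// Same subject as the real machine cert, but not issued by the corporate CA.
		impostor: issue(machineSubject, &newKey().PublicKey, homeRoot, homeCAKey),
	}
}

func main() {
	s := buildScenario()
	for _, c := range []struct {
		name string
		cert *x509.Certificate
	}{{"machine", s.machine}, {"user", s.user}, {"impostor", s.impostor}} {
		level, err := tunnelPolicy(c.cert, s.root)
		fmt.Printf("%-8s -> %q (err: %v)\n", c.name, level, err)
	}
}
```

The check is still only as good as James's objection allows: the gateway sees a valid signature by the enrolled key, not the device, so a machine certificate whose private key was exported and imported elsewhere passes exactly like the original. What the machine-cert approach buys is that the key is issued to the computer account rather than handed to the user, and can be marked non-exportable at enrollment.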


peter at rathlev

Nov 5, 2009, 11:12 PM

Post #7 of 12
Re: Restricting VPN connections to company hardware? [In reply to]

On Fri, 2009-11-06 at 11:10 +0800, mark [at] edgewire wrote:
> Why is it not possible to check it against the MAC address of the
> connecting device? Log incoming connections and their MAC address and
> match it against a list of hardware that has been assigned to the users.

Please state how you expect this not to be spoofed. :-)

--
Peter




mark at edgewire

Nov 5, 2009, 11:19 PM

Post #8 of 12
Re: Restricting VPN connections to company hardware? [In reply to]

There's no way of stopping a determined user that wants to bypass
whatever filters or red tape you have in place really but if you're
able to restrict most of the users, would you say no to it? There's
not a single solution to deploy where people can't find a way to use
another device, at least not that I know of. Maybe you could shed some
light on it instead of just pointing out that the MAC address can be
spoofed and would you expect your average run-of-the-mill user to know
how to spoof MAC addresses?




On 06-Nov-2009, at 3:12 PM, Peter Rathlev wrote:

> On Fri, 2009-11-06 at 11:10 +0800, mark [at] edgewire wrote:
>> Why is it not possible to check it against the MAC address of the
>> connecting device? Log incoming connections and their MAC address and
>> match it against a list of hardware that has been assigned to the
>> users.
>
> Please state how you expect this not to be spoofed. :-)
>
> --
> Peter
>
>



peter at rathlev

Nov 5, 2009, 11:45 PM

Post #9 of 12
Re: Restricting VPN connections to company hardware? [In reply to]

On Fri, 2009-11-06 at 15:19 +0800, mark [at] edgewire wrote:
> There's no way of stopping a determined user that wants to bypass
> whatever filters or red tape you have in place really but if you're
> able to restrict most of the users, would you say no to it? There's
> not a single solution to deploy where people can't find a way to use
> another device, at least not that I know of. Maybe you could shed some
> light on it instead of just pointing out that the MAC address can be
> spoofed and would you expect your average run of the mill user know
> how to spoof MAC addresses?

We're talking a VPN client here. The "MAC address" that your system will
look at to determine if the client is valid is just some bytes in an IP
packet. If OpenConnect/vpnc/whatever wants to it can spoof it. You don't
need intelligent users.

That's the "problem" with this NAC concept: The system only works if you
trust your software client. And you have no reason to trust it. IMHO
security should not be based on things like these.

OTOH I personally think that the situation is fine; NAC/whatever
prevents Jane and John Doe from accidentally causing unintended damage
through neglect. But it also allows the geeks to connect even though
they might not have the same concept of what a valid computing device
is. If my company's "policies" on computers were enforced (and some are
actually trying to do just that) I would be forced to use systems that
wouldn't let me do things the way I like. Enforced policy => I find
another place to work.

--
Peter




gert at greenie

Nov 6, 2009, 1:56 AM

Post #10 of 12
Re: Restricting VPN connections to company hardware? [In reply to]

Hi,

On Fri, Nov 06, 2009 at 11:10:14AM +0800, mark [at] edgewire wrote:
> Why is it not possible to check it against the MAC address of the
> connecting device? Log incoming connections and their MAC address and
> match it against a list of hardware that has been assigned to the users.

What's a MAC address?

Seriously: if someone is trying to play tricks with your security policy,
why are you assuming that he is not going to enter whatever MAC address
you want to see into his client?

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert [at] greenie
fax: +49-89-35655025 gert [at] net


ak at gaaga

Nov 6, 2009, 4:59 AM

Post #11 of 12
Re: Restricting VPN connections to company hardware? [In reply to]

Hi, James!

It is possible to make the private key non-exportable, so once installed
the certificate can't be exported in the future.

Cheers.

On Fri, Nov 6, 2009 at 4:00 AM, James Michael Keller <
jmkeller [at] houseofzen> wrote:

> I haven't read up the cert authentication much, but what stops the user
> from moving the cert file to another un-approved device (per the original
> question) - all you are doing is Two-factor at that point - user but not
> host based checking correct?
>
> -James
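Peter's argument that the "MAC address" is just bytes the client chooses to send, James's remark that file MD5s can be spoofed the same way, and the non-exportable-key reply above, as an added example that is not from the thread (Go, standard library only; the report format, the inventory entry for "scott", the two MAC addresses and the agent digest are all constructed for the example and are not an AnyConnect or Secure Desktop format). The first half is the posture-check design: the gateway compares fields the client reports to the inventory, and a modified client that reports the issued laptop's MAC from an iPhone passes. The second half is the design the machine-certificate replies point at: the gateway issues a nonce and accepts only a signature made with the private key enrolled for that user, so there is no field to copy; a device holding a different key fails, and a captured response fails against the next nonce.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// PostureReport is everything a posture-checking client tells the gateway
// about the device it runs on. The gateway never observes the hardware; it
// only parses bytes the client chose to send. Constructed for this example.
type PostureReport struct {
	User     string
	MAC      string
	AgentMD5 string // hash the client claims for its own posture agent
}

// Constructed inventory: MAC of the laptop issued to each user, and the
// digest IT expects the agent to report for itself.
var issuedMAC = map[string]string{"scott": "00:1e:c9:aa:bb:cc"}

const expectedAgentMD5 = "0f343b0931126a20f133d67c2b018a3b" // placeholder digest

// assertedCheck is the spoofable design: compare what the client says to the
// inventory. Anything the gateway can compare here, the client can fabricate.
func assertedCheck(r PostureReport) bool {
	return issuedMAC[r.User] == r.MAC && r.AgentMD5 == expectedAgentMD5
}

// honestReport is what an unmodified client sends from a device with hardwareMAC.
func honestReport(user, hardwareMAC string) PostureReport {
	return PostureReport{User: user, MAC: hardwareMAC, AgentMD5: expectedAgentMD5}
}

// forgedReport is what a modified or third-party client sends: the user knows
// the MAC of the laptop IT gave them and the expected agent hash is not a
// secret, so a report sent from an iPhone is indistinguishable from the laptop's.
func forgedReport(user string) PostureReport {
	return PostureReport{User: user, MAC: issuedMAC[user], AgentMD5: expectedAgentMD5}
}

// Device stands for an enrolled laptop. Its key was generated on the device
// and is meant to stay there (non-exportable); the client never sends the
// key, only signatures made with it.
type Device struct{ key *ecdsa.PrivateKey }

// Gateway knows each user's enrolled device public key (from the machine
// certificate) and never relies on a self-reported identity.
type Gateway struct{ enrolled map[string]*ecdsa.PublicKey }

func newDevice() (*Device, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{key: k}, nil
}

// Challenge returns a fresh nonce; a response is valid only for the nonce it
// was issued for, so a captured response cannot be replayed later.
func (g *Gateway) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Respond signs the nonce. Only a party holding the enrolled private key can
// produce this; there is no report field for an impostor to copy.
func (d *Device) Respond(nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, d.key, digest[:])
}

// Verify checks the response against the key enrolled for that user.
func (g *Gateway) Verify(user string, nonce, sig []byte) bool {
	pub, ok := g.enrolled[user]
	if !ok {
		return false
	}
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	fmt.Println("asserted, honest laptop :", assertedCheck(honestReport("scott", "00:1e:c9:aa:bb:cc")))
	fmt.Println("asserted, honest iPhone :", assertedCheck(honestReport("scott", "a4:5e:60:11:22:33")))
	fmt.Println("asserted, forged iPhone :", assertedCheck(forgedReport("scott")))

	laptop, _ := newDevice()
	iphone, _ := newDevice() // has its own key, not the enrolled one
	gw := &Gateway{enrolled: map[string]*ecdsa.PublicKey{"scott": &laptop.key.PublicKey}}
	nonce, _ := gw.Challenge()
	good, _ := laptop.Respond(nonce)
	bad, _ := iphone.Respond(nonce)
	fmt.Println("possession, laptop      :", gw.Verify("scott", nonce, good))
	fmt.Println("possession, iPhone      :", gw.Verify("scott", nonce, bad))
}
```

This only helps if the enrolled key cannot be copied off the laptop: "non-exportable" is a flag enforced by the OS key store, so an administrator on the box can still get at a software key, and a TPM or smart card is what actually binds it to the hardware. It also does nothing about an approved laptop forwarding traffic for another device sitting behind it.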


gururug at gmail

Nov 6, 2009, 5:25 AM

Post #12 of 12
Re: Restricting VPN connections to company hardware? [In reply to]

You may be able to find some extensions for NAC/NAP that will check the
device itself for something that says it's bona fide company issue before
issue of IP.


Alternatively you could run single IP per user / crypto with MAC filtering
(I'd bypass this by routing/NATing my home devices through my company
laptop).
