SSL VPN and access only from company computers

Unanswered Question
May 7th, 2007

Hi,

Imagine my company has a policy in which remote access (VPN) should be launched only from company-authorized laptops.


Questions:

a) With SSL VPN, could I control access in such a way that only company laptops (or client machines pre-authorized such as staff home machines) could establish the connection successfully to the SSL VPN server?


b) Does it make sense in the first place deploying an SSL VPN solution if my goal is to restrict SSL VPN session access only to company laptops?


I am aware that with the existing Cisco VPN 3000 (IPsec) concentrator, any user could download the client and attempt to connect. However, the process of downloading the client is somehow a way to minimize our exposure.

jbayuka Fri, 05/11/2007 - 12:28

Once a remote computer is allowed access to the VPN, it becomes an extension of your organization's network. Host security to protect this endpoint device is vital to protect both the data residing on the host and the connection to your internal network.


If you want to know more please click the following link:


http://www.cisco.com/web/about/security/intelligence/05_08_SSL-VPN-Security.html



Danilo Dy Mon, 05/14/2007 - 05:33

Hi,


That's the problem with client VPNs: they still live with the traditional way of accessing the company network remotely. There should be two levels of authentication:

1. First level (no VPN tunnel established yet)

- After successful authentication, a security server will check for specific information from the user PC (i.e. virus signature, OS, and for a company-issued laptop, the MAC address).

2. Second level

- After it successfully checks for the information it looks for in item 1, it will trigger a second authentication, then it will establish the VPN tunnel between the user PC and the company network if authenticated successfully; else it will disconnect the current session.


Dandy

dbellaze Mon, 05/14/2007 - 12:01

If you implement two-factor authentication with certificates you could get very close without having to implement something like NAC.


Certificates are losing their foo, but it still gives much added security against regular Joe users. Depending on your organization this may or may not be a current option. If you have a PKI infrastructure in place you could easily implement this so your company-issued machines would connect with a profile that requires a company-issued cert for IKE (1st factor) and then their AD/LDAP credentials (2nd factor).


Daniel
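The two-stage admission the two replies above describe (Danilo Dy's endpoint check followed by a second authentication, and dbellaze's company-issued certificate as the first factor with AD/LDAP credentials as the second) can be modelled in a few lines. The following is an added Python example written for this page; it is not code from the thread, from Cisco, or from any product. The corporate CA name, the laptop inventory, the posture fields, the OS baseline, the seven-day signature-age limit and the stand-in directory are all constructed assumptions. It also assumes the TLS/IKE layer has already verified the client certificate's signature and chain, so the gateway only has to decide which issuer and which machines are acceptable; a real gateway would query the PKI, the asset inventory and AD/LDAP instead of the dictionaries here.

```python
"""Two-stage VPN admission: device gate first, user gate second, tunnel last.

Constructed example.  Every back end below (CA name, laptop inventory,
directory, policy thresholds) is a made-up stand-in, not a real deployment.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy values and back-end data (constructed).
CORPORATE_CA = "CN=Example Corp Issuing CA,O=Example Corp"   # issuer DN we accept
ALLOWED_OS = {"Windows XP SP2", "Windows Vista"}              # OS baseline
MAX_SIGNATURE_AGE = timedelta(days=7)                         # AV signature freshness
TODAY = date(2007, 5, 14)                                     # clock for the example

# Company-issued laptops: machine-certificate subject -> MAC recorded at issue.
INVENTORY = {
    "CN=LT-0042.corp.example,OU=Laptops,O=Example Corp": "00:1a:a0:12:34:56",
    "CN=LT-0043.corp.example,OU=Laptops,O=Example Corp": "00:1a:a0:65:43:21",
}

_SALT = b"constructed-salt"


def _derive(password: str, salt: bytes) -> bytes:
    """Password-derived key, so the stand-in directory never stores plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Stand-in for AD/LDAP: username -> (salt, derived key).  Constructed.
DIRECTORY = {"marlon": (_SALT, _derive("correct horse", _SALT))}


@dataclass
class Session:
    cert_issuer: str    # issuer DN of the client cert, as reported by the TLS/IKE layer
    cert_subject: str   # subject DN of that cert
    posture: dict       # client-reported posture: os, av_signature_date, mac
    state: str = "new"  # new -> device_ok -> tunnel_up, or disconnected at any point
    reason: str = ""


def _normalise_mac(mac: str) -> str:
    return mac.strip().lower().replace("-", ":")


def _reject(session: Session, reason: str) -> bool:
    """Any failure tears the session down; nothing is half-admitted."""
    session.state, session.reason = "disconnected", reason
    return False


def device_gate(session: Session, today: date) -> bool:
    """Level 1: is this a company machine in acceptable shape?  No tunnel exists yet."""
    if session.cert_issuer != CORPORATE_CA:
        return _reject(session, "certificate not issued by corporate CA")
    recorded_mac = INVENTORY.get(session.cert_subject)
    if recorded_mac is None:
        return _reject(session, "certificate subject not in laptop inventory")
    # The MAC is self-reported and trivially changed: it is a consistency check
    # against the inventory record, not proof of anything.
    if _normalise_mac(session.posture.get("mac", "")) != recorded_mac:
        return _reject(session, "reported MAC does not match inventory")
    if session.posture.get("os") not in ALLOWED_OS:
        return _reject(session, "operating system not on approved list")
    try:
        sig_date = date.fromisoformat(session.posture["av_signature_date"])
    except (KeyError, ValueError):
        return _reject(session, "antivirus signature date missing or malformed")
    if today - sig_date > MAX_SIGNATURE_AGE:
        return _reject(session, "antivirus signatures older than policy allows")
    session.state = "device_ok"
    return True


def user_gate(session: Session, username: str, password: str) -> bool:
    """Level 2: the person at the keyboard.  Only reachable after device_gate passed."""
    if session.state != "device_ok":
        return _reject(session, "user authentication attempted before device check")
    entry = DIRECTORY.get(username)
    # Derive a key even for unknown users so timing does not reveal whether they exist.
    salt, expected = entry if entry is not None else (_SALT, b"\x00" * 32)
    ok = entry is not None and hmac.compare_digest(_derive(password, salt), expected)
    if not ok:
        return _reject(session, "user credentials rejected")
    session.state = "tunnel_up"
    return True


def admit(session: Session, username: str, password: str, today: date) -> str:
    """Drive both gates in order; the tunnel comes up only if both pass."""
    if device_gate(session, today):
        user_gate(session, username, password)
    return session.state


if __name__ == "__main__":
    laptop = Session(CORPORATE_CA, "CN=LT-0042.corp.example,OU=Laptops,O=Example Corp",
                     {"os": "Windows XP SP2", "av_signature_date": "2007-05-12",
                      "mac": "00-1A-A0-12-34-56"})
    print(admit(laptop, "marlon", "correct horse", TODAY), laptop.reason)
```

The ordering is the point: a home machine with a self-signed or third-party certificate never reaches the credential prompt, so a stolen password alone is not enough, and a company laptop with stale signatures is turned away before the user is asked for anything. The MAC address is only correlated with the inventory record because the client chooses what it reports; the certificate, which the gateway's TLS/IKE layer verifies against the issuing CA, is what actually ties the session to a company-issued device.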

Danilo Dy Mon, 05/14/2007 - 19:03

Hi Marlon,


Can you post your email, I will send you something that might interest you. It's not nice to post here :)


Dandy
