SSL VPN and access only from company computers

news2010a
Level 3

Hi,

Imagine my company has a policy in which remote access (VPN) should be launched only from company-authorized laptops.

Questions:

a) With SSL VPN, could I control access in such a way that only company laptops (or client machines pre-authorized such as staff home machines) could establish the connection successfully to the SSL VPN server?

b) Does it make sense in the first place deploying an SSL VPN solution if my goal is to restrict SSL VPN session access only to company laptops?

I am aware that with the existing Cisco VPN 3000 (IPsec) concentrator, any user could download the client and attempt to connect. However, the process of downloading the client is somehow a way to minimize our exposure.

4 Replies

jbayuka
Level 5

Once a remote computer is allowed access to the VPN, it becomes an extension of your organization's network. Host security to protect this endpoint device is vital to protect both the data residing on the host and the connection to your internal network.

If you want to know more please click the following link:

http://www.cisco.com/web/about/security/intelligence/05_08_SSL-VPN-Security.html

Danilo Dy
VIP Alumni

Hi,

That's the problem with client VPNs: they still live with the traditional way of accessing the company network remotely. There should be two levels of authentication:

1. First Level (no VPN Tunnel established yet)

- After successful authentication, a security server will check for specific information from the user PC (i.e. virus signature, OS, and for a company-issued laptop the MAC address).

2. Second Level

- After it successfully checks for the information it looks for in item 1, it will trigger a second authentication, then it will establish the VPN tunnel between the user PC and the company network if authenticated successfully; otherwise it will disconnect the current session.

Dandy

dbellaze
Level 4

If you implement two-factor authentication with certificates you could get very close without having to implement something like NAC.

Certificates are losing their foo, but it still gives much added security against regular Joe users. Depending on your organization this may or may not be a current option. If you have a PKI infrastructure in place you could easily implement this so your company-issued machines would connect with a profile that requires a company-issued cert for IKE (1st factor) and then their AD/LDAP credentials (2nd factor).

Daniel
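The two-stage gate Dandy describes and the certificate-as-first-factor approach Daniel describes, shown as an added example with the openssl CLI. This is not code from the thread or from Cisco; the company CA, the laptop name LAPTOP-0001, the rogue "home-pc" certificate and the user table for alice are all constructed stand-ins for a real PKI and an AD/LDAP directory. The point it makes that the posts do not: a home machine can copy the company subject string into a self-signed certificate, so the check must be "chains to our CA" first and "has the laptop OU" second, never a subject-string match alone.

```shell
#!/bin/sh
# Added example, not from the thread: certificate-gated VPN login checked
# with the openssl CLI. All names (Example Corp, LAPTOP-0001, alice) and the
# user table are hypothetical stand-ins for a real PKI and directory.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Company CA. basicConstraints is set explicitly so "openssl verify" accepts
# it as an issuer on every OpenSSL version; nothing but this CA is trusted.
make_company_pki() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
O = Example Corp
CN = Example Corp Laptop CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Enrolment of a company-issued laptop: CSR signed by the CA, OU marks the
# machine class. In practice the key lives in the laptop's TPM or OS store.
issue_laptop_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
    -subj "/O=Example Corp/OU=Company Laptops/CN=$1" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/$1.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$1.crt" 2>/dev/null
}

# A staff home PC that forges the subject string but cannot get a CA signature.
make_rogue_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout "$WORK/$1.key" \
    -out "$WORK/$1.crt" -subj "/O=Example Corp/OU=Company Laptops/CN=$1" 2>/dev/null
}

# First factor: chain check first, OU check second. Matching the subject
# alone would let the rogue cert through. Only the company CA is trusted.
machine_cert_ok() {
  openssl verify -no-CAfile -no-CApath -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1" -noout -subject | grep -q 'OU *= *Company Laptops'
}

# Second factor: stand-in for the AD/LDAP bind, a constructed table of
# "user:salt:sha256(salt:password)" entries.
USER_TABLE="alice:7f3a:$(printf '7f3a:correct horse' | openssl dgst -sha256 | sed 's/^.*= //')"

user_cred_ok() {  # user password
  entry=$(printf '%s\n' "$USER_TABLE" | grep "^$1:") || return 1
  salt=$(printf '%s' "$entry" | cut -d: -f2)
  want=$(printf '%s' "$entry" | cut -d: -f3)
  got=$(printf '%s:%s' "$salt" "$2" | openssl dgst -sha256 | sed 's/^.*= //')
  [ "$got" = "$want" ]
}

# Both factors must pass before a tunnel would be built; the machine check
# runs first so a non-company host never reaches the credential prompt.
vpn_login() {  # cert user password
  machine_cert_ok "$1" || { echo "reject: machine cert not company-issued"; return 1; }
  user_cred_ok "$2" "$3" || { echo "reject: bad user credentials"; return 1; }
  echo "allow: $2 on $(openssl x509 -in "$1" -noout -subject | sed 's/^.*CN *= *//')"
}

make_company_pki
issue_laptop_cert LAPTOP-0001
make_rogue_cert home-pc
vpn_login "$WORK/LAPTOP-0001.crt" alice "correct horse" || true
vpn_login "$WORK/home-pc.crt"     alice "correct horse" || true
vpn_login "$WORK/LAPTOP-0001.crt" alice "wrong"         || true
```

What the certificate check actually proves is possession of a private key that the company CA once certified, so the enrolment step matters as much as the verify: keep the laptop key non-exportable (TPM or OS key store) and revoke the certificate when the machine leaves the fleet, otherwise a copied key file turns any PC into a "company laptop".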

Danilo Dy
VIP Alumni

Hi Marlon,

Can you post your email, I will send you something that might interest you. It's not nice to post here :)

Dandy
