05-07-2007 11:17 AM
Hi,
Imagine my company has a policy in which remote access (VPN) may only be launched from company-authorized laptops.
Questions:
a) With SSL VPN, could I control access in such a way that only company laptops (or pre-authorized client machines, such as staff home machines) could successfully establish a connection to the SSL VPN server?
b) Does it make sense in the first place to deploy an SSL VPN solution if my goal is to restrict SSL VPN session access to company laptops only?
I am aware that with the existing Cisco VPN 3000 (IPsec) concentrator, any user could download the client and attempt to connect. However, the process of downloading the client is, in a way, a means of minimizing our exposure.
05-11-2007 12:28 PM
Once a remote computer is allowed access to the VPN, it becomes an extension of your organization's network. Host security to protect this endpoint device is vital to protecting both the data residing on the host and the connection to your internal network.
If you want to know more, please see the following link:
http://www.cisco.com/web/about/security/intelligence/05_08_SSL-VPN-Security.html
05-14-2007 05:33 AM
Hi,
That's the problem with client VPNs: they still live with the traditional way of accessing the company network remotely. There should be two levels of authentication:
1. First level (no VPN tunnel established yet)
- After successful authentication, a security server checks for specific information from the user PC (i.e. virus signature, OS, and for company-issued laptops, the MAC address).
2. Second level
- After it successfully checks for the information listed in item 1, it triggers a second authentication and then establishes the VPN tunnel between the user PC and the company network if authentication succeeds; otherwise it disconnects the current session.
Dandy
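The two-level flow Dandy describes, as an added example that is not part of this thread or of any Cisco product: a constructed posture report passes through a level 1 gate (company-laptop inventory keyed by MAC address, an approved-OS list, and a maximum virus-signature age) and only then reaches a level 2 credential check; a failure at either level ends the session. The inventory, the approved-OS list, the user store and the sample reports are constructed data standing in for an endpoint agent, a device database and AD/LDAP. One caveat a practitioner would add: a MAC address reported by the endpoint is trivially spoofed, so the device identity established at level 1 is only as strong as the channel it arrives over.

```python
"""Two-level VPN admission check: posture gate first, credentials second.

Added example, not code from this thread or from any Cisco product. The posture
fields, the company-laptop inventory and the user database are constructed
sample data; a real gateway would receive the posture report from an endpoint
agent and check credentials against AD/LDAP or RADIUS.
"""
from __future__ import annotations

import hashlib
import hmac
import re
from dataclasses import dataclass, field
from datetime import date

# Constructed inventory of company-issued laptops, keyed by normalized MAC.
COMPANY_LAPTOPS = {"00:1a:2b:3c:4d:5e": "LT-0042", "00:1a:2b:3c:4d:5f": "LT-0043"}
APPROVED_OS = {"Windows XP SP2", "Windows Vista"}  # constructed approved list
MAX_SIGNATURE_AGE_DAYS = 7


def normalize_mac(raw: str) -> str | None:
    """Accept 00-1A-2B-3C-4D-5E, 001a.2b3c.4d5e or 00:1a:...; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class PostureReport:
    os_name: str
    av_signature_date: str  # ISO date string as reported by the endpoint agent
    mac_address: str


@dataclass
class Decision:
    allowed: bool
    reasons: list[str] = field(default_factory=list)


def level_one_posture(report: PostureReport, today: str) -> Decision:
    """Level 1: is this a company laptop in an acceptable state? No tunnel exists yet."""
    reasons: list[str] = []
    mac = normalize_mac(report.mac_address)
    if mac is None or mac not in COMPANY_LAPTOPS:
        reasons.append("not a company-issued laptop")
    if report.os_name not in APPROVED_OS:
        reasons.append(f"unapproved OS: {report.os_name}")
    try:
        age = (date.fromisoformat(today) - date.fromisoformat(report.av_signature_date)).days
    except ValueError:
        reasons.append("unparseable virus signature date")
    else:
        if age < 0:
            reasons.append("virus signature date is in the future")
        elif age > MAX_SIGNATURE_AGE_DAYS:
            reasons.append(f"virus signatures {age} days old")
    return Decision(not reasons, reasons)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed credential store: username -> (salt, PBKDF2 hash). Stands in for AD/LDAP.
_SALT = b"constructed-salt"
USER_DB = {"marlon": (_SALT, _hash_password("correct horse", _SALT))}


def level_two_credentials(username: str, password: str) -> bool:
    """Level 2: user credentials, compared in constant time."""
    entry = USER_DB.get(username)
    if entry is None:
        return False
    salt, expected = entry
    return hmac.compare_digest(_hash_password(password, salt), expected)


def admit_session(report: PostureReport, username: str, password: str, today: str) -> Decision:
    """Run both levels in order; a failure at either level ends the session."""
    first = level_one_posture(report, today)
    if not first.allowed:
        return Decision(False, ["level 1 failed: " + "; ".join(first.reasons)])
    if not level_two_credentials(username, password):
        return Decision(False, ["level 2 failed: bad credentials"])
    laptop = COMPANY_LAPTOPS[normalize_mac(report.mac_address)]
    return Decision(True, [f"tunnel established for {laptop}"])


if __name__ == "__main__":
    today = "2007-05-14"
    laptop = PostureReport("Windows XP SP2", "2007-05-10", "00-1A-2B-3C-4D-5E")
    home_pc = PostureReport("Windows XP SP2", "2007-05-10", "aa:bb:cc:dd:ee:ff")
    for name, rep in (("laptop", laptop), ("home PC", home_pc)):
        print(name, admit_session(rep, "marlon", "correct horse", today))
```

The MAC normalization matters because agents, switches and inventories write the same address in different notations; without it a legitimate laptop would be rejected for a formatting difference. The credential check is kept out of the posture gate on purpose, so a failed posture check never reveals whether the username exists.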
05-14-2007 12:01 PM
If you implement two-factor authentication with certificates, you could get very close without having to implement something like NAC.
Certificates are losing their foo, but they still give much added security against regular Joe users. Depending on your organization, this may or may not be a current option. If you have a PKI infrastructure in place, you could easily implement this so your company-issued machines would connect with a profile that requires a company-issued cert for IKE (1st factor) and then their AD/LDAP credentials (2nd factor).
Daniel
05-14-2007 07:03 PM
Hi Marlon,
Can you post your email? I will send you something that might interest you. It's not nice to post it here :)
Dandy