06-23-2008 02:45 PM - edited 03-09-2019 08:57 PM
Greetings!
Guys, I need some help. One of our customers bought the CSA solution in order to protect and narrow Internet access when an employee is out of the office.
Here is the scenario: if an employee takes one of the company's laptops to his house/hotel/etc. and tries to access any Internet-based service (HTTP, HTTPS, P2P, FTP, torrent, etc.), it is MANDATORY that this person establishes a VPN connection; this way all content will be processed by the company's proxy and firewall (there is no split-tunnel policy). Otherwise, all TCP/UDP streams should be BLOCKED.
I'm using the Roaming - Force VPN (action: Query the User; when: MC unreachable & Ethernet Active; and NOT when: MC is reachable) and the Cisco VPN Client rule modules; there is no Temporary Allow Web Browser rule enabled. But I need some help with the parameters. What happens is that if the user answers yes (allow) to the query message and does not have a VPN connection, he still manages to access the Internet, and that's not acceptable.
I need to BLOCK ALL UDP/TCP streams at first, ask the user if the VPN is established, check the status of the VPN connection and then, if the tunnel is UP, allow access; else block everything until the VPN is established.
Can you guys help me?
Thanks in advance!
Att, Daniel Yamashita
PS: I'm using CSA MC v.5.2.0.263 hot fix (fcs-csamc-hotfix-5.2.0.263-w2k3-k9.zip)
06-23-2008 07:28 PM
hi there
I think the better way is to look at how to use system or user state.
In this way the CSA will check, for example, whether your client VPN pool is in the range of 10.1.1.0 to 10.1.1.50, so if he has taken this address then one of your policies will come into effect, which is the permit one;
otherwise the deny one will stay in operation.
Just focus on the system and user state field.
If helpful, rate.
thank you
06-24-2008 06:45 AM
Hello 'marwanshawi'!
Unfortunately your suggestion won't work for my case, because I can't foresee what range of IP addresses one can get on a hotel/airport Internet access... It may be the same as the one configured in the VPN pool; it's not probable, but it's possible, and our customer won't accept that.
But I thank you anyway! Thanks for your time and attention!
Att, Dan
06-24-2008 03:59 PM
hi there
Have you seen the options available in the system and user state?
What I told you was only an example.
You could make it so, for example, that if the client did not get an IP address within your client private range address, then one of your policies comes into effect, and there are a lot of things you can do, not only based on IP addresses...
Rate if helpful,
and try it.
08-29-2008 08:02 AM
Hello,
Did you manage to get something working? I am looking for the same too.
Help appreciated.
Thanks
09-01-2008 12:51 AM
Any help?
09-01-2008 06:12 AM
Greetings "followurself",
Sorry for taking this long to answer, but yes, I've managed to deploy the CSA as our customer wanted.
I've decided to create my own rule and policy modules. I'm not sure if this is what you need, but here is a simple sketch:
CSA-External Access Policies
[Rule Modules >> Windows Rule Modules]
-Name: External_Access
-Operating System: All Windows
-State Conditions: Apply this rule module only if the following state conditions are met
-> When: Ethernet Active and Management Center Not Reachable
-> Not when: Management Center Reachable
[Rules]
(1)Terminate All
*Type: Network Access Control
*Action: Priority Terminate Process (take precedence)
*When ...: Active FTP Client Applications, Active HTTP Client Applications, Active TCP Client Applications, Active UDP Client Applications, Active UDP Server Applications, Active TCP Server Applications, Instant Messenger Applications
*But not in ...: Cisco VPN Client, Web Browser Applications
*Attempt to act as a client or server for network services: $Ephemeral Port Ranges, $TCP, $TCP Ephemeral server ports, $UDP, $UDP Ephemeral server ports
*Communicating with host addresses: $All_But_Private_Local >> Matching:
*Using these local interfaces:
(2)Priority_Deny-Everything but http,https to local and VPN Peer
*Type: Network Access Control
*Action: Priority Deny (take precedence)
*When ...: Active TCP Client Applications, Active UDP Client Applications
*But not in ...: Cisco VPN Client
*Attempt to act as a client for network services: $FTP Control Channel, $HTTP, $Instant Messenger Protocols, $UDP Ephemeral server ports, $TCP Ephemeral server ports, $FTP Client Data Channel, $Email, $DNS, $ALT-HTTP
*Communicating with host addresses: $All_But_Private_Local
*Using these local interfaces:
(3)Allow Web Browser only to Private Range
*Type: Network Access Control
*Action: Priority Allow (take precedence)
*When ...: Web Browser Timed (custom class, $Web Browser Clients with Remove process from application class after 30 seconds)
*But not in the following class:
*Attempt to act as a client for network services: $DNS, $HTTP, $ALT-HTTP
*Communicating with host addresses: $Only Private Local and VPN Peer IP Addresses >> Matching: 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, 192.168.0.0-255.255, @(local)
*Using these local interfaces:
(4)Warning Message: VPN in NOW
*Type: Network Access Control
*Action: Query User (take precedence) | Query Settings: Establish VPN Connection (Allowed actions = Default Action = Logged = Allow)
*When ...:
*But not in the following class: Cisco VPN Client, MS Logon Setup Applications, MS winlogon
*Attempt to act as a client or server for network services: $TCP Ephemeral server ports, $TCP, $UDP, $UDP Ephemeral server ports
*Communicating with host addresses: $All but 127.0.0.1 >> Matching:
*Using these local interfaces:
The generated kit contains the following groups:
As you can see, the trigger for these rules is Ethernet Active and whether the MC server is reachable or not. The only way the pop-up message can appear is when the MC is unreachable.
I might've mapped a little too much, but it worked great! Let me know if this is what you need. Remember that you should worry more about what to deny than what to allow, ok?
If there is anything else, don't hesitate to ask.
Regards, Dan
09-03-2008 01:27 AM
Thanks Dan
I shall try and let you know how it goes. I'd appreciate it if you can help me with other questions.
All our laptop users have local admin rights; hence they can turn off the CSA. How can I ensure that any user in the local admin group, apart from the default administrator user, can stop or turn off the agent and service?
Also, these laptops are running in test mode. How can I get the above rule module and the rule modules which protect from day-zero attacks, unknown viruses and worms to run in protected mode and the rest in test mode?
Also, these laptop users use the same laptop in the office when they are in, so availability of the MC even in the LAN becomes a must for them to browse. We don't have the MC in redundancy. And yeah, they are configured to use a proxy server to browse, but they can untick it.
Thanks
09-04-2008 07:49 AM
Hi
Use the Agent UI Module to control access to agent settings.
Use the rule override checkbox on a rule module to put the module in test mode.
Not sure if the third sentence is a question or not.
Tom
09-05-2008 05:38 AM
Thanks Tom
Can you please tell me what rule modules are available to block unknown viruses and worms? I'm using version 5.2. Since I'm in test mode, I want to ensure these modules can override it and run in protected mode.
09-05-2008 11:21 AM
The group "Desktops - All types" works fine for this.
We kept everything in test mode for several weeks until it was tuned properly then went to learn mode for a week and then protect mode.
I still have a few modules in test mode but everything else is protect.
Use your best judgement, it's all you can do.
Tom
09-09-2008 07:17 AM
Dan
I tried with the rules you sent; it's not working.
Can I have your email ID? I shall send what I configured. I will also submit it here.
Thanks
09-09-2008 07:25 AM
This is what the rule explains:
Network access control
Irrespective of any other rules,
Attempts to connect to any server and accept connections from any client whose address is contained in address sets All_But_Private_Local using local addresses contained in address ranges 0.0.0.0-255.255.255.255 for network services TCP [V5.0 r229], UDP Ephemeral server ports [V5.0 r229], UDP [V5.0 r229], TCP Ephemeral server ports [V5.0 r229], Email [V5.0 r229], Ephemeral Port Ranges [V5.0 r229] by processes in application class
1023 [test]
In the absence of any applicable 'priority terminate process' rules,
Attempts to connect to any server whose address is contained in address sets All_But_Private_Local using local addresses contained in address ranges 0.0.0.0-255.255.255.255 for network services FTP Client Data Channel [V5.0 r229], FTP Control Channel [V5.0 r229], Instant Messenger Protocols [V5.0 r229], HTTP [V5.0 r229], UDP Ephemeral server ports [V5.0 r229], Email [V5.0 r229], TCP Ephemeral server ports [V5.0 r229], ALT-HTTP [V5.0 r229], DNS [V5.0 r229] by processes in application class
1024 [test]
In the absence of any applicable 'priority deny' or 'priority terminate process' rules,
Attempts to connect to any server whose address is contained in address sets Only Private Local and VPN peer ip using local addresses contained in address ranges 0.0.0.0-255.255.255.255 for network services HTTP [V5.0 r229], DNS [V5.0 r229], ALT-HTTP [V5.0 r229] by processes in application class Web Browser Timed will be allowed. An event will be logged when the rule is triggered.
1025 [test]
In the absence of any applicable 'priority deny', 'priority terminate process' or 'allow' rules,
Attempts to connect to any server and accept connections from any client whose address is contained in address sets All address but not localhost using local addresses contained in address ranges 0.0.0.0-255.255.255.255 for network services TCP [V5.0 r229], TCP Ephemeral server ports [V5.0 r229], UDP [V5.0 r229], UDP Ephemeral server ports [V5.0 r229] by processes in application class
1026 [test]
Now when I disconnect the VPN I won't be able to reach the MC, but I can still browse.
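Dan's four-rule sketch above and the MC-generated description of it in this post both rely on CSA's precedence order (priority terminate, then priority deny, then allow, then query). As an added example that is not part of the thread or of CSA itself, the Python model below evaluates a connection attempt against that rule set in precedence order. The port numbers behind the $-prefixed service variables, the treatment of ports 1024 and above as ephemeral server ports, the 127.0.0.0/8 range standing in for @(local), the VPN peer address 198.51.100.1, and the fall-through decision when no rule matches are all assumptions made for the example.

```python
"""Model of the CSA-style network access control rule set sketched in the thread.

Constructed example: service-to-port mappings, address sets and the
no-match fallback are assumptions, not CSA's own definitions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple

# Assumed ports for the $-prefixed CSA service variables used in the sketch.
SERVICES = {
    "HTTP": {("tcp", 80)},
    "ALT-HTTP": {("tcp", 8080)},
    "DNS": {("udp", 53), ("tcp", 53)},
    "FTP Control Channel": {("tcp", 21)},
    "Email": {("tcp", 25), ("tcp", 110), ("tcp", 143)},
}

# Assumed membership of $Only Private Local and VPN Peer IP Addresses:
# the RFC 1918 ranges from rule (3), 127.0.0.0/8 standing in for @(local),
# and a placeholder VPN peer address.
PRIVATE_LOCAL = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
VPN_PEER = ipaddress.ip_address("198.51.100.1")  # placeholder, assumed
LOCALHOST = ipaddress.ip_address("127.0.0.1")


def is_private_local(ip) -> bool:
    return any(ip in net for net in PRIVATE_LOCAL)


# Address-set predicates matching the names used in the rules.
def all_but_private_local(ip) -> bool:
    return not is_private_local(ip)


def private_local_or_vpn_peer(ip) -> bool:
    return is_private_local(ip) or ip == VPN_PEER


def all_but_localhost(ip) -> bool:
    return ip != LOCALHOST


def any_tcp_udp(proto: str, port: int) -> bool:
    """$TCP / $UDP plus their ephemeral ranges: every TCP or UDP port."""
    return proto in ("tcp", "udp")


def service_in(*names: str, ephemeral: bool = False) -> Callable[[str, int], bool]:
    """Predicate for the named services; ephemeral=True adds ports >= 1024 (assumed)."""
    ports = set().union(*(SERVICES[n] for n in names))

    def check(proto: str, port: int) -> bool:
        return (proto, port) in ports or (ephemeral and proto in ("tcp", "udp") and port >= 1024)
    return check


@dataclass(frozen=True)
class Attempt:
    classes: FrozenSet[str]   # application classes the process currently belongs to
    proto: str
    port: int
    remote_ip: str


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # TERMINATE, DENY, ALLOW or QUERY
    when: FrozenSet[str]      # empty set = any application class
    but_not: FrozenSet[str]
    service: Callable[[str, int], bool]
    remote: Callable[[ipaddress.IPv4Address], bool]

    def matches(self, a: Attempt) -> bool:
        if self.when and not (a.classes & self.when):
            return False
        if a.classes & self.but_not:
            return False
        return self.service(a.proto, a.port) and self.remote(ipaddress.ip_address(a.remote_ip))


# CSA precedence as stated in the MC description: terminate > deny > allow > query.
PRECEDENCE = {"TERMINATE": 0, "DENY": 1, "ALLOW": 2, "QUERY": 3}

RULES: List[Rule] = [
    Rule("(1) Terminate All", "TERMINATE",
         frozenset({"ftp_client", "http_client", "tcp_client", "udp_client",
                    "tcp_server", "udp_server", "im"}),
         frozenset({"vpn_client", "web_browser"}), any_tcp_udp, all_but_private_local),
    Rule("(2) Priority Deny", "DENY",
         frozenset({"tcp_client", "udp_client"}), frozenset({"vpn_client"}),
         service_in("FTP Control Channel", "HTTP", "Email", "DNS", "ALT-HTTP", ephemeral=True),
         all_but_private_local),
    Rule("(3) Allow Web Browser to Private Range", "ALLOW",
         frozenset({"web_browser"}), frozenset(),
         service_in("DNS", "HTTP", "ALT-HTTP"), private_local_or_vpn_peer),
    Rule("(4) Query User", "QUERY",
         frozenset(), frozenset({"vpn_client", "winlogon"}), any_tcp_udp, all_but_localhost),
]


def evaluate(rules: List[Rule], attempt: Attempt) -> Tuple[str, str]:
    """Return (action, rule name) of the highest-precedence matching rule.
    No match falls through to ALLOW (assumed default for the model)."""
    for rule in sorted(rules, key=lambda r: PRECEDENCE[r.action]):
        if rule.matches(attempt):
            return rule.action, rule.name
    return "ALLOW", "no rule matched (assumed default)"


if __name__ == "__main__":
    browser = frozenset({"web_browser", "tcp_client"})
    for label, a in [
        ("browser -> private web", Attempt(browser, "tcp", 80, "10.1.1.10")),
        ("browser -> public web", Attempt(browser, "tcp", 80, "203.0.113.10")),
        ("browser -> public HTTPS", Attempt(browser, "tcp", 443, "203.0.113.10")),
        ("p2p client -> public", Attempt(frozenset({"tcp_client"}), "tcp", 6881, "203.0.113.10")),
        ("vpn client -> peer", Attempt(frozenset({"vpn_client", "udp_client"}), "udp", 500, "198.51.100.1")),
    ]:
        print(f"{label:28s} {evaluate(RULES, a)}")
```

Under these assumed service definitions, a browser connecting to a public host on port 443 matches neither the deny rule (whose services are the named ones plus ephemeral ports) nor the private-range allow, so it falls through to the Query rule, whose configured default action is Allow. Whatever the real CSA service variables contain, that walk-through is the check to make when a "deny everything" design still lets traffic out: enumerate which rule the attempt actually hits in precedence order.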
09-09-2008 07:45 AM
The rule module is configured for
met system state conditions:
when Management Center not reachable (v5.0 r229)
and none of the following:
where Management Center reachable (v5.0 r229)
I didn't find "Ethernet Active and Management Center not reachable".
Also, within rules
there's no "using these local interfaces"; instead it's "using local addresses".
Thanks in advance
09-10-2008 12:36 PM
Hi Dan
Any response will be appreciated.
Thanks