CSA @ Simultaneous data flux through multiple interfaces : BLOCK

Aug 12th, 2009


Guys, I need some help with CSA. My client has the following scenario on its remote assets:

- Every remote asset has 4 IP interfaces through which the employee is able to connect to networks: Wired, Wi-Fi (a/b/g), 3G via USB and Bluetooth, the 3G and BT being through their BlackBerry smartphones.

- The user may use only 1 interface at a time, exclusively, with the wired intf having the top priority.

I've tried setting a few rules in order to get that behaviour:

1) Trigger: System State > Intf Wired active (custom set set to monitor the Wired intf only).

Rule: Network Access Control > Block traffic through all other intfs but the Wired.

2) Trigger: System State > Intf Wi-Fi active (custom set set to monitor the Wi-Fi intf only).

Rule: Network Access Control > Block traffic through all other intfs but the Wi-Fi.

And the 3rd and 4th rules are the same but regard the 3G and BT intfs.

The thing is that it won't work as fast and as precise as I need it. It takes way too long before the blocking actually starts happening and the end-user doesn't see that he's actually using just one intf. For instance, if he's connected via the Wired intf, if he turns the Wi-Fi Radio on, he will get the available networks listed and even get an IP address through DHCP by that intf.

Is there any way I can make this blocking more stable and precise? I wish I could make a rule that actually disables the adapter itself, as it would be seen in the OS. For instance, in Windows, the red x would be marked upon the Wi-Fi adapter if the Wired adapter is already in use.

Any thoughts?

Thanks in advance!

Att, Dan

jan.nielsen Fri, 08/14/2009 - 14:44

Sorry, CSA does not control interface up/down, only filters. Why not just use the require VPN module that is already in the CSAMC? It will block incoming/most outgoing traffic on all interfaces until either it can reach the CSAMC or the DNS suffix matches the company DNS.

