CSA @ Simultaneous data flux through multiple interfaces : BLOCK

Aug 12th, 2009

Greetings,


Guys, I need some help with CSA. My client has the following scenario on its remote assets:


- Every remote asset has 4 IP interfaces through which the employee is able to connect to networks: Wired, Wi-Fi (a/b/g), 3G via USB and Bluetooth. The 3G and BT are through their BlackBerry smartphones.

- The user may use only 1 interface at a time, exclusively, with the wired intf having the top priority.


I've tried setting a few rules in order to get that behaviour:


1) Trigger: System State > Intf Wired active (custom set, set to monitor the Wired intf only).


Rule: Network Access Control > Block traffic through all other intfs but the Wired.


2) Trigger: System State > Intf Wi-Fi active (custom set, set to monitor the Wi-Fi intf only).


Rule: Network Access Control > Block traffic through all other intfs but the Wi-Fi.


And the 3rd and 4th rules are the same but regarding the 3G and BT intfs.


The thing is that it won't work as fast and as precisely as I need it to. It takes way too long before the blocking actually starts happening, and the end-user doesn't see that he's actually using just one intf. For instance, if he's connected via the Wired intf and he turns the Wi-Fi radio on, he will get the available networks listed and even get an IP address through DHCP on that intf.


Is there any way I can make this blocking more stable and precise? I wish I could make a rule that actually disables the adapter itself, as it would be seen in the OS. For instance, in Windows, the red x would be marked upon the Wi-Fi adapter if the Wired adapter is already in use.


Any thoughts?


Thanks in advance!


Att, Dan



jan.nielsen Fri, 08/14/2009 - 14:44

Sorry, CSA does not control interface up/down, only filters. Why not just use the require VPN module that is already in the CSAMC? It will block incoming/most outgoing traffic on all interfaces until either it can reach the CSAMC or the DNS suffix matches the company DNS.
