We are configuring the Cisco Security Agent for a customer who will use the CSAgent to secure their clients worldwide.
One requirement is the possibility to log on to hotspots. This will normally end up in opening ports 443 and 80 to every destination resource. But this "rule" makes our customer unhappy. Thus he wants to limit the access to hotspots as far as possible.
Which solution does the CSA offer for this?
(Our customer saw the possibility to limit the access to a certain period of time. But this made him unhappy, too! Are there other possibilities?)
A dynamic app class that allows 443 and 80 for a time period (5 min) is typically the most reliable option. There are a few things you could also try:
1) Use @subnet to restrict hotspot connections to connections on the same subnet (not always reliable)
2) Use connection rate limit to limit the number of 80 and 443 connections allowed
The best way to go is to use the pre-defined policy and educate your customer that they can monitor it as well. Going from a time-limited connection to something more restrictive is not necessarily needed (and typically leads to administrative overhead).
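As an added illustration of how the three mechanisms in the reply above interact (this is not CSA policy syntax and not code from anyone in this thread), the following Python model evaluates a sequence of constructed connection attempts against a 5-minute allow window for ports 80/443, an @subnet-style same-subnet check, and a connection rate limit. The client subnet 192.168.1.0/24, the captive-portal address 192.168.1.1, the limit of three connections and the timestamps are assumptions chosen for the example.

```python
"""Model of the hotspot logon restrictions discussed in the reply.

Added example, not CSA policy syntax. It treats the three mechanisms from
the reply (time-limited allow for 80/443, @subnet-style same-subnet
restriction, connection rate limit) as ordered checks over outbound
TCP connection attempts.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class HotspotPolicy:
    window_seconds: int = 300          # 5-minute allow window, as in the reply
    max_connections: int = 20          # connection rate limit inside the window
    ports: frozenset = frozenset({80, 443})
    restrict_to_subnet: bool = True    # emulate the @subnet check
    # Assumed client subnet for the example; a real hotspot subnet varies.
    local_subnet: IPv4Network = ip_network("192.168.1.0/24")
    window_start: Optional[float] = None
    count: int = 0

    def activate(self, now: float) -> None:
        """User triggers the hotspot logon class: open the window, reset count."""
        self.window_start = now
        self.count = 0

    def evaluate(self, now: float, dst_ip: str, dst_port: int) -> Tuple[str, str]:
        """Return (verdict, reason) for one outbound TCP connection attempt.

        Checks run in order: port, time window, subnet, rate limit. Only an
        allowed connection consumes one unit of the rate limit.
        """
        if dst_port not in self.ports:
            return "deny", "port not in hotspot rule"
        if self.window_start is None or now - self.window_start > self.window_seconds:
            return "deny", "hotspot window not active or expired"
        if self.restrict_to_subnet and ip_address(dst_ip) not in self.local_subnet:
            return "deny", "destination outside local subnet (@subnet check)"
        if self.count >= self.max_connections:
            return "deny", "connection rate limit reached"
        self.count += 1
        return "allow", "within hotspot window"


def simulate() -> List[str]:
    """Run a constructed sequence of attempts; return the verdicts in order."""
    policy = HotspotPolicy(max_connections=3)
    policy.activate(now=1000.0)
    attempts = [
        (1001.0, "192.168.1.1", 443),   # captive portal on the local subnet
        (1002.0, "192.168.1.1", 80),    # portal redirect over plain HTTP
        (1003.0, "203.0.113.10", 443),  # remote site: stopped by the subnet check
        (1004.0, "192.168.1.1", 443),   # third allowed connection
        (1005.0, "192.168.1.1", 443),   # rate limit of three reached
        (1006.0, "192.168.1.1", 22),    # port not covered by the hotspot rule
        (1400.0, "192.168.1.1", 443),   # window expired (400 s > 300 s)
    ]
    return [policy.evaluate(t, ip, port)[0] for t, ip, port in attempts]


if __name__ == "__main__":
    for verdict in simulate():
        print(verdict)
```

The order of the checks matters: an expired window denies before the subnet or rate-limit checks are consulted, and a denied attempt does not consume the rate limit, so a user retrying against a blocked remote site does not lock themselves out of the portal. Dropping the @subnet check (restrict_to_subnet=False) is what the reply calls the less reliable case, where any 80/443 destination is allowed for the window.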
I have made some progress by actually doing a lockdown of the other functions of the browser for that limited period of time, like file writes to anything other than cookies/temp, no starting other apps from the browser, and very strict registry access (most registry access is not needed at all), and then have a notification popup that tells the user about the policy for this offline web browser function, so they know that it is for hotspot use and not for regular browsing, as I restrict running ActiveX components and such as well.
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...