Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Only allowing VPN clients to be used from company provided computers

Has anyone been successful in preventing users from setting up a VPN tunnel from their non-business computers? If so, what methods are you using?

4 REPLIES

Re: Only allowing VPN clients to be used from company provided c

Please forgive if I am off but if memory serves you can require any computer that connects to a VPN concentrator (not sure about routers) to have a certificate that is issued by the concentrator. Since the admin is in charge of issuing the certificate you control who can log on. I think also if you install the software and configure the group password yourself then they don't know it and cannot connect from a PC the admin did not set up. On a router I would think an access list based on MAC addresses might do the trick. I may be way off in left field though. I am up past my bedtime and my very pregnant wife is mad at me again so it's hard for me to think straight right now.

New Member

Re: Only allowing VPN clients to be used from company provided c

Digital certificates alone will not solve this issue. A certificate could be exported from a company computer and imported to a non- company computer.

New Member

Re: Only allowing VPN clients to be used from company provided c

One way to handle this would be to use the Cooperative Enforcement feature that Cisco and Zone Labs has come up with. You can specify, in the group config, that a client computer must have a Zone Labs enpoint security product installed before they can connect to the VPN concentrator.

Zone Labs has an enterprise product that is called Integrity. This is a centrally managed endpoint security solution. A client is installed on the workstation, and the security policy is pushed down to the client from a central server. You can specify in the VPN group that the user must have Integrity installed, rather than just the free version of Zonealarm.

For more info on Integrity check out this link. http://www.zonelabs.com/store/content/company/corpsales/intOverview.jsp

New Member

Re: Only allowing VPN clients to be used from company provided c

Also I wouldn’t recommend using the group password and a security tool. The VPN group profile can be exported from one computer and imported to another computer with ease. There might be a setting to I am not aware of to stop users from importing and exporting. If so they could just copy the profile from the hard drive. Of course the end user will still need to authenticate to your domain before they can gain access. My company requires the Zone Labs Integrity agent to be running before a user even gets to a password prompt. That seems to be the most successful deterrent for us. Another item you might want to look into is some kind of two-factor authentication device. With two-factor authentication users need a pin number and a token to generate a password that changes every so often (the time intervolves can be set to what ever you desire) and users are not logging with a static/reusable password. RSA Secure ID has both software and hardware tokens. http://www.rsasecurity.com

115
Views
0
Helpful
4
Replies