[c-nsp] Restricting VPN connections to company hardware?

James Michael Keller jmkeller at houseofzen.org
Thu Nov 5 20:56:59 EST 2009


My understanding is the Cisco VPN (IPSEC) client doesn't have the host 
integration features that are available in the AnyConnect client 
(yet).   One of the reasons we are doing SSL VPN on ASA is to be able to 
do the host profiling and do the IT Approved / Other dynamic access 
policies.

You can do a combination of checks that match up to your 'approved' 
devices.  

In our case, non-IT standard systems have to run Secure Desktop sessions 
and only get WebVPN.   IT standard systems get AnyConnect with full IP 
tunneling.

Again as folks have said - you are trusting the end client software to 
do the right thing.  So don't expect this to keep out 'the smart 
kids'.   You can cycle through checks and do MD5s, but if someone is 
motivated and wants to reverse the checks they can spoof it.    At that 
point you just need to back up policy with HR walking someone from the 
building, and have some way to audit to catch the smart kids who really 
should know better but think the Corp IT folks are fools.

:)

-James

Scott Granados wrote:
> Hi,
>    I've been googling but not finding much although I think I'm 
> probably formulating my search incorrectly so I'm hoping for some 
> pointers here.
>    I use ASA 5520 hardware to provide VPN services to end users with 
> Cisco VPN clients and some L2L sessions.  We've been finding that 
> folks are configuring iPhones and other non-approved devices to attach 
> to the network. What's the best method to certify that end users are 
> connecting with approved devices only?  Is there a good way say for me 
> to allow company provided laptops but not allow clients from home 
> machines where users duplicate their profile or non-certified end 
> devices like pocket PC devices? I understand how to filter based on 
> client type but this doesn't prevent someone from copying their 
> profile file from one machine to another.   Any pointers would be 
> appreciated.
>
> Thanks
> Scott
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
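A toy policy evaluator in the spirit of the "IT Approved / Other" dynamic access policies James describes: several posture checks are combined, the first policy whose checks all pass decides the access level, and every decision is written to an audit trail so that mismatches can be reviewed later. This is an added example, not code from the thread, from Cisco's DAP engine, or from any product; the posture attributes, policy names, the reference agent hash and the sample endpoints are all constructed, and SHA-256 is used for the file check in place of the MD5 the post mentions.

```python
"""Added example: a toy dynamic-access-policy evaluator with an audit trail."""
import hashlib
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Posture:
    """What the endpoint reports about itself (constructed attribute set)."""
    hostname: str
    domain_member: bool
    agent_blob: bytes   # contents of the managed-client file as reported by the client
    av_running: bool


@dataclass
class Policy:
    name: str
    access: str                                     # access level granted on match
    checks: List[Tuple[str, Callable[[Posture], bool]]]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed reference value for the "approved" managed-client file.
KNOWN_AGENT_HASH = sha256_hex(b"corp-agent-v1")

# Hypothetical policy names and access levels; ordered from most to least privileged.
IT_APPROVED = Policy("IT-Approved", "anyconnect-full-tunnel", [
    ("domain member", lambda p: p.domain_member),
    ("agent hash matches", lambda p: sha256_hex(p.agent_blob) == KNOWN_AGENT_HASH),
    ("AV running", lambda p: p.av_running),
])
OTHER = Policy("Other", "webvpn-clientless", [])   # catch-all: no checks, limited access


def evaluate(posture: Posture, policies=(IT_APPROVED, OTHER)):
    """Return (access, audit). audit lists each policy tried and the checks it failed."""
    audit = []
    for policy in policies:
        failed = [desc for desc, check in policy.checks if not check(posture)]
        audit.append((policy.name, failed))
        if not failed:
            return policy.access, audit
    return "deny", audit


def format_audit(posture: Posture, access: str, audit) -> str:
    """One log line per decision, suitable for later review of who got what and why."""
    tried = "; ".join(
        f"{name}:{'ok' if not failed else 'failed=' + ','.join(failed)}"
        for name, failed in audit
    )
    return f"host={posture.hostname} access={access} policies[{tried}]"


if __name__ == "__main__":
    # Constructed endpoints: a managed laptop, and a home machine with a copied profile.
    corp = Posture("corp-lt-01", True, b"corp-agent-v1", True)
    home = Posture("home-pc", False, b"some-other-binary", True)
    for p in (corp, home):
        access, audit = evaluate(p)
        print(format_audit(p, access, audit))
```

Every check here runs on values the client chose to report, which is the point James makes: the evaluator cannot distinguish a genuine attribute from a replayed one, so the audit line is what lets you notice, after the fact, that a host claiming to be "corp-lt-01" kept appearing from places it should not.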
