[c-nsp] Restricting VPN connections to company hardware?

Peter Rathlev peter at rathlev.dk
Fri Nov 6 02:45:36 EST 2009


On Fri, 2009-11-06 at 15:19 +0800, mark [at] edgewire wrote:
> There's no way of stopping a determined user that wants to bypass  
> whatever filters or red tape you have in place really but if you're  
> able to restrict most of the users, would you say no to it? There's  
> not a single solution to deploy where people can't find a way to use  
> another device, at least not that I know of. Maybe you could shed some  
> light on it instead of just pointing out that the MAC address can be  
> spoofed, and would you expect your average run-of-the-mill user to know  
> how to spoof MAC addresses?

We're talking a VPN client here. The "MAC address" that your system will
look at to determine if the client is valid is just some bytes in an IP
packet. If OpenConnect/vpnc/whatever wants to, it can spoof it. You don't
need intelligent users.

That's the "problem" with this NAC concept: The system only works if you
trust your software client. And you have no reason to trust it. IMHO
security should not be based on things like these.

OTOH I personally think that the situation is fine; NAC/whatever
prevents Jane and John Doe from accidentally causing unintended damage
through neglect. But it also allows the geeks to connect even though
they might not have the same concept of what a valid computing device
is. If my company's "policies" on computers were enforced (and some are
actually trying to do just that) I would be forced to use systems that
wouldn't let me do things the way I like. Enforced policy => I find
another place to work.

-- 
Peter
