[c-nsp] Cisco ASA and ipads

Christopher J. Pilkington cjp at 0x1.net
Mon Jan 30 01:23:13 EST 2012


You could utilize the WebVPN Endpoint Assessment feature to identify
certain configuration features of your organization's laptops, e.g.,
require Windows XP SP3 and John Doe's Antivirus version 23.42. Then
you could create another policy that does not match these parameters
for your "non-trusted" endpoints.

I still suspect Endpoint Assessment can be gamed by a determined
adversary, as I believe it looks for the presence of registry settings
to confirm these details. Better to ensure your organization has
control of the laptops. If an attacker (be it your employee or someone
else) controls the machine, i.e., has root/Administrator, none of
these protections hold. "Non-exportable" private keys are only
non-exportable in a cosmetic sense.

You could consider smart card certificates if your laptop hardware
includes readers. (Since IIRC iPads do not yet have smart card
readers.)




On Jan 30, 2012, at 0:37, "Thomason, Simon" <Simon.Thomason at racq.com.au> wrote:

> Software client but I was thinking if the client could send information about itself (dot1x) part then this might work. Sorry if I have misunderstood dot1x but thought that the same kind of functionality could be used such as for wireless with the vpn client.
>
> Just trying to find out what can be done right now.
>
>
> -----Original Message-----
> From: Christopher J. Pilkington [mailto:cjp at 0x1.net]
> Sent: Monday, 30 January 2012 3:16 PM
> To: Thomason, Simon
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Cisco ASA and ipads
>
> On Jan 29, 2012, at 22:28, "Thomason, Simon" <Simon.Thomason at racq.com.au> wrote:
>
>> Just did a quick search to see if the ASA would support Dot1x and does not look like they do as this might have been a different option.
>
> Perhaps I'm misunderstanding your topology here... are these laptops
> entering your network with a software VPN client, or do you have a
> router at their site terminating the VPN tunnel?
>
> If the former, I don't see how 802.1x fits.
>
> -cjp
>
>
> Please Note: If you are not the intended recipient, please delete this email as its use is prohibited.  RACQ does not warrant or represent that this email is free from viruses or defects.  If you do not wish to receive any further commercial electronic messages from RACQ please e-mail unsubscribe at racq.com.au or contact RACQ on 13 19 05.
