How to deny Lan resource access to non authorized computer

0 Votes
Locked

fabianodepaula
We are a small company using Cisco VPN for remote users. One user copied the Cisco profile from his PC and was able to connect to our network with his personal Mac laptop; we are using domain authentication. Is it possible to block unauthorized computers from connecting to the VPN? I see this as a problem since any user that has an AD account could simply install the Cisco VPN software on their home PCs and connect to our resources with any computer.
    0 Votes
    warpedlogic

    You could implement an access list on the VPN router in your network that limits what IP addresses are allowed to access the VPN tunnel. The downside to this is you need to get all the employees' home IP addresses and would have to add them as their modem DHCP leases expire. The good news is usually modems are only given a block of 2 to 3 IP addresses, but that can still become a very ugly ACL very quickly depending on how many people are accessing it.

    0 Votes
    robo_dev

    Don't forget that the external IP of all your home PCs is the same, from an ACL standpoint, since it's the router/firewall that the VPN would see from the outside.

    The only possible way I can think of to lock this down is to force the usage of certificates for authentication. But even then, this would simply make it more difficult and complex to set up another computer....

    In general, if the VPN is configured not to allow split tunneling, and the authentication is set up properly, then there is really not a big risk in terms of allowing any PC to make the connection.

    0 Votes
    IcebergTitanic

    The certificate route is one way to go for certain. It is much more complex to set up, but does allow you to assign rights to a specific computer. Once you have the infrastructure in place it's not horribly hard to add a new computer, but it is definitely another layer of complexity added to your mix.

    Another option is to limit logon times for users. If you use RADIUS authentication you should be able to specify what time of the day and what days of the week your users can log on. Since they're most likely to use their home computers in off-hours, this can help alleviate the problem.

    Another way to go would be a bit more complex as well, but you could configure the end-user computers as domain machines, and set up the VPN client for "Start Before Logon" which would then let the computer log in directly to the domain. If you required that and removed your Remote Desktop access, you could limit it to domain machines.

    If your users are operating only from specific locations (like a satellite office or home office) then you could go the more expensive route and give them their own ASA to use there, with port security on the unit to keep other devices from connecting to it, then a site-to-site VPN on the unit itself.
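The three controls the replies above propose (warpedlogic's source-IP access list, IcebergTitanic's RADIUS-style logon hours, and the machine-certificate route) can be modelled as independent gates on a connection attempt. The block below is an added example written for this page; it is not code from the thread, from Cisco, or from any RADIUS product. All policy data and connection attempts in it are constructed. The `device_cn` argument assumes the VPN gateway has already validated the client's certificate chain against the company CA and hands the policy only the subject CN; the example does no X.509 parsing itself. It also reproduces robo_dev's caveat: a personal laptop behind the same home router shares the employee's external IP, so the IP ACL alone cannot tell it apart from the company PC.

```python
"""VPN admission policy: source-IP ACL, logon hours, and machine identity.

Added example (not from the original thread). Every control must pass for
a connection to be admitted; the failing controls are returned as reasons.
"""
import ipaddress
from datetime import datetime

# --- Constructed policy data (illustrative only) ---------------------------

# Source-IP ACL: the external address block each employee connects from.
# Documentation ranges (RFC 5737) stand in for real ISP assignments.
HOME_IP_ACL = {
    "alice": ["203.0.113.0/29"],
    "bob":   ["198.51.100.17/32"],
}

# RADIUS-style logon hours: allowed weekdays (0 = Monday) and a half-open
# hour range [start, end) in the gateway's local time.
LOGON_HOURS = {
    "alice": ({0, 1, 2, 3, 4}, (7, 19)),
    "bob":   ({0, 1, 2, 3, 4, 5}, (6, 22)),
}

# Machine-certificate gate: subject CNs of the company-managed machines each
# user may connect from. The gateway is assumed to have verified the cert.
DEVICE_ACL = {
    "alice": {"ALICE-LAPTOP"},
    "bob":   {"BOB-LAPTOP"},
}


def ip_allowed(user, src_ip):
    """True if src_ip falls inside any network listed for the user.

    Caveat: every device behind the user's home router presents this same
    external address, so this check cannot distinguish machines.
    """
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(net) for net in HOME_IP_ACL.get(user, []))


def time_allowed(user, when):
    """True if the attempt falls on an allowed weekday inside the hour range."""
    days, (start, end) = LOGON_HOURS.get(user, (set(), (0, 0)))
    return when.weekday() in days and start <= when.hour < end


def device_allowed(user, device_cn):
    """True if the presented machine certificate CN is approved for the user."""
    return device_cn is not None and device_cn in DEVICE_ACL.get(user, set())


def evaluate(user, src_ip, when, device_cn=None):
    """Return (admitted, reasons); reasons names each control that refused."""
    reasons = []
    if not ip_allowed(user, src_ip):
        reasons.append("source IP not in ACL")
    if not time_allowed(user, when):
        reasons.append("outside logon hours")
    if not device_allowed(user, device_cn):
        reasons.append("no approved machine certificate")
    return (not reasons, reasons)


def scenarios():
    """Constructed connection attempts mirroring the situation in the thread."""
    monday_noon = datetime(2024, 1, 8, 12, 0)    # a Monday
    saturday_night = datetime(2024, 1, 13, 23, 0)  # a Saturday
    return {
        # Company laptop, home IP, working hours: admitted.
        "bob_laptop": evaluate("bob", "198.51.100.17", monday_noon, "BOB-LAPTOP"),
        # Personal Mac with the copied profile, same home router: the IP ACL
        # passes; only the machine-certificate gate refuses it.
        "bob_personal_mac": evaluate("bob", "198.51.100.17", monday_noon, None),
        # Same personal Mac, late Saturday: logon hours refuse it as well.
        "bob_personal_mac_weekend": evaluate("bob", "198.51.100.17", saturday_night, None),
        # Approved laptop from an unknown network: the IP ACL alone blocks a
        # legitimate user, the maintenance burden warpedlogic describes.
        "alice_cafe": evaluate("alice", "192.0.2.44", monday_noon, "ALICE-LAPTOP"),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name:26s} {'ADMIT' if ok else 'DENY':5s} {', '.join(why)}")
```

Running the block prints one decision per scenario. The copied-profile case is the instructive one: it is denied only because of the machine-certificate gate, which is why the replies treat certificates as the control that actually binds access to a computer rather than to a credential.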

    0 Votes
    igtddave

    I set up a VPN for a client's doctor's office. I used the VPN router to restrict the access to not only the internal network but the external network by the MAC address for each individual computer and device (including networked printers) that were connected. MAC address not entered, no access.
