05-13-2020 06:56 AM
Hello guys,
I have a task to detect and profile a Guest OS (like Win10 on VBox, for example) and want to ask you how you do this, especially how you detect and avoid tampering with MDM-TLV messages, since they can be easily tampered with using the hypervisor's native tools (VBoxManage, for example), because device-type and device-MAC can be easily changed.
Maybe there is some module for AnyConnect that can be used to detect that AnyConnect is running from a VM environment?
Thank you.
05-16-2020 11:04 AM - edited 05-16-2020 11:06 AM
I am not quite sure exactly what you are looking for here. Typically in a server stack you would not enable/run 802.1X, as this is typically used on host-facing ports. However, there are ways to accomplish it if you desire. As far as what I think you are asking in regard to profiling, take a peek at the ISE AD probe. This probe allows you to utilize the following attributes: AD-Host-Exists, AD-Join-Point, AD-Operating-System, AD-OS-Version, AD-Service-Pack. Note that the connecting switch will need to be properly configured as a device sensor, and the probe and profiling in ISE will need to be properly configured. This may better assist you: https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456
Maybe there is some module for AnyConnect that can be used to detect that AnyConnect is running from a VM environment?
-You may be able to target specific conditions via the ISE Posture module. This is an entirely separate solution in regard to ISE configuration, etc. My suggestion would be to find a unique registry key, piece of software, or anything that differentiates the virtual host versus the physical host. Take a peek here for more details: https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273
Not sure if this answers your questions, but hopefully this helps shed some light. Good luck!
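To make the "find a unique registry key, piece of software, or anything that differentiates the virtual host" suggestion concrete, here is an added example (written for this page, not taken from the posts above or from Cisco) that collects the usual Windows guest-VM indicators: hypervisor DMI strings, guest-tools services, guest-additions registry keys, and the CPU hypervisor-present bit. The service names and registry paths are the vendors' default install locations as I know them, not ISE attributes; verify them against your own images before building a posture registry or service condition from them. As the original question already notes, the DMI strings in particular can be rewritten from the hypervisor side, so a single indicator should not be treated as proof.

```powershell
# Added example: enumerate common Windows guest-VM indicators that could back
# an ISE posture condition. Indicator values are each hypervisor's defaults.

function Get-VmIndicators {
    [CmdletBinding()]
    param()

    $indicators = @()

    # 1. SMBIOS/DMI strings exposed through WMI. These defaults are easy to
    #    change (e.g. VBoxManage setextradata), so treat them as a weak signal.
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $dmiPattern = 'innotek|VirtualBox|VBOX|VMware|Virtual Machine|Parallels|QEMU|Bochs|KVM'
    $dmiStrings = @($cs.Manufacturer, $cs.Model, $bios.Manufacturer,
                    $bios.SerialNumber, $bios.Version, $bios.SMBIOSBIOSVersion)
    foreach ($s in $dmiStrings) {
        if ($s -and ($s -match $dmiPattern)) { $indicators += "dmi:$s" }
    }

    # 2. Guest-tools services installed by the hypervisor's guest additions
    #    (VirtualBox, VMware, Hyper-V, Parallels, QEMU guest agent).
    $guestServices = 'VBoxService', 'VMTools', 'vmicheartbeat', 'prl_tools', 'QEMU-GA'
    foreach ($svc in $guestServices) {
        if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
            $indicators += "service:$svc"
        }
    }

    # 3. Registry keys written by guest additions: the kind of key the post
    #    suggests targeting with a posture registry condition. Default paths,
    #    assumed here; confirm on your own guest images.
    $guestKeys = @(
        'HKLM:\SOFTWARE\Oracle\VirtualBox Guest Additions',
        'HKLM:\SOFTWARE\VMware, Inc.\VMware Tools',
        'HKLM:\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters',
        'HKLM:\SOFTWARE\Parallels\Parallels Tools'
    )
    foreach ($k in $guestKeys) {
        if (Test-Path -Path $k) { $indicators += "registry:$k" }
    }

    # 4. Hypervisor-present bit (Win32_ComputerSystem.HypervisorPresent, Windows 8
    #    and later). Also true on a physical Hyper-V host or with Credential Guard
    #    / WSL2 enabled, so it is a hint rather than proof of a guest.
    if ($cs.PSObject.Properties['HypervisorPresent'] -and $cs.HypervisorPresent) {
        $indicators += 'cpu:HypervisorPresent'
    }

    return $indicators
}

# Stand-alone use: non-zero exit code when any indicator is present.
$found = @(Get-VmIndicators)
if ($found.Count -gt 0) {
    Write-Output 'VM indicators found:'
    $found | ForEach-Object { Write-Output "  $_" }
    exit 1
}
Write-Output 'No VM indicators found.'
exit 0
```

Run it once on a known VirtualBox guest and once on a physical laptop to see which indicators survive in your environment; the ones that do are the candidates for a registry, service or application condition in the posture policy, and checking several of them together is harder to defeat than any one DMI string.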
05-16-2020 01:34 PM
Unclear what your desired policy is but here are your policy / technology options:
05-22-2020 01:29 AM
Hello.
Let's look at some typical cases regarding VPN access for employees at home -
We have a policy with the following rules for remote employees who use a home PC to access corporate resources (not all of them, but this one in particular can be easily circumvented):
rules:
1. Employees can't use any virtual environment (VBox, Parallels, QEMU, and so on). (Profiling won't work, since we can easily change the device-type, MAC address, etc.)
2. Employees should use VPN access only from the local PC, not from any remote connection, but employees can change the VPN profile (VPN Logon Enforcement, VPN Establishment, for example) to bypass that rule by tampering with the VPN profile file.
I agree that EEM will help, but in this case we have a lot of BYOD devices that employees use at home, and for some reason we can't make them use the EEM agent.
So the AD probe is a good solution, but we have BYOD devices, so we don't use corporate devices.
Has anyone got any experience with how we can solve this?