707 Views | 0 Helpful | 4 Replies

Only allowing VPN clients to be used from company provided computers

harton
Level 1

Has anyone been successful in preventing users from setting up a VPN tunnel from their non-business computers? If so, what methods are you using?

4 Replies

travis-dennis_2
Level 7

Please forgive me if I am off, but if memory serves, you can require any computer that connects to a VPN concentrator (not sure about routers) to have a certificate that is issued by the concentrator. Since the admin is in charge of issuing the certificate, you control who can log on. I think also if you install the software and configure the group password yourself, then they don't know it and cannot connect from a PC the admin did not set up. On a router I would think an access list based on MAC addresses might do the trick. I may be way off in left field though. I am up past my bedtime and my very pregnant wife is mad at me again, so it's hard for me to think straight right now.

Digital certificates alone will not solve this issue. A certificate could be exported from a company computer and imported to a non-company computer.

sconnolly
Level 1

One way to handle this would be to use the Cooperative Enforcement feature that Cisco and Zone Labs have come up with. You can specify, in the group config, that a client computer must have a Zone Labs endpoint security product installed before it can connect to the VPN concentrator.

Zone Labs has an enterprise product that is called Integrity. This is a centrally managed endpoint security solution. A client is installed on the workstation, and the security policy is pushed down to the client from a central server. You can specify in the VPN group that the user must have Integrity installed, rather than just the free version of Zonealarm.

For more info on Integrity check out this link. http://www.zonelabs.com/store/content/company/corpsales/intOverview.jsp

Also, I wouldn't recommend using the group password as a security tool. The VPN group profile can be exported from one computer and imported to another computer with ease. There might be a setting I am not aware of to stop users from importing and exporting. If so, they could just copy the profile from the hard drive. Of course the end user will still need to authenticate to your domain before they can gain access. My company requires the Zone Labs Integrity agent to be running before a user even gets to a password prompt. That seems to be the most successful deterrent for us. Another item you might want to look into is some kind of two-factor authentication device. With two-factor authentication, users need a PIN number and a token to generate a password that changes every so often (the time intervals can be set to whatever you desire), and users are not logging in with a static/reusable password. RSA SecurID has both software and hardware tokens. http://www.rsasecurity.com
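To make concrete how a time-based token produces "a password that changes every so often" with a configurable interval, here is an added example (not from the poster, and not RSA SecurID's proprietary algorithm): a standard RFC 6238 TOTP generator and verifier built on RFC 4226 HOTP. The secret, time step and verification window are assumptions chosen for the demonstration; the secret used is the RFC 4226/6238 test seed, so the outputs can be checked against the published vectors.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226 / RFC 6238 test seed, not a real key.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over a big-endian 8-byte counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from time / step.

    `step` is the configurable interval: the code is stable for `step` seconds
    and then changes, so a captured code is useless once the window has passed.
    """
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: float,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check allowing +/- `window` steps of clock drift.

    Uses a constant-time comparison so timing does not leak how many
    leading digits matched.
    """
    counter = int(at_time) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


def demo() -> None:
    now = time.time()
    print("current 30s code:", totp(DEMO_SECRET, now))
    print("current 60s code:", totp(DEMO_SECRET, now, step=60))
    # A code presented well outside its window is rejected.
    stale = totp(DEMO_SECRET, now - 300)
    print("stale code accepted?", verify_totp(DEMO_SECRET, stale, now))


if __name__ == "__main__":
    demo()
```

The `step` parameter is the "time interval" the poster refers to; shortening it narrows the replay window for a captured code, while `window` on the server side trades a little of that back for tolerance of client clock drift.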