Security Basics mailing list archives

RE: restricting mobile users internet access


From: "Scott" <whip () supportmenot com>
Date: Tue, 26 Feb 2008 22:46:51 +1100

My apologies for the late response.

You said you had your proxy set up as a transparent proxy, therefore there is
no need to specify the proxy in the user's browser.

Connecting should be able to go like this.
1. Connect to hotel DUC, WiFi, Ethernet, etc...
2. Open IE to view ISP access page (will work, as VPN is not up, and no
proxy specified in IE).
3. Connect to VPN
4. Browse net using your transparent proxy.

The above seems a little simple for the amount of detail you have put into
your emails, so what have I missed?

I used to look after a client who used iPass extensively. It is a separate
application which is used to make the connection - not from within IE. Once
the connection is up and running from this app, the VPN can then be brought
up without using IE.


Cheers,
Scott

Need relief from IT support stress?
http://supportmenot.com
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of PaulD
Sent: Friday, 18 January 2008 9:11 PM
To: security-basics () securityfocus com
Subject: Re: restricting mobile users internet access

Thanks everyone for the feedback..

The IT policy is not simply limited to enforcing restrictions at the
client end. The systems don't have CD-ROM's and the connecting ports
(USB, Serial, Parallel, etc) are disabled at a BIOS level, and are
secured. If staff are that determined to get around all these
mechanisms, then that's a different issue. The end-user client
anti-virus/anti-malware/etc is all fine on the corporate notebook
images.

Essentially the issue here is being able to restrict staff (using our
corporate notebook image) into using our net proxies when on the road.
We can restrict the browser controls to prevent staff changing the
proxy settings. Transparent proxies are in place, with domain policies
in place to set up .PAC files for the autoproxy config. All of this is
straightforward..

But if we lock the proxy settings down this leads to a problem if, for
example, you're in a hotel / WiFi zone, where you must be able to
access the ISP's site to activate your internet access account. So
by blocking all outbound traffic, except to your proxy, then you can't
get the internet account established.

From what I can see the i-pass product will pre-authorise your
internet access from the hotel, wifi point (or wherever)..taking
control of the service cost charge (which you get billed from ipass
and not the local ISP). But this is only if they are associated with
the internet provider, from what I can see.. and this would solve my
problem, as I could lock out the internet access only allowing ipass to
talk to the 'non-proxied' internet directly, but there are many places
that don't support ipass. So that puts a spanner in the works.

Now I'm sure I'm not the only person in the world that has this type
of question posed to them; there must be other large organisations out
there that have had a similar question posed to their IT department. I
would be really interested to know what approaches have been taken.

Again, many thanks for taking the time to assist with my query, it's
much appreciated.

PD

On 17/01/2008, Nhon Yeung <Nhon.Yeung () cranegroup com au> wrote:
Write a script or application to see if a particular website is
available, i.e. www.yourcompany.com, and look for an identifying object, e.g.
company_logo.gif.
If the user does not have access to the website you can assume he does
not have internet access. If the site is reachable then kick off the
VPN. It's not the best, but if your device is locked down enough it
should do for the majority of users.
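The check-then-connect logic Nhon describes above (and the connect, clear the portal, bring up the VPN order Scott lays out in his reply at the top of the thread) as an added example; this is not code from any post in the thread. It probes the company site for the identifying object, but instead of treating "the site answered" as "we have internet", it pins the object's SHA-256: a hotel or airport portal commonly answers any URL with a 200 or 302 carrying its own login page, so a bare reachability test would launch the VPN too early. The host `www.yourcompany.com` and `company_logo.gif` come from the post; the sample logo bytes, the pinned hash and the `vpnclient` command line are constructed placeholders an admin would replace with the real object's hash and the real Cisco or SonicWall client invocation.

```python
import hashlib
import subprocess
import urllib.error
import urllib.request

# Probe object from the post; the host is a placeholder for the real corporate site.
PROBE_URL = "http://www.yourcompany.com/company_logo.gif"

# Constructed stand-in for the real company_logo.gif. In production the admin pins
# the SHA-256 of the real file here; the point is to match the object, not just
# "something came back".
SAMPLE_LOGO = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16 + b";"
EXPECTED_SHA256 = hashlib.sha256(SAMPLE_LOGO).hexdigest()

# Hypothetical VPN client command; the real Cisco/SonicWall invocation differs.
VPN_CONNECT_CMD = ["vpnclient", "connect", "corporate-profile"]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so a captive portal's 302 is seen for what it is."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, timeout=5):
    """Return (status, content_type, body); status is None when no HTTP reply arrived."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.getcode(), resp.headers.get("Content-Type", ""), resp.read()
    except urllib.error.HTTPError as err:       # 3xx/4xx/5xx still carry a reply
        return err.code, err.headers.get("Content-Type", ""), err.read()
    except (urllib.error.URLError, OSError):    # DNS failure, refused, timeout
        return None, "", b""


def classify(status, content_type, body, expected_sha256=EXPECTED_SHA256):
    """Decide what the probe reply means.

    'internet' - the exact pinned object came back: the path to the company site is open
    'portal'   - something answered, but not with our object: typically the venue's
                 login page returned in place of, or as a redirect from, the real URL
    'offline'  - no HTTP reply at all
    """
    if status is None:
        return "offline"
    if status == 200 and hashlib.sha256(body).hexdigest() == expected_sha256:
        return "internet"
    return "portal"


def next_step(state):
    """Map the probe result to what the logon script does next."""
    if state == "internet":
        return "connect_vpn"
    if state == "portal":
        return "open_browser_for_portal"   # let the user clear the ISP sign-up page
    return "retry_later"


def connect_vpn(cmd=VPN_CONNECT_CMD):
    """Launch the (hypothetical) VPN client; False if it is missing or fails."""
    try:
        return subprocess.run(cmd, check=False).returncode == 0
    except FileNotFoundError:
        return False


def run_probe(fetcher=fetch, launch=connect_vpn):
    """End-to-end check; fetcher and launch are injectable so it can be tested offline."""
    state = classify(*fetcher(PROBE_URL))
    action = next_step(state)
    if action == "connect_vpn":
        launch()
    return state, action


if __name__ == "__main__":
    print(run_probe())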

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Nick Vaernhoej
Sent: Friday, 18 January 2008 3:42 AM
To: security-basics () securityfocus com
Subject: RE: restricting mobile users internet access

But how are they supposed to pay for internet usage if they have to
go through their proxy to get there? They have to have the internet
access before they can get to the proxy.

Nick Vaernhoej
"Quidquid latine dictum sit, altum sonatur."

-----Original Message-----
From: Chris Barber
Sent: Wednesday, January 16, 2008 10:12 PM
Subject: Re: restricting mobile users internet access

If I am reading your message correctly, you are looking for a way to
have corporate laptops access the internet only to get to the company
vpn access points.  Once the vpn connection has been made, the users
can access the internet via a proxy server located on the corporate
network.  Correct??

Well, I am not sure what you are trying to accomplish here, but here
are a few ideas.

IE can be locked down so the users can not change the settings: set
the proxy and a few other settings, then lock it down. You still have
other browsers to worry about, Firefox, Opera, etc.; I guess you might
be able to prevent those by GPOs or something.

One other option would be to use a product like Websense which has the
ability to manage your mobile clients, the problem with this is the
expense.

If you are only worried about accessing the Internet when connected to
the VPN the simple answer is to disable split tunneling.

Hope this helps,
Chris.

On 16 Jan 2008 21:52:08 -0000, sarcasmo2005 () gmail com
<sarcasmo2005 () gmail com> wrote:
I've been asked to seek out if it's possible to implement an internet
policy, which restricts staff using corporate notebooks to accessing the
internet only via corporate internet proxies.


The mobile users have Cisco IPsec and Sonicwall SSL VPN clients
installed on the notebooks. While it's straightforward to enforce a VPN
(or Active Directory) policy to enforce mobile users to use the
corporate proxies, the problem I'm facing is when a member of staff is
in an airport (or is using a hotel internet connection) they need to be
able to get to the initial account setup pages (i.e. where the internet
provider asks you to login or pay for time use). This makes the internet
restriction policy tricky. The mobile users in question can often travel
to any region in the world.


I guess you could use a product such as 'i-pass' but from what I can
see with i-pass you still have to be able to hit the ISPs account setup
page, or you could have a hotel that doesn't support i-pass.


If staff can disable the proxy and go straight to the internet, then
it's gone against work to enforce corporate proxy use.


I would be very grateful if anyone has had this issue before and could
share how they approached it. I'm sure I'm not the only person that's
had this question posed to them before ??


thanks in advance

PD

