Security Basics mailing list archives
RE: restricting mobile users internet access
From: "Scott" <whip () supportmenot com>
Date: Tue, 26 Feb 2008 22:46:51 +1100
My apologies for the late response.

You said you had your proxy set up as a transparent proxy, therefore there is no need to specify the proxy in the user's browser. Connecting should be able to go like this.

1. Connect to hotel DUC, WiFi, Ethernet, etc...
2. Open IE to view ISP access page (will work, as VPN is not up, and no proxy specified in IE).
3. Connect to VPN
4. Browse net using your transparent proxy.

The above seems a little simple for the amount of detail you have put into your emails, so what have I missed?

I used to look after a client who used iPass extensively. It is a separate application which is used to make the connection - not from within IE. Once the connection is up and running from this app, the VPN can then be brought up without using IE.

Cheers,
Scott

Need relief from IT support stress? http://supportmenot.com

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of PaulD
Sent: Friday, 18 January 2008 9:11 PM
To: security-basics () securityfocus com
Subject: Re: restricting mobile users internet access

Thanks everyone for the feedback.

The IT policy is not simply limited to enforcing restrictions at the client end. The systems don't have CD-ROMs and the connecting ports (USB, Serial, Parallel, etc) are disabled at a BIOS level, and are secured. If staff are that determined to get around all these mechanisms, then that's a different issue. The end-user client anti-virus/anti-malware/etc is all fine on the corporate notebook images.

Essentially the issue here is being able to restrict staff (using our corporate notebook image) into using our net proxies when on the road. We can restrict the browser controls to prevent staff changing the proxy settings. Transparent proxies are in place, with domain policies in place to set up .PAC files for the autoproxy config. All of this is straightforward.

But if we lock the proxy settings down this leads to a problem if, for example, you're in a hotel / WiFi zone, where you must be able to access the ISP's site to activate your internet access account. So by blocking all outbound traffic, except to your proxy, then you can't get the internet account established.

From what I can see the i-pass product will pre-authorise your internet access from the hotel, wifi point (or wherever), taking control of the service cost charge (which you get billed from ipass and not the local ISP). But this is only if they are associated with the internet provider, from what I can see, and this would solve my problem, as I could lock out the internet access only allowing ipass to talk to the 'non-proxied' internet directly, but there are many places that don't support ipass. So that puts a spanner in the works.

Now I'm sure I'm not the only person in the world that has this type of question posed to them, there must be other large organisations out there that have had a similar question posed to their IT department? I would be really interested to know what approaches have been taken.

Again many thanks for taking the time to assist with my query, it's much appreciated.

PD

On 17/01/2008, Nhon Yeung <Nhon.Yeung () cranegroup com au> wrote:
Write a script or application to see if a particular website is available, i.e. www.yourcompany.com, and look for an identifying object, e.g. company_logo.gif. If the user does not have access to the website you can assume he does not have internet access. If the site is reachable then kick off the VPN. It's not the best but if your device is locked down enough it should do for the majority of users.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Nick Vaernhoej
Sent: Friday, 18 January 2008 3:42 AM
To: security-basics () securityfocus com
Subject: RE: restricting mobile users internet access

But how are they supposed to pay for internet usage if they have to go through their proxy to get there? They have to have the internet access before they can get to the proxy.

Nick Vaernhoej
"Quidquid latine dictum sit, altum sonatur."

-----Original Message-----
From: Chris Barber
Sent: Wednesday, January 16, 2008 10:12 PM
Subject: Re: restricting mobile users internet access

If I am reading your message correctly, you are looking for a way to have corporate laptops access the internet only to get to the company VPN access points. Once the VPN connection has been made, the users can access the internet via a proxy server located on the corporate network. Correct?

Well, I am not sure what you are trying to accomplish here, but here are a few ideas. IE can be locked down so the users cannot change the settings: set the proxy and a few other settings, then lock it down. You still have other browsers to worry about, Firefox, Opera, etc. I guess you might be able to prevent those by GPOs or something.

One other option would be to use a product like Websense which has the ability to manage your mobile clients; the problem with this is the expense.

If you are only worried about accessing the Internet when connected to the VPN the simple answer is to disable split tunneling.

Hope this helps,
Chris.
On 16 Jan 2008 21:52:08 -0000, sarcasmo2005 () gmail com <sarcasmo2005 () gmail com> wrote:

I've been asked to seek out if it's possible to implement an internet policy, which restricts staff using corporate notebooks to accessing the internet only via corporate internet proxies.

The mobile users have Cisco IPsec and Sonicwall SSL VPN clients installed on the notebooks. While it's straightforward to enforce a VPN (or active directory) policy to enforce mobile users to use the corporate proxies, the problem I'm facing is when a member of staff is in an airport (or is using a hotel internet connection) they need to be able to get to the initial account setup pages (i.e. where the internet provider asks you to login or pay for time use). This makes the internet restriction policy tricky. The mobile users in question can often travel to any region in the world.

I guess you could use a product such as 'i-pass' but from what I can see with i-pass you still have to be able to hit the ISP's account setup page, or you could have a hotel that doesn't support i-pass.

If staff can disable the proxy and go straight to the internet, then it's gone against work to enforce corporate proxy use.

I would be very grateful if anyone has had this issue before and could share how they approached it. I'm sure I'm not the only person that's had this question posed to them before??

Thanks in advance,
PD
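Added example, not part of the thread or any poster's code: a sketch of the reachability check Nhon Yeung describes above (fetch a known object from the company site and start the VPN only if it is really there). It goes one step further than the post by separating "nothing answered" from "a hotel/WiFi login page answered"; the probe URL, the marker bytes and the action names are assumptions.

```python
import hashlib
import urllib.error
import urllib.request

# Assumed values for this sketch: probe URL and marker bytes are placeholders.
PROBE_URL = "http://www.yourcompany.com/company_logo.gif"
CONSTRUCTED_LOGO = b"GIF89a\x01\x00\x01\x00constructed-sample-logo"
EXPECTED_SHA256 = hashlib.sha256(CONSTRUCTED_LOGO).hexdigest()


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them to a portal page."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, timeout=5):
    """Return (status, body), or None when nothing answers at all."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read(1 << 20)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx: something did answer
        return err.code, b""
    except (urllib.error.URLError, OSError):
        return None


def classify(result, expected_sha256=EXPECTED_SHA256):
    """Map a probe result to 'offline', 'captive_portal' or 'online'."""
    if result is None:
        return "offline"
    status, body = result
    if status == 200 and hashlib.sha256(body).hexdigest() == expected_sha256:
        return "online"
    # A redirect, an error page, or a 200 with the wrong bytes means an
    # intermediary (provider login page) answered in place of the company site.
    return "captive_portal"


def next_action(state):
    """What the locked-down client should do in each state (names assumed)."""
    return {"offline": "wait_and_retry",
            "captive_portal": "show_provider_login_page",
            "online": "start_vpn"}[state]


if __name__ == "__main__":
    state = classify(http_fetch(PROBE_URL))
    print(state, "->", next_action(state))
```

The probe uses plain HTTP on purpose: a portal intercepting an HTTPS request produces a certificate error, which is indistinguishable from having no network at all.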