I am piloting a client-based SSL VPN solution for my users. The process should work like this.
- User receives a laptop that is joined to the domain.
- The laptop is physically plugged into the corporate network with the wireless radio disabled. This is to prevent the laptop from being plugged into our network and wirelessly connected at the same time, which is considered bridging networks by the security wonks and is prohibited.
- User logs into the laptop to get their credentials from the domain cached onto the laptop.
- The laptop is removed from the corporate network and the wireless radio is enabled.
- User takes laptop home and uses wireless radio to get onto wireless network, then launches VPN client and connects to our corporate network. Split tunneling is disabled when connected to the VPN concentrator, so that takes care of the bridging issue.
My concern is that a user will leave the wireless network adapter enabled, and will bring the laptop back into the office and plug it in there. At that point, the user would be plugged into the network with the radio enabled, and we would have a security incident.
Any ideas on how to manage this issue?
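One technical control for the scenario described above, written here as an added example and not part of the original post: a script that turns the Wi-Fi adapter off whenever a wired adapter has link, and back on when it does not, so a laptop plugged in at the office cannot be bridged even if the user forgot to disable the radio. It assumes Windows 8.1 / Server 2012 R2 or later (the NetAdapter module) and that it runs elevated, for example from a scheduled task.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Assumes the NetAdapter module
# (Windows 8.1 / Server 2012 R2 or later) and an elevated context.
# Policy: if any wired NIC has link, every Wi-Fi NIC is disabled;
# if no wired NIC has link, Wi-Fi NICs are enabled again.
$ErrorActionPreference = 'Stop'

# IANA ifType values as exposed by Get-NetAdapter's InterfaceType property
$IfTypeEthernet = 6    # ethernetCsmacd
$IfTypeWifi     = 71   # ieee80211

$adapters = Get-NetAdapter -Physical
$wiredUp  = @($adapters | Where-Object { $_.InterfaceType -eq $IfTypeEthernet -and $_.Status -eq 'Up' })
$wifi     = @($adapters | Where-Object { $_.InterfaceType -eq $IfTypeWifi })

if ($wifi.Count -eq 0) {
    Write-Output 'No wireless adapter present; nothing to do.'
    return
}

if ($wiredUp.Count -gt 0) {
    # Wired link present: radio must be off so the host cannot bridge networks.
    foreach ($nic in ($wifi | Where-Object { $_.Status -ne 'Disabled' })) {
        Write-Output "Wired link on '$($wiredUp[0].Name)'; disabling Wi-Fi adapter '$($nic.Name)'."
        Disable-NetAdapter -Name $nic.Name -Confirm:$false
    }
} else {
    # No wired link: restore the radio so the user can reach the VPN from home.
    foreach ($nic in ($wifi | Where-Object { $_.Status -eq 'Disabled' })) {
        Write-Output "No wired link; enabling Wi-Fi adapter '$($nic.Name)'."
        Enable-NetAdapter -Name $nic.Name -Confirm:$false
    }
}
```

Trigger it from a scheduled task on a network-connect event (for example the Microsoft-Windows-NetworkProfile/Operational log) or on a short interval, and deploy it by Group Policy so the user, who should not be a local administrator, cannot simply re-enable the adapter.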