DC
asked on
Is it possible to limit Cisco Anyconnect connections to individual computers
If a user has a VPN connection on my ASA device, then potentially he can use those credentials to connect on any computer. Whilst I can restrict the connection to certain IP addresses and ranges, can I restrict the connection to an individual computer NAT'd behind that public IP address or range?
The risk comes in that i may not know the patch or AV state of a computer that connects to my internal network.
ASKER
Scenario:
A user is authorized to have a VPN connection and is issued a laptop with Anyconnect installed. They go home for the weekend but don't take the laptop. They need to connect into work, so they download Anyconnect to their home computer and log into the network. Their home computer is infected with malware, which then transits to my internal network. How do I restrict this situation, where a vulnerable computer can connect through a legitimate VPN designed for use with the laptop only?
ASKER CERTIFIED SOLUTION
ASKER
Nice, sounds like the answer. Thank you.
NAT allows many devices to use a single IP address, so there are several ways you can attempt this.
And none of these methods are likely implemented by Cisco Anyconnect (VPN) software.
1) You can use simple session cookies.
https://httpd.apache.org/d
2) You can use Zombie Cookies, which are one step past normal session cookies.
https://en.wikipedia.org/w
3) Best + most complex to implement approach is using Browser Fingerprinting, which separates connections over a single IP, based on hardware making each connection.
https://github.com/Valve/f
And this option is complex to implement.
All this said, the real question is why you're trying to block certain devices NAT'ted through some other IP.
Describe exactly what type of behavior you're trying to block + someone may provide a creative solution.
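The question's scenario (an issued laptop and an unmanaged home computer sharing one NAT'd public IP) and the answer's first option (a persistent per-device token) can be modelled in a few lines. The following is an added example written for this thread, not code from Cisco, AnyConnect or the answerer: it is a hypothetical gateway-side check that combines the source-range restriction the asker already has with a server-issued, HMAC-bound device token, so that two machines behind the same public address are told apart and an un-enrolled one is refused. All names, the policy class, the user "dc" and the sample connections are constructed for illustration.

```python
"""Toy model of binding a VPN login to an enrolled device, not only to a source IP.

Added example, not from the original thread. Nothing here talks to an ASA or to
AnyConnect; the names (AccessPolicy, issue_device_token, ...) are hypothetical.
"""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed per-process secret; a real gateway would keep this in a vault or HSM.
SERVER_KEY = secrets.token_bytes(32)


def _mac(user: str, device_id: str) -> str:
    return hmac.new(SERVER_KEY, f"{user}:{device_id}".encode(), hashlib.sha256).hexdigest()


def issue_device_token(user: str, device_id: str) -> str:
    """Mint a token for one (user, device) pair at enrollment time.

    Because the token carries a server HMAC, a client cannot mint one for a
    device the gateway never issued it to. Device ids must not contain ':'.
    """
    return f"{user}:{device_id}:{_mac(user, device_id)}"


def parse_device_token(token: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, device_id) if the token is well-formed and its MAC is valid, else None."""
    if not token:
        return None
    parts = token.split(":")
    if len(parts) != 3:
        return None
    user, device_id, mac = parts
    if not hmac.compare_digest(mac, _mac(user, device_id)):
        return None
    return user, device_id


@dataclass
class AccessPolicy:
    """Source-range allow list plus the set of devices enrolled per user."""
    allowed_networks: List[ipaddress.IPv4Network]
    enrolled: Dict[str, Set[str]] = field(default_factory=dict)

    def enroll(self, user: str, device_id: str) -> str:
        """Register a managed device (the issued laptop) and hand back its token."""
        self.enrolled.setdefault(user, set()).add(device_id)
        return issue_device_token(user, device_id)

    def decide(self, user: str, src_ip: str, token: Optional[str]) -> str:
        """Evaluate one connection attempt; returns 'allow' or a 'deny:<reason>' string."""
        ip = ipaddress.ip_address(src_ip)
        if not any(ip in net for net in self.allowed_networks):
            return "deny:ip"          # the restriction the asker already has
        parsed = parse_device_token(token)
        if parsed is None or parsed[0] != user:
            return "deny:token"       # missing, forged or someone else's token
        if parsed[1] not in self.enrolled.get(user, set()):
            return "deny:device"      # same public IP, but not the issued machine
        return "allow"


def run_scenario() -> Dict[str, str]:
    """Constructed walk-through of the weekend-at-home scenario from the question."""
    policy = AccessPolicy(allowed_networks=[ipaddress.ip_network("203.0.113.0/24")])
    laptop_token = policy.enroll("dc", "laptop-0001")
    # The home PC was never enrolled, so even a token for it is refused.
    home_pc_token = issue_device_token("dc", "home-pc")
    forged_token = "dc:laptop-0001:" + "0" * 64
    home_ip = "203.0.113.7"       # documentation range standing in for the home NAT address
    return {
        "laptop from home": policy.decide("dc", home_ip, laptop_token),
        "home pc from home": policy.decide("dc", home_ip, home_pc_token),
        "forged token from home": policy.decide("dc", home_ip, forged_token),
        "no token from home": policy.decide("dc", home_ip, None),
        "laptop from elsewhere": policy.decide("dc", "198.51.100.9", laptop_token),
    }


if __name__ == "__main__":
    for case, verdict in run_scenario().items():
        print(f"{case:24s} -> {verdict}")
```

The design point is that the source address only identifies the NAT, not the machine behind it; something the gateway issued to the managed laptop has to travel with the login. In a real deployment that role is played by a client certificate or a posture check rather than this toy token, but the decision logic (range check, then device identity, then enrollment) is the same.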