Re: [Openvpn-users] OpenVPN client security checks


  • Subject: Re: [Openvpn-users] OpenVPN client security checks
  • From: Jason Haar <Jason.Haar@xxxxxxxxxxxxx>
  • Date: Wed, 04 Jan 2006 17:38:07 +1300

Jon Bendtsen wrote:
>
> No, I don't think you can do that, but using the management interface you
> can disconnect a client. And since you already do a firewall, I would
> simply just install a firewall that only enables you to scan the client.
> Then decide if the client is safe or not, and either disconnect the client
> or lift the firewall such that the client from the inside of the tunnel
> has whatever access you want it to.
Should work fine. This sort of action is the basis of Network Admission
Control.

1. Accept connection from client - but block their access to everything
   but the Access Server (OpenVPN in this case).
2. Scan new client to check its "health". You might require that all remote
   clients allow you administrative control (or root). Your network - your
   rules. You could connect and dump current routing tables (Windows or Unix)
   to check for gatewaying/etc.
3. If "healthy", allow client access to whatever internal network
   components you wish. If not, drop connection or redirect to "quarantine
   network" where remediation can occur (or it could be to simply place a
   transparent proxy rule to redirect all their Web traffic to a server you
   control telling them why they have been blocked).
4. Profit!!! ;-)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
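Steps 1 to 3 above (quarantine the new client on the firewall, scan it, then lift the block or drop the connection through the management interface), as an added worked example that is not part of the original post and not OpenVPN project code. It assumes a Linux server with iptables, a management interface enabled as `management 127.0.0.1 7505` with no password, a `client-connect` hook (which exports the client's tunnel address as `ifconfig_pool_remote_ip` and its certificate CN as `common_name`), and a caller-supplied `collect_facts(client_ip)` callable that fetches the client's routing table and forwarding state by whatever means the site uses (SSH, WMI, an agent). The health policy, the sample routing tables and every function name are this example's own:

```python
"""Quarantine-then-scan admission for a new OpenVPN client (added example).

Not code from the original post or from OpenVPN. Assumed, not given in the
post: Linux server with iptables; `management 127.0.0.1 7505` without a
password; invocation from a client-connect hook; and a caller-supplied
collect_facts(client_ip) returning {"ip_forward": ..., "ip_route": ...}.
"""
import socket
import subprocess

MGMT_ADDR = ("127.0.0.1", 7505)  # assumed: management 127.0.0.1 7505


def quarantine_rules(client_ip):
    """Step 1: iptables argv lists that stop the client's tunnel address from
    being forwarded anywhere. INPUT is untouched, so the client can still
    reach the access server (the OpenVPN box) itself."""
    return [["iptables", "-I", "FORWARD", "1", "-s", client_ip, "-j", "DROP"]]


def release_rules(client_ip):
    """Remove the quarantine rule added by quarantine_rules()."""
    return [["iptables", "-D", "FORWARD", "-s", client_ip, "-j", "DROP"]]


def parse_ip_route(text):
    """Turn Linux `ip route` output into (destination, device) pairs."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((parts[0], dev))
    return routes


def check_health(facts, tunnel_if="tun0"):
    """Step 2: return a list of findings; an empty list means healthy.

    The policy is this example's own, not the post's: the client must not
    forward IP packets, and must not have directly connected networks on more
    than one non-tunnel interface, which is what a host gatewaying between a
    LAN and the VPN looks like in its routing table.
    """
    findings = []
    if facts.get("ip_forward", "0").strip() == "1":
        findings.append("IP forwarding is enabled")
    connected = {dev for dest, dev in parse_ip_route(facts.get("ip_route", ""))
                 if dev and dev != tunnel_if and dest != "default" and "/" in dest}
    if len(connected) > 1:
        findings.append("connected networks on several interfaces: "
                        + ", ".join(sorted(connected)))
    return findings


def mgmt_kill(common_name, addr=MGMT_ADDR):
    """Disconnect a client with the management interface's `kill` command;
    OpenVPN replies with a line starting `SUCCESS:` or `ERROR:`."""
    sock = socket.create_connection(addr)
    try:
        sock.recv(4096)  # banner: >INFO:OpenVPN Management Interface Version ...
        sock.sendall(("kill %s\r\n" % common_name).encode())
        reply = sock.recv(4096).decode(errors="replace")
    finally:
        sock.close()
    return reply.startswith("SUCCESS")


def admit_client(common_name, client_ip, collect_facts,
                 run=subprocess.check_call, kill=mgmt_kill):
    """Steps 1-3: quarantine, scan, then release or disconnect. `run` and
    `kill` are injectable so the flow can be exercised without root or a
    live OpenVPN."""
    for argv in quarantine_rules(client_ip):
        run(argv)
    findings = check_health(collect_facts(client_ip))
    if findings:
        kill(common_name)          # disconnect first, so there is no window of access ...
        for argv in release_rules(client_ip):
            run(argv)              # ... then drop the rule so a reused address starts clean
        return "killed", findings
    for argv in release_rules(client_ip):
        run(argv)
    return "admitted", findings


# Constructed sample facts (not real captures): a plain laptop, and a
# dual-homed Linux box with forwarding turned on.
HEALTHY_FACTS = {
    "ip_forward": "0\n",
    "ip_route": "default via 192.168.1.1 dev eth0\n"
                "10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6\n"
                "192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20\n",
}
GATEWAY_FACTS = {
    "ip_forward": "1\n",
    "ip_route": "default via 192.168.1.1 dev eth0\n"
                "10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.10\n"
                "172.16.5.0/24 dev eth1 proto kernel scope link src 172.16.5.1\n"
                "192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1\n",
}

if __name__ == "__main__":
    # Dry run: print the commands instead of executing them. In a real
    # client-connect hook, take common_name and ifconfig_pool_remote_ip from
    # the environment and keep the default run/kill.
    for cn, ip, facts in (("laptop", "10.8.0.6", HEALTHY_FACTS),
                          ("gateway", "10.8.0.10", GATEWAY_FACTS)):
        print(cn, admit_client(cn, ip, lambda _ip, f=facts: f,
                               run=print, kill=lambda c: print("kill", c)))
```

The `kill` command also accepts `IP:port` of the client's real address instead of the common name; the CN form is used here because it is what the client-connect environment hands you directly. Note that `-D` removes the first matching rule, so if two hooks race on the same tunnel address the rule accounting can drift; a per-client chain keyed on the address avoids that if it matters.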


____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users