On 1/4/06, John A. Sullivan III <jsullivan@xxxxxxxxxxxxxxxxxxx> wrote:
> On Wed, 2006-01-04 at 17:38 +1300, Jason Haar wrote:
> > Jon Bendtsen wrote:
> > >
> > > No, I don't think you can do that, but using the management interface you
> > > can disconnect a client. And since you already do a firewall, I would
> > > simply just install a firewall that only enables you to scan the client.
> > > Then decide if the client is safe or not, and either disconnect the client
> > > or lift the firewall such that the client from the inside of the tunnel
> > > has whatever access you want it to.
> >
> > Should work fine. This sort of action is the basis of Network Admission
> > Control.
> >
> > 1. Accept connection from client - but block their access to everything
> > but the Access Server (OpenVPN in this case)
> > 2. Scan new client to check its "health". You might require all remote
> > clients allow you administrative control (or root). Your network - your
> > rules. You could connect and dump current routing tables (Windows or Unix)
> > to check for gatewaying/etc.
> > 3. If "healthy", allow client access to whatever internal network
> > components you wish. If not, drop connection or redirect to "quarantine
> > network" where remediation can occur (or it could be to simply place a
> > transparent proxy rule to redirect all their Web traffic to a server you
> > control telling them why they have been blocked).
> > 4. Profit!!! ;-)
>
> May I ask, what kind of tools are being used to scan these systems? I
> can certainly think of NMAP, maybe Nessus although I'm a little hesitant
> there. What else? Are there any good how-to documents on the subject?
> Thanks - John

Nmap would be good for checking for open ports, assuming that nothing is
blocking the probes... or even dropping your endpoint as a potential
threat...

Which brings me to a warning of not getting caught up in Security Theatre
(http://en.wikipedia.org/wiki/Security_theatre).
Rootkits are designed to evade detection; iptables and even honeypot
technology can provide deceiving information. In other words, querying a
computer for information is equivalent to asking a person if they are a
criminal. The answer you receive may or may not be accurate.

-- 
Leonard Isham, CISSP
Ostendo non ostento.

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
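The admission-control flow Jason sketches above (quarantine on connect, scan the client, then release it or disconnect it through the management interface), written out as an added example. This is not code from the thread or from the OpenVPN project; it assumes a client-connect hook has already applied the quarantine rules for the client's tunnel address and launched this script in the background, that `server.conf` contains `management 127.0.0.1 7505`, that 10.8.0.1 is the access server's tunnel address doubling as the "why you are blocked" web server, and that TCP/22 is the only service policy lets a client expose. The nmap output is constructed for the example rather than captured, and Leonard's caveat is built in as a verdict: a scan where every probe was silently dropped is reported as inconclusive, not as healthy.

```python
#!/usr/bin/env python3
"""Post-connect admission check for one OpenVPN client (added example).
Assumed usage from a backgrounded client-connect hook:
    check.py "$common_name" "$ifconfig_pool_remote_ip" &
(both variables are set by OpenVPN in the hook's environment)."""
import socket
import subprocess
import sys
import xml.etree.ElementTree as ET

MGMT_ADDR = ("127.0.0.1", 7505)  # assumed: 'management 127.0.0.1 7505' in server.conf
QUARANTINE_WEB = "10.8.0.1"      # assumed: web server that tells the user why they are blocked
ALLOWED_TCP = {22}               # assumed policy: any other open TCP port is a finding


def quarantine_rules(client_ip):
    """Rules the connect hook applies. Forwarded traffic from the client is
    dropped, except that HTTP is DNATed to the quarantine web server. Traffic
    to the access server itself goes through INPUT, not FORWARD, so the scan
    and any remediation channel keep working."""
    return [
        ["iptables", "-t", "nat", "-I", "PREROUTING", "-s", client_ip, "-p", "tcp",
         "--dport", "80", "-j", "DNAT", "--to-destination", f"{QUARANTINE_WEB}:80"],
        ["iptables", "-I", "FORWARD", "-s", client_ip, "-j", "DROP"],
    ]


def release_rules(client_ip):
    """Exact inverse of quarantine_rules: same rules, deleted instead of inserted."""
    return [["-D" if arg == "-I" else arg for arg in rule]
            for rule in quarantine_rules(client_ip)]


def parse_nmap_xml(xml_text):
    """Reduce 'nmap -oX -' output to what the policy needs: whether the host
    answered, the open (proto, port) pairs, and how many probes were silently
    dropped ('filtered'). All-filtered is the signature of a host firewall
    eating the scan, which says nothing about the host's health."""
    host = ET.fromstring(xml_text).find("host")
    if host is None or host.find("status").get("state") != "up":
        return {"up": False, "open": set(), "filtered": 0}
    open_ports, filtered = set(), 0
    ports = host.find("ports")
    if ports is not None:
        for p in ports.findall("port"):
            state = p.find("state").get("state")
            if state == "open":
                open_ports.add((p.get("protocol"), int(p.get("portid"))))
            elif state == "filtered":
                filtered += 1
        for extra in ports.findall("extraports"):  # nmap collapses uniform ranges here
            if extra.get("state") == "filtered":
                filtered += int(extra.get("count"))
    return {"up": True, "open": open_ports, "filtered": filtered}


def assess(scan, allowed_tcp=ALLOWED_TCP):
    """Verdict plus the offending ports. Fails closed: a host that cannot be
    assessed is not treated as clean."""
    if not scan["up"]:
        return "unreachable", set()
    bad = {port for proto, port in scan["open"] if proto == "tcp" and port not in allowed_tcp}
    if bad:
        return "unhealthy", bad
    if not scan["open"] and scan["filtered"] > 0:
        return "inconclusive", set()   # every probe dropped: the client firewall answered, not the client
    return "healthy", set()            # nothing open, or only what policy allows (all-closed is fine)


def management_kill(common_name):
    """Command accepted by the OpenVPN management interface to drop a session."""
    return f"kill {common_name}\n"


def decide(verdict, common_name, client_ip):
    """Map a verdict to actions: (iptables commands to run, management command or None).
    Healthy clients are released; unhealthy ones stay quarantined so the DNAT
    rule can explain the block; anything we could not assess is disconnected."""
    if verdict == "healthy":
        return release_rules(client_ip), None
    if verdict == "unhealthy":
        return [], None
    return [], management_kill(common_name)


def main(common_name, client_ip):
    """Run the real scan (nmap -sS needs root) and act on the verdict."""
    xml_out = subprocess.run(["nmap", "-sS", "-Pn", "-oX", "-", client_ip],
                             capture_output=True, text=True, check=True).stdout
    verdict, findings = assess(parse_nmap_xml(xml_out))
    commands, mgmt = decide(verdict, common_name, client_ip)
    for cmd in commands:
        subprocess.run(cmd, check=True)
    if mgmt:
        with socket.create_connection(MGMT_ADDR) as s:
            s.sendall(mgmt.encode())
    return verdict, findings


# Constructed sample output, shaped like nmap -oX, for offline use of the functions above.
SAMPLE_SCAN = """<nmaprun><host><status state="up"/><address addr="10.8.0.6" addrtype="ipv4"/>
<ports><extraports state="closed" count="997"/>
<port protocol="tcp" portid="22"><state state="open"/></port>
<port protocol="tcp" portid="445"><state state="open"/></port>
<port protocol="tcp" portid="3389"><state state="open"/></port>
</ports></host></nmaprun>"""   # a client exposing SMB and RDP into the VPN
FILTERED_SCAN = """<nmaprun><host><status state="up"/>
<ports><extraports state="filtered" count="1000"/></ports></host></nmaprun>"""  # host firewall dropped everything

if __name__ == "__main__":
    print(main(sys.argv[1], sys.argv[2]))
```

The point of splitting the decision from the side effects is that the policy can be exercised on saved scan output without touching iptables or the management socket. The `inconclusive` branch is where the scan-as-health-check idea runs out of road: a client whose firewall drops every probe looks identical to one with nothing listening until you look at whether nmap saw RSTs (closed) or silence (filtered), and even then the scan only reports what the client chooses to reveal.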