Security Basics mailing list archives

Re: restricting mobile users internet access


From: "afam mbanefo" <afamm () willaf com>
Date: Thu, 17 Jan 2008 15:40:31 +0000

How do you disable split tunneling on a Cisco router?

Afam
------------------

-----Original Message-----
From: "Chris Barber" <cmbarber () gmail com>

Date: Wed, 16 Jan 2008 21:12:11 
To:"sarcasmo2005 () gmail com" <sarcasmo2005 () gmail com>
Cc:security-basics () securityfocus com
Subject: Re: restricting mobile users internet access


If I am reading your message correctly, you are looking for a way to
have corporate laptops access the internet only to get to the company
vpn access points.  Once the vpn connection has been made, the users
can access the internet via a proxy server located on the corporate
network.  Correct??

Well, I am not sure what you are trying to accomplish here, but here
are a few ideas.

IE can be locked down so the users cannot change the settings: set
the proxy and a few other settings, then lock it down. You still have
other browsers to worry about (Firefox, Opera, etc.); I guess you might
be able to prevent those by GPOs or something.

One other option would be to use a product like Websense which has the
ability to manage your mobile clients, the problem with this is the
expense.

If you are only worried about accessing the Internet when connected to
the VPN, the simple answer is to disable split tunneling.

Hope this helps,
Chris.

On 16 Jan 2008 21:52:08 -0000, sarcasmo2005 () gmail com
<sarcasmo2005 () gmail com> wrote:
I've been asked to seek out if it's possible to implement an internet policy, which restricts staff using corporate 
notebooks to accessing the internet only via corporate internet proxies.


The mobile users have Cisco IPsec and Sonicwall SSL VPN clients installed on the notebooks. While it's straightforward
to enforce a VPN (or active directory) policy to enforce mobile users to use the corporate proxies, the problem I'm
facing is when a member of staff is in an airport (or is using a hotel internet connection) they need to be able to
get to the initial account setup pages (i.e. where the internet provider asks you to login or pay for time use). This
makes the internet restriction policy tricky. The mobile users in question can often travel to any region in the
world.


I guess you could use a product such as 'i-pass' but from what I can see with i-pass you still have to be able to hit 
the ISPs account setup page, or you could have a hotel that doesn't support i-pass.


If staff can disable the proxy and go straight to the internet, then it's gone against work to enforce corporate 
proxy use.


I would be very grateful if anyone has had this issue before and could share how they approached it. I'm sure I'm not
the only person that's had this question posed to them before?


thanks in advance

PD

