Firewall Wizards mailing list archives

VPN lockdown by dynamic IP?


From: "Robert Fenerty" <robert () fenerty com>
Date: Fri, 5 Dec 2003 10:33:13 -0800

Hi,

I have set up an end-to-edge VPN to an office, and I'm trying to add an
extra layer of security.  The office has a Cisco PIX 501 running 6.3(3)
and the users have version 3.6.6 of the Cisco VPN client.

I'd like to add an access list that only allows certain IP addresses to
VPN into the office.  This would be trivial if the source IPs were
static.  But the inbound connections will come from laptops that will be
connected to home networks with dynamic IPs.  There are only a handful
of users, all technically savvy.

So here's what I'm thinking.  Get each user to run one of these clients:
http://www.dyndns.org/services/dyndns/clients.html
These free clients update a centralized DNS.  The TTL is low, so changes
to the IP are reflected fairly quickly.

So, (if possible) I'd like to set up an ACL that only allows VPN access
to, say, user1.dyndns.org.  Hopefully, the IP wouldn't change during the
VPN session if the user's DHCP lease expires!  Has anyone implemented a
scheme like this?  Is it a lousy idea?

Another alternative is to lock down by the address space of the user's
home ISP, which is less flexible; you can't VPN in if you take your
laptop to Paris.  But at least this alternative would vastly decrease
the attack pool, if you follow me.

Thanks,

Robert
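
One way to implement the hostname-based allowlist refresh the post asks about, added here as an illustration and not code from the original message: since the PIX ACL only understands IP addresses, a scheduled job resolves each dyndns name, and, combining the two ideas in the post, accepts the address only if it falls inside that user's known home-ISP block (so a stale or hijacked DNS record cannot widen the ACL), then emits the differences against the current rule set. The user table, ISP ranges, and the stub resolver are constructed sample values, not real users or DNS data.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Set, Tuple

# Remote users: dynamic-DNS name -> blocks their home ISP is known to allocate
# from. Constructed sample values (RFC 5737 documentation ranges), not real users.
USERS: Dict[str, List[str]] = {
    "user1.dyndns.org": ["203.0.113.0/24"],
    "user2.dyndns.org": ["198.51.100.0/24", "192.0.2.0/24"],
}

# Constructed DNS answers so the example runs offline; in production pass
# resolver=socket.gethostbyname instead of stub_resolver.
STUB_ANSWERS = {"user1.dyndns.org": "203.0.113.7", "user2.dyndns.org": "10.0.0.5"}

def stub_resolver(name: str) -> str:
    if name not in STUB_ANSWERS:
        raise socket.gaierror(f"NXDOMAIN {name}")
    return STUB_ANSWERS[name]

def resolve_allowed(users: Dict[str, List[str]],
                    resolver: Callable[[str], str]) -> Tuple[Set[str], Dict[str, str]]:
    """Resolve each name and accept the address only if it lies inside that
    user's expected ISP blocks. Anything else (unresolvable, or a record that
    points somewhere unexpected, e.g. stale or hijacked) is reported as suspect
    and never added to the allowlist."""
    allowed: Set[str] = set()
    suspect: Dict[str, str] = {}
    for name, blocks in users.items():
        nets = [ipaddress.ip_network(b) for b in blocks]
        try:
            ip = ipaddress.ip_address(resolver(name))
        except (OSError, ValueError) as exc:  # socket.gaierror is an OSError
            suspect[name] = f"unresolvable ({exc})"
            continue
        if any(ip in net for net in nets):
            allowed.add(str(ip))
        else:
            suspect[name] = f"{ip} is outside the expected ISP ranges"
    return allowed, suspect

def diff_rules(current: Set[str], desired: Set[str]) -> Tuple[List[str], List[str]]:
    """Hosts to add to and remove from the existing IP-based ACL."""
    return sorted(desired - current), sorted(current - desired)

if __name__ == "__main__":
    allowed, suspect = resolve_allowed(USERS, stub_resolver)
    to_add, to_remove = diff_rules({"203.0.113.9"}, allowed)
    print("add:", to_add, "remove:", to_remove, "suspect:", suspect)
```

Run it at an interval no longer than the dyndns record TTL, and treat any entry in `suspect` as a reason to drop that user's old address rather than to widen the ACL.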


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

