Sun Jul 16 06:43:29 CDT 2006
Ah, the good old endpoint security. I'd love to have a robust discussion
about that one. I've grown a bit skeptical about this, as I believe that
it's possible to implement proper security controls on all network resources
and applications, making the actual device used less relevant and risky.
Also the restrictions that are imposed by the endpoint security technologies
tend to impact usability (mostly by restricting "other" platforms - for
example, Windows Mobile) and don't really prevent rogue hosts in many cases.
Meanwhile, some resources for you. Microsoft calls the set of technologies
Network Access Protection (http://www.microsoft.com/nap). The first
iteration is the Network Access Quarantine Control in W2K3, and it's going
to become more mainstream technology, as almost all players in the field
signed up as the partners. Check Point is pushing their Integrity suite -
that is poorly integrated with their VPN-1; Integrity Clientless,
implemented as an ActiveX, a part of Connectra SSL VPN suite from Check
Point is okay. You're using VPN from Cisco - they have Network Access
Control products for the same purpose. Call your Cisco rep and they'll dump
a bucketload of powerpoints on you.
What's the catch? You have to do a lot of policy definitions and script
writing. The standard set is to verify that the system's up to date with the
patches and AV signatures are fresh. But if you want to make sure that the
system is a member of the domain, you aren't given much choice. On wireless
networks, using computer authentication (along with proper protection of the
computer credentials) is a sort of standard practice. With VPN, we're not
there yet.
Which brings me to the first point - should we really care?
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
<dcasteel@gmail.com> wrote in message
news:1152965057.273348.327480@p79g2000cwp.googlegroups.com...
> I am sure there is a way to do this, but I have limited resources (the
> most valuable being time). I need to lock out or block non MS domain
> members from my network. This would be from people bringing in their
> home laptops and plugging in and from people connecting to my corporate
> network via VPN.
> I do not want a solution to check their home computer to make sure it
> is up to par. The non domain members must be blocked (corporate
> policy).
>
> Current logical configuration:
>
> Home user>cisco vpn concentrator>simple IP address pool
> provided>authenticated against win2k radius>
>
> Let me know if you need any further info from me to help with my issue.
>
> Thanks in advance!
>
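The reply above describes the "policy definitions and script writing" side of endpoint posture checking: confirming domain membership, patch currency and fresh AV signatures before a host is admitted. The following is an added example of such a local check, written for this page and not code from either poster, Microsoft NAP, Check Point or Cisco. It assumes a Windows host with PowerShell 5.1 or later and the Microsoft Defender cmdlets; the domain name and the age thresholds are placeholders, not values from the thread.

```powershell
# Added example: minimal endpoint posture check of the kind the reply describes.
# Assumes Windows PowerShell 5.1+; RequiredDomain and the thresholds are placeholders.
param(
    [int]$MaxPatchAgeDays     = 30,             # constructed threshold
    [int]$MaxSignatureAgeDays = 3,              # constructed threshold
    [string]$RequiredDomain   = 'corp.example'  # placeholder, not from the post
)

$result = [ordered]@{}

# 1. Domain membership: the hard requirement in the original question.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$result.DomainJoined = [bool]$cs.PartOfDomain
$result.Domain       = $cs.Domain
$result.DomainOk     = $cs.PartOfDomain -and ($cs.Domain -ieq $RequiredDomain)

# 2. Patch freshness: date of the most recently installed hotfix.
$lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } |
             Sort-Object InstalledOn -Descending | Select-Object -First 1
$result.LastPatchInstalled = if ($lastPatch) { $lastPatch.InstalledOn } else { $null }
$result.PatchOk = [bool]$lastPatch -and
    (((Get-Date) - $lastPatch.InstalledOn).TotalDays -le $MaxPatchAgeDays)

# 3. AV signature freshness (Microsoft Defender only; other products need their own query).
$result.AvSignatureOk = $false
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $mp = Get-MpComputerStatus
    $result.AvSignatureDate = $mp.AntivirusSignatureLastUpdated
    $result.AvSignatureOk = $mp.AntivirusEnabled -and
        (((Get-Date) - $mp.AntivirusSignatureLastUpdated).TotalDays -le $MaxSignatureAgeDays)
}

# Overall verdict; all three checks must pass.
$result.Compliant = $result.DomainOk -and $result.PatchOk -and $result.AvSignatureOk
[pscustomobject]$result

# Non-zero exit code lets a logon script or NAC agent act on the verdict.
if (-not $result.Compliant) { exit 1 }
```

Run it as a logon or VPN post-connect script and feed the exit code to whatever enforcement point you have. Note the limitation the reply points out: a check like this runs on the endpoint and reports on itself, so an unmanaged host can simply not run it or report what the policy wants to hear. Real blocking of non-domain machines needs the network side to verify the machine's own credential (802.1X computer authentication with a domain-issued certificate) rather than trust a self-assessment.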