
SSL VPN Client - locate and block

Hello all.

Hopefully there is a simple answer to this question. We are on v9.351-3 and using SSL VPN for remote access into our file servers. Our "remote access" users have work-issued laptops. All users are non-local admins, so the IT shop is responsible for installation of the SSL VPN clients. Somewhere along the way, a user's VPN installer was used to install on their personal home machine (we have no control over the non-domain machine, and we became aware of this when Sophos started reporting a virus via "Advanced Threat Protection").

Is it possible, and what would be the process (which logs), to locate this machine in UTM and then block it from being able to VPN in? I tried finding the MAC address with the IP mentioned by "ATP", but I am unsure if I am looking in the correct logs (I thought maybe the firewall logs). I also created a MAC address definition for this MAC address and then created a new firewall rule to deny/reject for the specific user using a MAC filter. That was not successful.

Unfortunately, it is not an option to remove the user from the "VPN user group", since this person still needs access from their domain laptop.

Tony



This thread was automatically locked due to age.
  • You should be able to find entries for this user's connection in the SSL VPN log. The issue is, the only way to block (using blackhole DNAT) would be by his home IP, which is problematic if it's dynamic. As well, doing so would also block the connection from his work laptop if he took that home. The MAC/firewall solution won't work, as the VPN connection has higher precedence than manual firewall rules. The solution to this is really more administrative than technical. Assuming that you have policies in place forbidding employees from installing company-owned software on personal machines (stealing), you need to have a chat with this person's management to give the employee a talking-to and reprimand for theft of company assets and to remove the software from personal devices.
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
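The first step in the reply above is finding the user's sessions in the SSL VPN log. The UTM SSL VPN is OpenVPN-based, and OpenVPN logs each successful handshake as a "Peer Connection Initiated" line carrying the certificate CN (the UTM username) and the peer address. The script below is an added example, not code from the thread or from Sophos: it parses constructed log lines written in that OpenVPN style (real UTM lines carry an extra date/daemon prefix, so the regex may need adjusting), lists the distinct source IPs each user's certificate has connected from, and flags users seen from more than one address. The usernames and addresses are made up; 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of OpenVPN's server log. Not taken from a
# real UTM; adjust PEER_RE to match the prefix your /var/log/openvpn.log uses.
SAMPLE_LOG = """\
Tue Mar 15 08:12:05 2016 203.0.113.5:51234 [tony@example.com] Peer Connection Initiated with [AF_INET]203.0.113.5:51234
Tue Mar 15 08:12:09 2016 198.51.100.20:40022 [alice@example.com] Peer Connection Initiated with [AF_INET]198.51.100.20:40022
Tue Mar 15 19:40:11 2016 192.0.2.77:61002 [tony@example.com] Peer Connection Initiated with [AF_INET]192.0.2.77:61002
Tue Mar 15 19:42:30 2016 192.0.2.77:61003 [tony@example.com] Peer Connection Initiated with [AF_INET]192.0.2.77:61003
Wed Mar 16 09:01:00 2016 203.0.113.5:51240 [tony@example.com] Peer Connection Initiated with [AF_INET]203.0.113.5:51240
"""

# Timestamp, "src:port", "[cn]", then OpenVPN's fixed handshake-complete message.
PEER_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) "
    r"(?P<src>[\d.]+):\d+ \[(?P<cn>[^\]]+)\] Peer Connection Initiated"
)


def sessions_by_user(log_text):
    """Map certificate CN (the SSL VPN username) -> list of (timestamp, source IP)."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = PEER_RE.match(line)
        if m:
            sessions[m["cn"]].append((m["ts"], m["src"]))
    return dict(sessions)


def source_ips_for(log_text, user):
    """Distinct public source IPs one user's certificate has connected from."""
    return sorted({ip for _, ip in sessions_by_user(log_text).get(user, [])})


def users_with_multiple_sources(log_text):
    """Users whose single certificate shows up from more than one source IP.

    Two devices behind the same home NAT (work laptop and personal PC) arrive
    from the same address and are indistinguishable here, which is why an
    IP-based block alone cannot single out the personal machine.
    """
    result = {}
    for user, sessions in sessions_by_user(log_text).items():
        ips = sorted({ip for _, ip in sessions})
        if len(ips) > 1:
            result[user] = ips
    return result


if __name__ == "__main__":
    for user, ips in users_with_multiple_sources(SAMPLE_LOG).items():
        print(f"{user}: connected from {', '.join(ips)}")
```

Run it against the real log (`cat /var/log/openvpn.log | python3 script.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) and correlate the timestamps with the ATP alert to see which address the infected machine used. As the reply notes, that address identifies a network location, not the device.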
  • Thank you Scott_Klassen for your quick response. I was afraid that there might not be an elegant "IT" solution to this. I totally agree with your point, and my boss is handling that end of things. Another question, though. I notice that a user's "X509 User Cert" has a "Fingerprint" that matches the local machine certificate's "Thumbprint" (c:\program files (x86)\sophos\sophos ssl vpn client\config\username@companyemailaddress\utmhostname.user.crt). I do not like to presume anything, but I am guessing that if I delete the UTM's "X509 User Cert" for that individual and then recreate it, a new, different "Fingerprint/Thumbprint" will exist, and this would hopefully break all current VPN client connections for this user. Then I would only need to reinstall on the domain laptop and make sure there is no lingering installer to be "hijacked". Does this sound like a successful plan, or am I again losing IQ points? :)
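The fingerprint match described in the post above is what lets an admin audit which client installs still carry the current certificate. Windows' certificate "Thumbprint" is SHA-1 over the DER encoding of the certificate, and the post reports that the UTM "Fingerprint" field shows the same value, so the same hash is used here. The script below is an added example, not code from the thread or from Sophos: it computes that fingerprint from a PEM `.crt` (the `utmhostname.user.crt` in each client config folder), compares an inventory of installed client certificates against the fingerprint the UTM currently shows per user, and reports installs whose certificate no longer matches, i.e. the ones that will stop connecting once the user's X509 cert has been regenerated. The certificate bodies are constructed placeholder bytes wrapped in PEM armour, not real X.509 structures; `ssl.PEM_cert_to_DER_cert` only unwraps the base64, so the hashing path is exercised, but feed it real `.crt` contents in practice. The machine names and usernames are made up.

```python
import base64
import hashlib
import ssl


def constructed_pem(body):
    """Wrap placeholder bytes in PEM armour. NOT a real X.509 certificate; it only
    stands in for the contents of a client's utmhostname.user.crt in this example."""
    b64 = base64.encodebytes(body).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


def sha1_fingerprint(pem_text):
    """SHA-1 of the DER bytes, formatted AA:BB:... like the UTM Fingerprint field
    and the colon-separated form of the Windows Thumbprint."""
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def stale_installs(client_installs, utm_fingerprints):
    """Return sorted (machine, user) pairs whose installed cert does not match the
    fingerprint the UTM currently shows for that user.

    client_installs: {machine: {user: pem_text}} gathered from each machine's
        ...\\sophos ssl vpn client\\config\\<user>\\<utm>.user.crt
    utm_fingerprints: {user: fingerprint} as displayed on the UTM's X509 User Cert
    """
    stale = []
    for machine, certs in client_installs.items():
        for user, pem in certs.items():
            current = utm_fingerprints.get(user)
            if current is None or sha1_fingerprint(pem) != current:
                stale.append((machine, user))
    return sorted(stale)


# Constructed inventory: Tony's cert before and after regeneration on the UTM,
# plus an unrelated user whose cert was never touched.
OLD_TONY_CERT = constructed_pem(b"placeholder cert body: tony@example.com, issued 2015")
NEW_TONY_CERT = constructed_pem(b"placeholder cert body: tony@example.com, regenerated 2016")
ALICE_CERT = constructed_pem(b"placeholder cert body: alice@example.com, issued 2015")

CLIENT_INSTALLS = {
    "WORK-LAPTOP-01": {"tony@example.com": OLD_TONY_CERT},
    "HOME-PC": {"tony@example.com": OLD_TONY_CERT},       # the unmanaged machine
    "WORK-LAPTOP-02": {"alice@example.com": ALICE_CERT},
}

# What the UTM shows after deleting and recreating Tony's X509 User Cert.
UTM_CURRENT = {
    "tony@example.com": sha1_fingerprint(NEW_TONY_CERT),
    "alice@example.com": sha1_fingerprint(ALICE_CERT),
}

if __name__ == "__main__":
    for machine, user in stale_installs(CLIENT_INSTALLS, UTM_CURRENT):
        print(f"{machine}: {user} carries an outdated certificate")
```

The same comparison done by hand is `openssl x509 -in utmhostname.user.crt -noout -fingerprint -sha1`, which prints the colon-separated value to compare against the UTM's Fingerprint field. After regeneration both the domain laptop and the unmanaged machine show up as stale; only the domain laptop gets the fresh client installed, and the old installer must be disposed of so the unmanaged machine cannot be re-provisioned from it.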