-
April 29th, 2005, 10:30 PM
#1
Junior Member
Policy Enforcement over Web?
I'm looking for some suggestions on how to handle a certain security problem.
Let's say that I have an SSL website, that will allow a user to first authenticate with two-factor authentication before proceeding to use an ActiveX control to securely connect to Terminal Services from across the web.
The problem is, I have no way of verifying that a user's computer has any antivirus or antispyware software on it, nor a way to verify that they do not have a keylogger or anything else on there.
Can any of you guys think of a good way to enforce a policy, such as to require up-to-date antivirus, or perhaps just a mechanism to do a simple trojan scan before allowing them to proceed to the point where they can authenticate and connect?
I've seen agents out there, but I hate to get in the business of installing and managing software on someone's home computer.
Thanks,
Mike
-
April 29th, 2005, 10:38 PM
#2
This is the "new wave" in networking, (or at least, one of them).... Making a central system verify that certain tasks have been completed prior to allowing access. Cisco does one and there are a couple of others. The problem is that it is new and new = $$$$....
Unless you have money coming out of your "thingumy" it probably won't happen easily.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
April 29th, 2005, 11:03 PM
#3
Junior Member
Well, I was at the RSA con in San Fran, and saw a lot of those technologies down there. I am just trying to figure out how to do it without really having them install something, per se. Of course, even an ActiveX control is installed, but it's a little more behind the scenes. Ideally, I want something that upon opening a webpage, will scan (or verify policy), then proceed to allow them to connect to my poor man's SSL VPN.
-
April 29th, 2005, 11:03 PM
#4
Off topic
Unless you have money coming out of your "thingumy" it probably won't happen easily.
Too funny...I actually laughed out loud.
Thanks...I needed that
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
April 29th, 2005, 11:06 PM
#5
Of course, even an ActiveX control is installed, but it's a little more behind the scenes.
So you want to limit this to Internet Explorer only?
I say only allow access in the first place to people you already trust to keep their computer clean.
\"It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change.\"
- Charles Darwin
-
April 30th, 2005, 10:07 AM
#6
Senior Member
Well, you could implement this yourself; it would be slightly easier on XP,
but this is like implementing Win32 apps when 3.11 still had the market share.
Something along the lines of making a proggy to check the Security Centre; if all is good, then unban that URL from being accessed.
-
April 30th, 2005, 10:24 AM
#7
As Tiger mentioned, this isn't going to happen for free. I have one of these solutions in place right now. See www.juniper.net and look at their SSL vpn product. It does host checking based on a policy you write. Mine checks for up to date patches and a virus sig no older than 7 days. Once they pass, the VPN tunnel is established.
Once they are on, I can even enforce the apps they run based on MD5 hashes of the exe. This way, I know they are running version 5.0 of UberLeetSoft as opposed to maybe version 6 they obtained on their own or a version of 5.0 that has been fux0red with. There are many many policy options but these are the ones that I use with great success.
Again, have your checkbook ready.
--TH13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
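The checks TH13 describes above (current patches, antivirus signatures no older than 7 days, approved executables matched by MD5) and the "check the machine, then unban the URL" idea from post #6 amount to a host-check policy evaluated before the tunnel comes up. The following is an added example, not code from the thread or from Juniper's product: a small evaluator that takes a posture report and returns the list of policy failures. The posture reports, the patch baseline number, the executable bytes and the hash values are all constructed here for illustration.

```python
"""Host-check policy evaluator: an added illustration, not code from the
thread or from any vendor product.  It models the checks described in post #7
(patches current, antivirus signatures no older than 7 days, approved
executables identified by MD5) and returns a list of failures; an empty list
means the tunnel may be established.  The posture report is constructed in
this file, not read from a real machine."""
import hashlib
from datetime import date

# Policy thresholds.  Hypothetical values chosen to mirror the post; a real
# deployment would load these from the VPN gateway's policy store.
MAX_SIG_AGE_DAYS = 7
REQUIRED_PATCH_LEVEL = 42      # hypothetical "current patch baseline" number

# Fixed "now" so the example is deterministic (the thread dates from May 2005).
TODAY = date(2005, 5, 2)

# Constructed stand-ins for the executable bytes a client would hash.
GOOD_EXE = b"UberLeetSoft 5.0 release build"
TAMPERED_EXE = b"UberLeetSoft 5.0 release build, modified by user"


def md5_hex(data: bytes) -> str:
    """MD5 of a file image, as the post uses.  MD5 is collision-prone, so a
    newer deployment would pin SHA-256 instead; the logic is identical."""
    return hashlib.md5(data).hexdigest()


# Approved application list: file name -> expected hash of the release build.
APPROVED_EXE_HASHES = {"uberleetsoft.exe": md5_hex(GOOD_EXE)}


def evaluate_posture(posture: dict, today: date = TODAY) -> list:
    """Apply the policy to a posture report and return human-readable failures.

    posture = {
        "av_signature_date": date,         # date of the installed AV signatures
        "patch_level": int,                # installed patch baseline
        "executables": {name: bytes},      # file images the client will run
    }
    """
    failures = []

    # 1. Antivirus signatures must be fresh.
    sig_age = (today - posture["av_signature_date"]).days
    if sig_age > MAX_SIG_AGE_DAYS:
        failures.append(
            f"antivirus signatures are {sig_age} days old (limit {MAX_SIG_AGE_DAYS})")

    # 2. Patches must be at or above the required baseline.
    if posture["patch_level"] < REQUIRED_PATCH_LEVEL:
        failures.append(
            f"patch level {posture['patch_level']} below required {REQUIRED_PATCH_LEVEL}")

    # 3. Every executable the client reports must match an approved hash.
    #    An unknown name and a known name with the wrong hash are both rejected,
    #    which is what stops both "version 6" and a modified 5.0 build.
    for name, image in sorted(posture["executables"].items()):
        expected = APPROVED_EXE_HASHES.get(name)
        actual = md5_hex(image)
        if expected is None:
            failures.append(f"{name}: not on the approved application list")
        elif actual != expected:
            failures.append(f"{name}: hash {actual} does not match approved {expected}")

    return failures


def allow_tunnel(posture: dict, today: date = TODAY) -> bool:
    """True only when no policy check failed."""
    return not evaluate_posture(posture, today)


def clean_host() -> dict:
    """Constructed posture for a machine that should pass."""
    return {
        "av_signature_date": date(2005, 4, 28),   # 4 days old
        "patch_level": 42,
        "executables": {"uberleetsoft.exe": GOOD_EXE},
    }


def dirty_host() -> dict:
    """Constructed posture that trips every check."""
    return {
        "av_signature_date": date(2005, 4, 20),   # 12 days old
        "patch_level": 41,
        "executables": {"uberleetsoft.exe": TAMPERED_EXE, "unknown.exe": b"not approved"},
    }


if __name__ == "__main__":
    for label, host in (("clean", clean_host()), ("dirty", dirty_host())):
        print(label, "->", "ALLOW" if allow_tunnel(host) else "DENY")
        for msg in evaluate_posture(host):
            print("  ", msg)
```

The decision is only as trustworthy as the component that collects the posture report on the client, which is why the products mentioned in this thread all ship an agent or ActiveX control rather than trusting what a web page can see; the evaluator itself belongs on the gateway side, where the user cannot edit the policy.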
-
May 2nd, 2005, 07:34 PM
#8
Junior Member
Yeah, I was afraid of that. I was hoping someone might make a little app to do something like this without getting into the really expensive devices, like Juniper offers. Of course, the alternatives to having an SSL VPN for us are going to be expensive, so perhaps there is a way for me to get some $$$$ for this.
-
May 2nd, 2005, 08:24 PM
#9
Check Point came and pitched their SNX product to us recently that does something akin to this discussion... Secure Network eXtension, I guess. It's an ActiveX control...you browse to the address, it opens up an SSL session and fires up the ActiveX to secure your system. Not sure it has any policy enforcement, but if it doesn't, I guarantee they'll sell you the piece that does, or it's in development and will be available (read: for sale) soon.
Tiger is right...this stuff is the bleeding edge, which is invariably expensive.
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
-
May 2nd, 2005, 08:37 PM
#10
Junior Member
I'll check it out. It'd be nice if it didn't have to be ActiveX, but I don't think anything in the Java world would do it.