| echo: | |
|---|---|
| to: | |
| from: | |
| date: | |
| subject: | Re: Laptop Security |
From: Adam Flinton

Richard B. wrote:

> On Fri, 17 Dec 2004 23:50:16 +0000, Adam Flinton wrote:
>
> > Not if you keep it simple.
> >
> > Generally the fun starts once people want "exceptions".
> >
> > 2 lists.
> >
> > Mac addresses of fixed devices & Mac addresses of mobile devices.
> >
> > Assign tcp settings on remote dhcp client accordingly.
>
> No exceptions, no prisoners!

Most don't know or care & you do this in easy to digest stages. You can then introduce more "flexibility" as you go along (dependent upon mobile people's history). It's then just a question of reloading the tcp/ip settings, i.e. add to the "good list" once the bod has proved who he is & the machine is not emitting nastiness & then refresh the lease.

> > Mostly "exceptions". It depends on what ports are to be opened & not
> > which are to be shut.
>
> I try to keep the ship tight and only open less common ports on an as
> needed basis.

Yup. Effectively mobile workers should be in the DMZ until they have shown their machines to be "clean". One example would be to have a login followed by an automated virus & spyware check & then, if all OK, reset the terms of the dhcp lease (i.e. change the subnet the machine resides in).

> > If it's spyware & exploits getting in then....treat all non-mobile as
> > being part of a more trusted "area" than the "mobiles".
>
> Here I can control via filtering many bad sites, but outside the
> office when he connects via DHCP to the motel's network I begin to
> worry.

Then you need a solid vpn & have him use that as the way into the corp lan no matter where he's connecting from. I would recommend either openvpn or one of the pptp/l2tp using ipsec. The latter are easiest to set up using windows. i.e. then if that's all you set up on his machine, then his inet access etc can be directed through the same routes & filters as a fixed machine.

> > Where mobile includes having another route out to the net (inc modem or
> > wifi or 3G/gprs etc.
>
> In the end some responsibility has to be shared by the user, I just
> want to mitigate that to as small a share as possible. Since we are
> starting off with only a couple of devices initially hopefully I can
> see how to handle the various scenarios, maybe take the tablet on a
> trip or two and check out my efforts to secure it.

Start by having just one list, the "fixed" or "known good" mac list. Give them a different set of ip addrs to all others (different enough that the mobile machines cannot find the machines/hook into that range by themselves). Route all others through a gateway to reach the "internal lan address range". What you choose to put in place at that gateway is up to you.

Adam

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
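The "known good MAC list" scheme described in this exchange, as an added example that is not part of the thread: a small Python generator that turns a MAC list into an ISC dhcpd configuration where members of class "fixed" are handed the trusted range and every other client lands in a short-lease quarantine range behind its own gateway. The MAC values, subnet numbers and list contents are constructed sample data; "promoting" a machine after it passes the clean check is simply adding its MAC to the list and regenerating.

```python
import re

# Constructed sample "known good" list, deliberately mixing notations and
# including one malformed entry that must be rejected rather than silently matched.
KNOWN_GOOD_MACS = [
    "00:11:22:33:44:55",   # fixed desktop (constructed)
    "00-11-22-33-44-66",   # fixed printer, dash notation (constructed)
    "0011.2233.4477",      # fixed server, Cisco dotted notation (constructed)
    "not-a-mac",           # malformed: goes to the rejected list
]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Return the MAC in dhcpd's xx:xx:xx:xx:xx:xx form, or None if malformed."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_dhcpd_conf(macs):
    """Emit a dhcpd.conf fragment and the list of entries that were rejected.

    Class 'fixed' is populated via subclass statements (hardware type 1 = ethernet).
    The trusted subnet admits only class members; the quarantine subnet denies them,
    so an unknown MAC can only ever obtain a quarantine lease."""
    good, rejected = [], []
    for entry in macs:
        normalized = normalize_mac(entry)
        if normalized:
            good.append(normalized)
        else:
            rejected.append(entry)
    lines = ['class "fixed" { match hardware; }']
    lines += [f'subclass "fixed" 1:{m};' for m in sorted(set(good))]
    lines += [
        'shared-network office {',
        '  subnet 10.0.1.0 netmask 255.255.255.0 {        # trusted range (constructed)',
        '    option routers 10.0.1.1;',
        '    pool { allow members of "fixed"; range 10.0.1.10 10.0.1.250; }',
        '  }',
        '  subnet 10.0.200.0 netmask 255.255.255.0 {      # quarantine range (constructed)',
        '    option routers 10.0.200.1;                   # the gateway that filters them',
        '    default-lease-time 600;                      # short lease: re-check often',
        '    pool { deny members of "fixed"; range 10.0.200.10 10.0.200.250; }',
        '  }',
        '}',
    ]
    return "\n".join(lines) + "\n", rejected


if __name__ == "__main__":
    conf, bad = build_dhcpd_conf(KNOWN_GOOD_MACS)
    print(conf)
    print("rejected entries:", bad)
```

Separate address ranges only separate the machines at layer 3; a MAC can be copied, so the gateway, VLAN and VPN pieces in the thread are what actually keep quarantined clients off the trusted range.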
SOURCE: echomail via fidonet.ozzmosis.com