limit SSLVPN to approved computers

It would be nice if SSLVPN client functionality could somehow be limited to known/approved/company computers. One problem with the current SSLVPN system is that the software can be installed on nearly any computer, including personal systems that could be infected with any type of unknown malware. Then, by way of the SSLVPN, an approved user could put that infected computer on the corporate network with nearly no restrictions (by default).

In my opinion, this is a big security problem. Even if the client software download page was disabled on the firewall (which it currently can't be), it's not difficult for anyone that can use Google to download the software directly from WatchGuard. There should be some behind-the-scenes mechanism built into the SSLVPN software to only allow previously approved (aka company managed) systems to connect by SSLVPN, even with the right user credentials. Essentially, 2 factor authentication for SSLVPN - 1st the computer, then 2nd the user.

Comments

  • So the SSLVPN software isn't specific to your firewall or company. You are using the same software that we are (and every WG SSLVPN user out there is). Limiting the software isn't feasible.

  • A better mitigation strategy would be to require MFA for user authentication and set up ACLs for the VPN network traffic.

  • I'm not sure how ACLs could be used to prevent a legitimate SSLVPN user from using his personal computer. And what I'm suggesting is MFA with the approved computer being one of those factors.

  • ACLs won't stop an authorized user from using their personal computer. Besides policy, I'm not aware of any current technical means of preventing that. Maybe 802.1x requiring computer and user authentication over the VPN?

  • Note that one can use the OpenVPN client too, although one does need the SSLVPN config info, which one can easily download from the firewall.

  • I agree, there is no current technical means of preventing this. That's why I've posted this in the Product Enhancement forum - as an enhancement suggestion. ;)

  • Another simpler solution that WG could implement: Require Client side Certificate (where the CA cert needs to be loaded on the Firebox).
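How the client-certificate "device factor" suggested in the last comment works on a generic OpenVPN server (added example, not WatchGuard or Firebox code; the config paths, the allowlist file and the device names are assumptions): the server requires a certificate from the company CA, and a `tls-verify` hook additionally checks that the certificate's CN is on a list of approved company machines, so a valid user login from a personal PC is still refused.

```shell
#!/bin/sh
# Added example (not WatchGuard code): an OpenVPN --tls-verify hook that only
# accepts client certificates whose CN is on a company device allowlist.
# Assumed server config (generic OpenVPN, not a Firebox; hypothetical paths):
#   script-security 2
#   verify-client-cert require               # factor 1: a cert from the company CA
#   tls-verify /etc/openvpn/device-allowlist.sh
#   auth-user-pass-verify /etc/openvpn/user-auth.sh via-env   # factor 2: the user
# OpenVPN runs the hook as: <script> <depth> <x509-subject>; exit 0 accepts.
ALLOWLIST="${DEVICE_ALLOWLIST:-/etc/openvpn/approved-devices.txt}"   # hypothetical path

# Extract the CN from a subject in either OpenVPN format:
#   "C=US, O=Example Corp, CN=laptop-0042"  or  "/C=US/O=Example Corp/CN=laptop-0042"
subject_cn() {
    printf '%s\n' "$1" | tr '/' ',' | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*CN=//p' | head -n 1
}

# device_allowed <depth> <subject> <allowlist-file>; returns 0 to accept the cert.
device_allowed() {
    depth="$1" subject="$2" list="$3"
    # Only the leaf (depth 0) names the connecting machine; issuer certs in the
    # chain are already validated by OpenVPN against the configured ca file.
    if [ "$depth" != "0" ]; then
        return 0
    fi
    cn=$(subject_cn "$subject")
    if [ -z "$cn" ]; then
        return 1            # certificate without a CN: reject rather than guess
    fi
    # whole-line, literal match: "laptop-004" must not stand in for "laptop-0042"
    grep -v '^#' "$list" | grep -Fxq -- "$cn"
}

# Stand-alone demo on a constructed allowlist; not used when OpenVPN calls the hook.
demo() {
    d=$(mktemp)
    printf '# approved company devices (constructed)\nlaptop-0042\nwks-0107\n' > "$d"
    for s in 'C=US, O=Example Corp, CN=laptop-0042' 'C=US, O=Example Corp, CN=personal-pc'; do
        if device_allowed 0 "$s" "$d"; then echo "accept: $s"; else echo "reject: $s"; fi
    done
    rm -f "$d"
}

if [ $# -eq 2 ]; then
    device_allowed "$1" "$2" "$ALLOWLIST"    # invoked by OpenVPN with <depth> <subject>
else
    demo
fi
```

The user factor (password plus MFA) is still enforced separately by `auth-user-pass-verify`; this hook only decides whether the presenting machine is one the company issued a certificate to and has not removed from the list.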
