Cisco ScanSafe, aka Cisco Cloud Web Security


I'm doing some research on the Cisco Cloud Web Security offering, also
known as ScanSafe.

Has anyone on the lists explored Cisco's ScanSafe SaaS offering, now called
Cisco Cloud Web Security - as a means of providing protection in the cloud
that would potentially negate the requirement to have a full tunnel (i.e.
allow split tunneling) for teleworkers?


First of all, why are you allowing or disallowing split tunnel networks?

The only case I see when you want to route all traffic through the gateway
is when you have a big network that changes constantly and you don't want
to update ACLs all day to make sure a teleworker can reach certain
equipment no matter what.

Other than that, when the laptop is not connected to the VPN the user can
browse whatever site on the internet, so from a security standpoint there
is no benefit.

There is always the risk that he/she may get infected with some malware
that your antivirus does not recognize and it spreads through the internet
network when the user VPNs to the corporate network.

Even with a malware cloud service, you still have security gaps and
opportunity windows for attackers to get to you. One thing is that it is not
always feasible to have a proxy set up in your browser all the time; for
example it would be impossible to connect to the internet when you are at a
hotel that has a captive portal. And in order to get access you will have
to disable the proxy, log into the captive portal, pay (optionally), accept
the terms and reactivate the proxy settings in the browser. And if you forget
to do this... well, you're on your own and hope for the best and that the
locally installed AV and anti-malware solution is "good enough".

What I would suggest is that you only allow access to some jump hosts
(linux/windows/etc) that are being protected by adequate security measures
such as an IPS. This also assumes that the same level of protection exists
between your user network and server network, otherwise it's pretty much
game over once the user is back in the office with full network access.


From what I've seen, many government agencies - particularly those that work
with sensitive data - take a very risk-averse position when dealing with
remote access - if it is allowed at all.

Such networks also tend to be fairly compartmentalized out of necessity. Still
the possibility of a breach that originated from a user that was VPN'd in and
happened to open "" gives IT admins in such environments more than a bit of
heartburn.


We currently use CCWS (previously ScanSafe) with the Anyconnect client.
Nice solution. Whether you're in the office or remoting from a Starbucks,
the traffic is always proxied. We went with the solution for a couple of
reasons:

1. with multiple egress points on the corporate network, we didn't want to
be down if we lost a proxy server.

2. corporate laptops whether in the office or at Starbucks would still be
proxied. This helps limit our virus and malware infections and provides
HR reports.

3. split tunneling would be an option because the traffic doesn't have to
come back to your internal proxy.

4. our remote home office bandwidth is very limited, so using the cloud
provided for better use of that bandwidth.

All in all it's a good solution. I'm not going to tell you that we have
not had any issues, but with any new solution, there will be a couple
bruises along the way.




How do you handle captive portals in hotels and other venues where you
first have to log in to the portal and then have Internet access?

This is my biggest woe right now in this regard with any kind of proxy
settings I can push to users.


Hi Eugeniu,

You could use the inexpensive Mikrotik User Manager

Good Luck :)


Hello Pui,

Thanks for the pointers but I think you misunderstood my question. I know
how to set up a captive portal for WiFi access.

What I wanted to know is how users log into captive portals when the
browser has a proxy set and tries to send all requests to the proxy server,
which they cannot reach until they have authenticated to the captive
portal?
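One common way to keep a captive-portal login reachable while the browser is otherwise forced through a cloud proxy is a PAC (proxy auto-config) script that returns DIRECT for private, link-local and loopback destinations and the cloud proxy for everything else. The following is an added example illustrating that logic; it is not code from this thread, from Cisco or from any ScanSafe/CCWS deployment. The proxy address `proxy.example.invalid:8080`, the bypass ranges and the `chooseProxy`/`failOpen` names are assumptions made for the example; `dnsResolve` is the helper a browser supplies to PAC scripts, so it is guarded for stand-alone execution.

```javascript
// Added example (not from the thread or any vendor): PAC-style proxy selection
// that sends web traffic to a cloud proxy but keeps private-range destinations
// DIRECT, so a captive portal on the local LAN is reachable before the proxy is.

// Constructed placeholder; a real deployment uses the vendor's proxy address.
const CLOUD_PROXY = "PROXY proxy.example.invalid:8080";

// Ranges never routed via the cloud proxy: RFC 1918 private space, link-local
// (APIPA) and loopback. Captive portals normally live inside these ranges
// while the client is still in the walled garden.
const DIRECT_RANGES = [
  "10.0.0.0/8",
  "172.16.0.0/12",
  "192.168.0.0/16",
  "169.254.0.0/16",
  "127.0.0.0/8",
];

// Parse a dotted-quad IPv4 string into an unsigned 32-bit integer; returns
// null for anything that is not exactly four octets in 0..255.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const octet = Number(p);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True if ip lies inside the CIDR block. This is a local re-implementation of
// the isInNet() helper browsers provide to PAC scripts, so the logic can be
// exercised outside a browser.
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const ipInt = ipv4ToInt(ip);
  const netInt = ipv4ToInt(net);
  const bits = Number(bitsStr);
  if (ipInt === null || netInt === null || !(bits >= 0 && bits <= 32)) return false;
  if (bits === 0) return true;
  // Unsigned mask arithmetic so prefixes such as /8 work on all octets.
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((netInt & mask) >>> 0);
}

// Core decision, separated from DNS so it can be tested with a supplied
// address. failOpen=true appends a DIRECT fallback that browsers use when the
// proxy is unreachable; that makes portal login work more often but also
// silently disables filtering whenever the proxy is down.
function chooseProxy(host, resolvedIp, failOpen = false) {
  // Unqualified names such as "portal" or "gateway" are local: go DIRECT.
  if (host.indexOf(".") === -1) return "DIRECT";
  // Private, link-local and loopback destinations bypass the cloud proxy.
  if (resolvedIp !== null) {
    for (const range of DIRECT_RANGES) {
      if (inCidr(resolvedIp, range)) return "DIRECT";
    }
  }
  return failOpen ? CLOUD_PROXY + "; DIRECT" : CLOUD_PROXY;
}

// Entry point a browser calls for a PAC file. dnsResolve() exists only in the
// browser's PAC environment, so it is guarded for stand-alone runs.
function FindProxyForURL(url, host) {
  const ip = typeof dnsResolve === "function" ? dnsResolve(host) : null;
  return chooseProxy(host, ip);
}
```

The design choice worth noting is the strict default: with `failOpen` false, a user whose cloud proxy is unreachable gets no web access rather than unfiltered access, which is the "you're on your own" gap described earlier in the thread. The bypass also only helps when the portal answers from a private or link-local address; a venue whose portal redirects to a public IP still needs another mechanism.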
