We've largely solved our trust issues by deploying VMware View--users prefer it since they get access to their licensed software, we prefer it because they're using an isolated environment and not connecting our file servers to their unmanaged home equipment. That doesn't solve the issue of user equipment connected to our networks but it vastly reduces the threat of users away from the office.
----
Jack Kramer
Manager of Information Technology
Communications and Brand Strategy
Michigan State University
w: 517-884-1231 / c: 248-635-4955

On Feb 19, 2013, at 10:48 AM, Shaun Leininger <[log in to unmask]> wrote:

CMU (Central Michigan) uses such a product: http://www.bradfordnetworks.com/network_sentry

When registering on the CMU network, the Bradford agent runs checks for latest service packs, specific Windows updates that are of concern, up to date antivirus definitions, and so on. To exit network quarantine, the device must pass all tests.  

Shaun Leininger 
Information Technology Professional
Department of Anthropology
517-884-0388
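The quarantine logic described above, as an added illustration that is not part of this thread and not Bradford's own code: a device posture is checked against a minimum service pack, a set of required updates and a maximum antivirus definition age, and the device leaves quarantine only when every check passes. The policy values and the KB identifiers are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set

# Hypothetical posture policy (constructed values, not a real product rule set).
REQUIRED_SERVICE_PACK = {"Windows 7": 1, "Windows XP": 3}
REQUIRED_UPDATES = {"KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2"}   # placeholder KB ids
MAX_AV_DEFINITION_AGE = timedelta(days=3)


@dataclass
class DevicePosture:
    os_name: str
    service_pack: int
    installed_updates: Set[str]
    av_definitions_date: Optional[date]   # None if the agent found no AV product


def evaluate_posture(p: DevicePosture, today: date) -> List[str]:
    """Return the list of failed checks; an empty list means the device passed."""
    failures = []
    min_sp = REQUIRED_SERVICE_PACK.get(p.os_name)
    if min_sp is None:
        failures.append(f"unsupported OS: {p.os_name}")
    elif p.service_pack < min_sp:
        failures.append(f"service pack {p.service_pack} < required {min_sp}")
    missing = REQUIRED_UPDATES - p.installed_updates
    if missing:
        failures.append("missing updates: " + ", ".join(sorted(missing)))
    if p.av_definitions_date is None:
        failures.append("no antivirus definitions reported")
    elif today - p.av_definitions_date > MAX_AV_DEFINITION_AGE:
        failures.append(f"antivirus definitions stale ({p.av_definitions_date})")
    return failures


def may_exit_quarantine(p: DevicePosture, today: date) -> bool:
    """All checks must pass; any single failure keeps the device quarantined."""
    return not evaluate_posture(p, today)


if __name__ == "__main__":
    # Constructed sample: fully patched machine versus one with a stale AV and a missing update.
    today = date(2013, 2, 19)
    good = DevicePosture("Windows 7", 1, set(REQUIRED_UPDATES), date(2013, 2, 18))
    bad = DevicePosture("Windows 7", 1, {"KB-PLACEHOLDER-1"}, date(2013, 2, 10))
    print("good device may exit quarantine:", may_exit_quarantine(good, today))
    print("bad device failures:", evaluate_posture(bad, today))
```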
From: Steve Bogdanski [mailto:bogdansk@CVM.MSU.EDU] 
Sent: Tuesday, February 19, 2013 9:59 AM
To: [log in to unmask]
Subject: Re: [MSUNAG] UPnP Router Vulnerability


It seems that the only technical solution that could be implemented by campus would be some sort of policy server (like NPS in Windows Server) that would check the connecting system against certain requirements as part of the SSL VPN connection.  However that would be rather expensive I'd assume and not something worth the cost at this time.
-Steve Bogdanski


>>> "Isaac, Jeremy" <[log in to unmask]> 2/19/2013 9:49 AM >>>
Most of these are very good points.  The only problem is trying to get users that have work to do from home accepting the extra restrictions imposed on them.  Right now, an SSL VPN works well for those that need it and it doesn't add any headache on either end.  Perhaps we could go a different route (I think I saw a hardware solution out there that replaces the home user's router), but this is where we are.  I probably should have worded the original post a little differently, anyway.  I'm really just trying to get this information out there, since I haven't seen a blurb about this on MSUNAG.  I'm open to what other people are doing to either inform users of this problem or other mitigating steps.

-----Original Message-----
From: Dennis Boone [mailto:[log in to unmask]] 
Sent: Monday, February 18, 2013 5:17 PM
To: [log in to unmask]
Subject: Re: [MSUNAG] UPnP Router Vulnerability

> While an SSL VPN connection initiated by a PC does not make the campus
> network visible to other machines in the case where the machine isn't
> otherwise compromised, it's only a matter of time before some user's
> machine is infected and allows some unknown third party to see into a
> network they wouldn't otherwise have access to.

You weren't trusting those machines staff and students have at home,
were you?

You weren't trusting those home routers to be secure in the first place,
were you?

You weren't trusting stuff more because it was on the campus network,
were you?

You weren't assuming there are no consumer-grade routers on the campus
network, were you?

You weren't trusting machines in the VPN address space more than
anything else coming from off campus, were you?

If your trust model is sane, another home router vulnerability will
make roughly zero difference to you.  If your trust model isn't sane,
fixing a home router vulnerability will make roughly zero difference to
you.

De