NetExtender on SMA 500v - group/client routes can be manually extended by users?
Hi everybody,
We are testing an SMA 500v at our site. In the network routes I opened up the routes to all necessary subnets, containing all the machines that would be needed by all teams.
Now we want to restrict access to specific servers for specific teams (e.g. support / back office / development). I tried to configure this using the client and group routes, and this works so far.
However, it is possible on the client to manually add a route using the "route add" command, so it would be possible to override the setting and give myself access to systems I shouldn't be able to reach over the VPN.
Example: my user account should not have access to a server with the IP 10.10.10.10, and the route is properly configured for this in my group. Nevertheless, I can gain access to all machines in the 10.10.10.0 subnet by running this command as an admin on my Windows machine: "route add 10.10.10.0 mask 255.255.255.0 0.0.0.0 IF <netextender interface card>".
Is it possible to prevent this behavior?
Thanks a lot for your help on this...
Best Answer
preston
Hi @tabbit, you can set up policies per user, domain, group, etc. to only allow access to certain IP addresses or ranges, so even if they override the Windows routing table the access is denied.
Just to be clear, when setting up policies you will not find IP ranges as an option (not sure why), so you need to deny the whole subnet and allow the IP addresses you want them to reach.
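A practical way to confirm the answer above is to do exactly what the question describes from the client side and watch whether the server-side policy still holds. The script below is an added example, not part of the original thread or of any SonicWall tooling: it pushes the whole 10.10.10.0/24 subnet onto the NetExtender adapter (the PowerShell equivalent of the "route add" command in the question), probes one host the user must not reach and one the user may reach, compares the result with the expectation, and then removes the test route. The adapter name "SonicWall NetExtender", the allowed host 10.10.10.20 and TCP port 445 are assumptions; 10.10.10.10 is the denied server from the question. Run it in an elevated PowerShell session while the VPN is connected.

```powershell
# Added example (not from the original post): verify from the Windows client that
# the SMA user/group policy, not the client routing table, is what denies access.
# Assumptions (hypothetical, adjust to your environment):
#   - the NetExtender adapter is named "SonicWall NetExtender"
#   - 10.10.10.10 is the server the current user must NOT reach (from the post)
#   - 10.10.10.20 is a server the current user IS allowed to reach
#   - both servers listen on TCP 445 (SMB); pick a port that is actually open
# Run in an elevated PowerShell session while the VPN is connected.

$Adapter = Get-NetAdapter -Name 'SonicWall NetExtender'
$Subnet  = '10.10.10.0/24'
$Targets = @(
    @{ Ip = '10.10.10.10'; Port = 445; Expect = 'denied'  },
    @{ Ip = '10.10.10.20'; Port = 445; Expect = 'allowed' }
)

# Step 1: reproduce what a user could do - push the whole subnet onto the tunnel.
# Equivalent to: route add 10.10.10.0 mask 255.255.255.0 0.0.0.0 IF <ifIndex>
New-NetRoute -DestinationPrefix $Subnet -InterfaceIndex $Adapter.ifIndex `
             -NextHop '0.0.0.0' -PolicyStore ActiveStore | Out-Null

try {
    # Step 2: with the route in place, the only thing that can still stop
    # the traffic is the SMA policy. Probe each target and compare to expectation.
    $results = foreach ($t in $Targets) {
        $tnc    = Test-NetConnection -ComputerName $t.Ip -Port $t.Port -WarningAction SilentlyContinue
        $actual = if ($tnc.TcpTestSucceeded) { 'allowed' } else { 'denied' }
        [pscustomobject]@{
            Target   = "$($t.Ip):$($t.Port)"
            Expected = $t.Expect
            Actual   = $actual
            Ok       = ($actual -eq $t.Expect)
        }
    }
    $results | Format-Table -AutoSize

    if ($results.Ok -contains $false) {
        Write-Warning 'A client-side route bypassed a restriction: check the SMA user/group policies.'
    } else {
        Write-Host 'Policies are enforced server-side; the added route changed nothing.'
    }
}
finally {
    # Step 3: always remove the test route, even if a probe threw.
    Remove-NetRoute -DestinationPrefix $Subnet -InterfaceIndex $Adapter.ifIndex `
                    -PolicyStore ActiveStore -Confirm:$false
}
```

The probe only tells you about the ports you test, so include the services the deny policy is meant to cover; a TCP connect that times out and one that is actively refused both show up as "denied" here, which is all this check needs.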