How to restrict OpenVPN Connect Client to specific device?
Posted: Tue Aug 15, 2017 5:54 am
We have a requirement from the ISO auditors to restrict the OpenVPN client access to a corporate device (i.e. not allowing OpenVPN client access on a personal device).
We have responded that this requirement is not practical because users can install the same client and configuration file to access the server. The auditors replied that other companies met this requirement by using MAC address filtering. We have shared that a MAC address can easily be spoofed and that it operates only at Layer 2 addressing (the VPN operates on Layer 3 addressing).
Does anyone know if there is any viable method on OpenVPN to restrict the client to a specific set of devices? Or does OpenVPN have any check on the client to make sure it meets certain criteria? For example, Palo Alto Networks' GlobalProtect has a feature called Host Information Profile (HIP) that checks the client to make sure it meets all the specified criteria:
- Operating system and patch level
- Host anti-malware version
- Host firewall version
- Disk encryption
- Data backup products
- Customized host conditions
Thanks.