Endpoint Protection

  • 1.  Location aware for public hotspots. Block web traffic but allow access to HotSpot authentication page.

    Posted Sep 28, 2009 11:40 AM
    Hello, I am looking for tips/ideas to a problem that I am running into. I need to define a firewall rule set that will allow a client to connect to a public hotspot, authenticate to the hotspot via whatever portal application they use but disallow the user to access anything other than the authentication portal and establish a VPN connection once they are authenticated to the hotspot. Here is my current configuration I have defined:

    Location1 : Trusted Network
    Desc: On the trusted LAN allows access to everything.

    Location2: Untrusted Network
    Desc: Only allows outbound access to private IP ranges and allows VPN client to communicate outbound. Blocks all incoming.

    Location3: VPN Connection
    Desc: Split-tunneling is disabled, allows all traffic to route through the VPN tunnel.

    These locations/rule sets work perfectly when there is no page redirect requiring authentication. But in testing it at a local hotel I am able to connect to the wireless network but cannot establish a VPN connection due to the requirement of inputting their code at the hotel's authentication page. When I first pull up the browser it tries to establish an HTTP session to openDNS.com which is blocked. Of course, not all hotspots will have the same architecture in place for authentication so just allowing HTTP to openDNS will not work across all hotspots.

    Has anyone run into this same problem and found a solution? I was considering creating a 4th policy but I am not so sure that will work properly either. Thanks!



  • 2.  RE: Location aware for public hotspots. Block web traffic but allow access to HotSpot authentication page.

    Posted Sep 28, 2009 12:52 PM
    It probably depends on the exact hotspot. Some may use local IPs, which you could potentially exclude and just give users the instructions to try a local IP to configure. Others might pretend to be any and all IPs and/or DNS records until the user authenticates--those will be trickier. I can't really come up with a solution using SEP--hopefully somebody else here has some tricks up their sleeve.


  • 3.  RE: Location aware for public hotspots. Block web traffic but allow access to HotSpot authentication page.

    Posted Sep 28, 2009 01:14 PM
    I attempted to create a 4th policy this morning but as I expected it did not work as planned. The logic behind the 4th location was:

    Location4: HotSpot Authentication
    If client is not using Cisco VPN client
    and client does not have "internal DNS server1" or "internal DNS server2"
    and client DNS query "our .gov site url" does not equal "our .gov sites public ip"

    I was hoping that all DNS queries would be redirected before authentication and the lookup would either fail or return the redirected IP. Unfortunately, though, when I went and tested this at the hotel I was able to resolve DNS without authenticating to the portal, so this theory is out the window. Besides, the ability to resolve DNS before authenticating to a portal will be different per hotspot.

    -Brandon Louder
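A probe-classification routine, added here as an example (it is not the thread's or Symantec's code), that implements the checks the Location4 condition above was reaching for: it compares the DNS answer for a known host against that host's expected address and inspects the reply to an HTTP GET of a known page, and when a portal is in the way it returns the portal host so a rule set can be opened to that host alone. PROBE_HOST, EXPECTED_ADDR, EXPECTED_BODY and the sample responses are assumed or constructed values.

```python
"""Captive-portal probe classifier (added example, not from the thread or Symantec).

Encodes the two checks the Location4 idea relies on: does a known name resolve to
its real address, and does a known page come back unmodified? When a portal is
detected, the portal host is extracted so only that host needs to be permitted.
PROBE_HOST, EXPECTED_ADDR and EXPECTED_BODY are assumed values.
"""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit

PROBE_HOST = "probe.example.org"  # assumed: a host you control that always serves EXPECTED_BODY
EXPECTED_ADDR = "203.0.113.10"     # assumed public address of PROBE_HOST (documentation range)
EXPECTED_BODY = b"OK"              # assumed fixed body PROBE_HOST serves over plain HTTP

REDIRECTS = {301, 302, 303, 307, 308}


@dataclass
class HttpProbe:
    """What came back from GET http://PROBE_HOST/ with redirects NOT followed."""
    status: int
    headers: Dict[str, str]  # header names lower-cased
    body: bytes


@dataclass
class Verdict:
    state: str                         # "open", "portal" or "blocked"
    portal_host: Optional[str] = None  # host to permit while the user authenticates


def dns_is_honest(resolved: Optional[str]) -> bool:
    """True only when the resolver returned the address we expect for PROBE_HOST."""
    return resolved == EXPECTED_ADDR


def classify(probe: Optional[HttpProbe], resolved: Optional[str]) -> Verdict:
    """Decide whether the link is open, intercepted by a portal, or simply blocked."""
    if probe is None:
        return Verdict("blocked")  # no HTTP answer at all: stay in the locked-down location
    if probe.status in REDIRECTS:
        # Classic portal: the gateway bounces us to its login page; take the host from Location.
        return Verdict("portal", urlsplit(probe.headers.get("location", "")).hostname)
    if probe.status == 200 and probe.body.strip() == EXPECTED_BODY and dns_is_honest(resolved):
        return Verdict("open")  # the real page arrived untouched: we are past the portal
    # 200 with a foreign body (portal served inline) or a hijacked DNS answer.
    # If DNS lied, the address it handed out is usually the portal itself.
    return Verdict("portal", None if dns_is_honest(resolved) else resolved)
```

The redirect branch covers the hotel's page bounce; the foreign-body and hijacked-DNS branches cover the hotspots that answer for any name, which post 2 notes are the harder case.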


  • 4.  RE: Location aware for public hotspots. Block web traffic but allow access to HotSpot authentication page.

    Posted Sep 28, 2009 03:01 PM
    Yes, so many hotspots allow DNS and ICMP through without authentication that there are actually tools to tunnel a connection through ICMP and DNS! They aren't super fast, but it's interesting nonetheless.