Hi,
we are at the moment Designing Location Based Firewall Rules depending on the location of the Employee Asset. Our Aim is to restrict usage of Company Assets in the internet without having a VPN established. We would need to have 3 different Locations.
1st Location would Internal. The Computer is conntected to the coorperate Network and has the Firewall disabled/limited/wide open. Either connected directly or via VPN.
2nd Location is External. This location would be a private WIFI and within this Location the computer is only allowed to connect via VPN. All other Traffic is restriced.
3rd Location is External to be Authenticated. This Location is required to grant employees access to Public HotSpots (e.g. in a Hotel, at the Airport or any other Public Wifi with authentication). This Location should only grant access to the authentication Website or the Hotspot - and in a best case only for a limited timeframe (5-10 min) that the employee has to authenticate and setup the VPN. Bypassing VPN should be limited to a minmal risk.
Within Location Intern, we are checking for Client-IP-Range and our DNS Servers.
Within Location External, we are checking if an internal website isnt resolvable and the Client can ping a public IP (e.g. 8.8.8.8)
Within Location Ext.to be authenticated, we are checking if an internal website isnt resolvable and the client cannot ping a public IP (e.g 8.8.8.8).
We did a lot of research in the internet and on all public papers form Sym. but we didnt find a suitable or best practise solution.
Our expierience is that the location switch isnt working as expected. Sometimes it works, sometimes not. Once connected via VPN it sometimes changes to internal and sometimes not.
Can someone please help us out.
Any help is appreciated!
BR