Global Protect VPN Solution is defined with Pre-login and always-on VPN features.

Workflow:

Once the machine is booted and before user login, the machine is authenticated based on certificate and identified in logs with the (Pre-login) user. Pre-login access is restricted to the Mac Management solution and AD.

Once the user is logged in, a new tunnel is initiated and authenticated by the same certificate, with the ability to identify the username in the certificate so it can be added to the user-IP mapping table.

User group access rules are created to match only a specific user group for access to internal resources.

Required: MFA integration with Pre-login

My main scope is to add a stronger authentication mechanism, as with pre-logon:

Step 1: machines are authenticated and authorized once they boot up, based on the First Authentication Factor (Client-Certificate), to access AD servers.

Step 2: adding to that a Second Authentication Factor: credential logins to be able to open the laptop itself.

In case the Client-Certificate is compromised, then the attacker can import it to his machine and do step 1 then step 2 (as the device credentials are already known to the attacker - it is already his machine).

Proposal A: If we applied it with pre-login, I think it won't be suitable, as the machine is already authenticated and any traffic is blocked except for specific destinations such as AD. Once users log in, maybe here we can apply an Authentication security policy that declares that for access to internal resources we need MFA.

So with my Proposal A, the attacker can still be connected through VPN. Maybe he doesn't have access to internal resources without a valid OTP, but he still can do a DoS attack to bring down my service.

So I hope it is a good challenge for you to think about 🙂