Bypassing GlobalProtect always-on

So we’re looking at rolling out GlobalProtect as an always-on VPN to everyone, routing all traffic through the company. (Not my call.)

I just ran through this scenario and wanted to get some feedback or advice on how to mitigate this threat without resorting to turning off local detection.

We use the internal detection feature of the GlobalProtect portal, as otherwise it caused all kinds of issues trying to connect to things like printers, conference room equipment, etc. while on site. When I used my Pi-hole I could determine the DNS request that the client was using to do its internal detection, internalserver.domain.com, so I then made my own DNS record to reflect that internal IP. And boom, GlobalProtect now thinks I’m at work, GlobalProtect is bypassed, and my traffic is no longer all routed through work.

There is a feature recently introduced to address this scenario, called advanced host detection: Advanced Internal Host Detection

Have you seen this?

Same thing for enforcing the VPN connection: if you edit the registry you can disable it. It’s not perfect, but I’m betting 99.99% of your end users couldn’t figure it out lol

Do your users have admin rights?

With network segmentation and isolation internally, users should not be able to reach things like printers without their traffic routing through the internal gateway correctly. Or take it one step farther, turn your internal users network into an untrusted network and require all users to connect to an external gateway to have any data access.

Thanks, u/letslearnsmth and u/ant_72.

I’ll have to look into that. I’m crossing my fingers it’s not a licensed feature as I’m not sure how people are going to feel when I tell them the $$ to resolve the workaround.

If GP clients are in a different subnet than the “printers and conference room equipment”, reaching them shouldn’t be an issue with the tunnel established.

True, but we’re talking about high school students who have nothing better to do than to ‘hack’ the system and then distribute that knowledge, it’s a never-ending game of cat and mouse. The joys of IT in Education.

Ahh yeah, I do have that problem but to a much lesser degree.

Check out advanced internal host detection. It has to be able to verify the internal gateway’s certificate to be recognized as internal. Therefore, just spoofing DNS won’t work anymore. New feature in GP 6.1.
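To make the difference between the two detection modes discussed in this thread concrete (the DNS-only check the OP spoofed with a Pi-hole record, and the certificate-bound check described in the last reply), here is an added example; it is not GlobalProtect’s own code, and the hostname, IP address and CA file path are placeholders.

```python
"""DNS-only vs certificate-bound internal host detection (added example,
not PAN-OS/GlobalProtect code). Hostname, IP and CA path are placeholders."""
import socket
import ssl

# Placeholder values (assumptions): the detection hostname and IP that the
# portal hands to the client, and the CA that issued the internal gateway cert.
DETECT_HOST = "internalserver.domain.com"
DETECT_IP = "10.0.0.5"
GATEWAY_CA = "/etc/globalprotect/internal-gateway-ca.pem"


def dns_check(host, expected_ip, resolver=socket.gethostbyname):
    """DNS-only check: 'internal' when the detection name resolves to the
    expected address. Any resolver the endpoint trusts (a home Pi-hole, a
    hosts file) can satisfy this, which is the bypass described above."""
    try:
        return resolver(host) == expected_ip
    except OSError:
        return False


def gateway_cert_check(host, ip, cafile, port=443, timeout=3.0):
    """Certificate-bound check: open TLS to the resolved address and require a
    chain to the pinned internal CA whose leaf SAN matches the gateway name.
    A forged DNS answer alone cannot pass: whatever listens at the forged
    address must also present a certificate issued by that CA."""
    try:
        ctx = ssl.create_default_context(cafile=cafile)
        ctx.check_hostname = True            # SAN must match `host`
        ctx.verify_mode = ssl.CERT_REQUIRED  # untrusted issuer: handshake fails
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert() is not None
    except (OSError, ssl.SSLError, ValueError):
        # Missing CA file, refused/timed-out connection, bad chain or name
        # mismatch: treat the endpoint as external and keep the tunnel up.
        return False


def is_internal(host=DETECT_HOST, expected_ip=DETECT_IP, cafile=GATEWAY_CA,
                resolver=socket.gethostbyname, port=443):
    """Both conditions must hold; an agreeing DNS answer alone is not enough."""
    if not dns_check(host, expected_ip, resolver):
        return False
    return gateway_cert_check(host, expected_ip, cafile, port)


if __name__ == "__main__":
    print("internal" if is_internal() else "external: tunnel stays on")
```

Run against a real portal configuration by pointing `GATEWAY_CA` at the CA that signed the internal gateway certificate; with a spoofed resolver the DNS step passes but the TLS step fails, so the result stays "external".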