0

How would you enforce user PC to only connect to a given network? Answers need to be OS agnostic.

One weak solution could be to set client-side firewall rules to only allow communications with legit_IP_allowed_network, but this will not prevent user to set a malicious network with a spoofed_IP_allowed_network which is the same as legit_IP_allowed_network.

User PC should only be able to connect to a network if the network has something. But something that cannot be spoofed.

Any hints? Certificates? Proxies? Which one?

Improve this question
3
  • You cannot. But why would you want to do that? Commented Jan 30, 2023 at 16:21
  • The way clients avoid arbitrary untrusted networks is to punch a VPN tunnel through to a trusted VPN server. The VPN will do key exchange with the VPN server to establish an ephemeral session key no eavesdropper can know, then asymmetric cryptography proves the server possesses the private key corresponding to a public key cached on the client. See SSH for how that mutual authentication works. Commented Jan 30, 2023 at 22:40
  • Once established, client can use the VPN while pretty much ignoring hops through untrusted/malicious networks along the way. (It's not quite as good as physical presence on the trusted network, since you're limited by bandwidth and latency and some information is leaked through a timing side-channel) Commented Jan 30, 2023 at 22:42

2 Answers 2

Reset to default
2

User PC automatically connects to a given VPN. All traffic is routed through that. Thus, the "physical" networks to which the PC is connected are only used for the VPN client connection (for which the legit vpn server is trivially validated through certificates, as with any other vpn).

This is not an uncommon setup. You can easily detect that a company is doing something like this when their description mentions that it's not possible to connect to networks using a captive portal (free access is only allowed after interacting with the captive portal, so the VPN is unable to connect until then, but the user can't navigate web pages before the VPN is up).

Improve this answer
0

TL,DR: You cannot.

Usually network controls work the other way around: making sure only certain clients can connect to it. For that you have MACSec, WPA, Kerberos, etc. Those protocols guard the network from unauthorized clients.

On the client side, it's complicated. OS-agnostic is even more difficult. Clients usually can connect to any available network, and the network is responsible for allowing or denying the access. A certificate or a proxy will help the network select the clients, not the other way.

On the hardware side, you could create a custom network card that does not use Ethernet (or a custom Ethernet stack) and build your entire network using this custom network stack. But nothing stops the client from using an USB-Ethernet or USB-Wlan adapter and connecting to something else. Then you can block the USB ports, and that would create more problems than it solves.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.