Any way to use Zeek to enforce company owned devices?

I badly need any possible way to confirm that company services exposed to the internet are only accessed by devices that we control, but for a couple different reasons, VPN’s are not suitable for some of our needs.

We run all services in house and typically use pfsense for firewalls and have zeek available as an add on. But here is a description of some of the services that we need to secure better. Webmail and exchange activesync protocol access being accessed from a variety of windows, linux, android and apple devices. The SMTP server needs to be accessible to the internet with no restrictions, but webmail and the activesync protocol I would like to lock down to only devices that we control.

I have two different possible ways that I would like to implement this and help us. The first one is my preference if possible.

  1. In some way, load something on company owned devices that the pfsense is able to detect to confirm as a company owned device before allowing any further access. This check should be done before allowing actual connection and user authentication to the target services. Devices that don’t pass this check are not allowed to proceed to the target service.

  2. If no good way to do that, then the fallback, next best case is to fingerprint OS and applications used to access the service and to block any OS version or application or the apps version that is not set as current expected. This also has benefit that if we expect security updates to happen that they are actually being done and everyone is not upgrading before we give the OK and actually upgrading when we push updates.

My preference is that these checks are done transparently with no authentication needed.

Is this possible with Zeek? If this can be done, then I have a long trek and quite a lot of reading and training to do before I can actually begin to craft this.

I don’t see any easy (or possibly even difficult) way to use Zeek here.

Option 1 is NAC. That is generally a commercial offering that relies on endpoint software.

Option 2 requires keeping data on what is considered up-to-date and authorized software. That’s a lot of work for whomever implements it.

Zeek is primarily a network situational awareness tool. You can gather evidence from the network but taking action requires more work. People have done that (like blackholing devices, etc.) but it sounds like NAC is more of what you need.