I badly need any possible way to confirm that company services exposed to the internet are only accessed by devices that we control, but for a couple of different reasons, VPNs are not suitable for some of our needs.
We run all services in house and typically use pfSense for firewalls and have Zeek available as an add-on. But here is a description of some of the services that we need to secure better: webmail and Exchange ActiveSync protocol access, accessed from a variety of Windows, Linux, Android and Apple devices. The SMTP server needs to be accessible to the internet with no restrictions, but webmail and the ActiveSync protocol I would like to lock down to only devices that we control.
I have two different possible ways that I would like to implement this and help us. The first one is my preference if possible.
- In some way, load something on company-owned devices that the pfSense is able to detect to confirm it as a company-owned device before allowing any further access. This check should be done before allowing the actual connection and user authentication to the target services. Devices that don't pass this check are not allowed to proceed to the target service.
- If there is no good way to do that, then the fallback, next-best case is to fingerprint the OS and applications used to access the service and to block any OS version, application or app version that is not set as the current expected one. This also has the benefit of confirming that, if we expect security updates to happen, they are actually being done, that nobody is upgrading before we give the OK, and that everyone actually upgrades when we push updates.
My preference is that these checks are done transparently with no authentication needed.
Is this possible with Zeek? If this can be done, then I have a long trek and quite a lot of reading and training to do before I can actually begin to craft this.
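As an added illustration of the fallback option (fingerprinting the client application and version per service), here is a small Python audit that reads a Zeek http.log excerpt and reports requests to the ActiveSync and webmail endpoints whose User-Agent is not on an approved list. This is example code written for this post, not something from the Zeek or pfSense projects. It assumes the standard Exchange URI prefixes `/Microsoft-Server-ActiveSync` and `/owa`, the approved client versions are constructed placeholders, and the log lines are made up. It also assumes Zeek can actually see the HTTP layer, which for HTTPS services means the traffic has to be decrypted before it reaches Zeek (for example on a tap behind a TLS-terminating reverse proxy); a passive sensor on the encrypted side only gets `ssl.log`, not `http.log`.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt of a Zeek http.log (TSV layout of Zeek's ASCII writer,
# columns trimmed to the ones used here). UIDs, addresses and user agents are
# made-up sample data, not captured traffic.
SAMPLE_HTTP_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\tuser_agent\tstatus_code
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tstring\tcount
1700000000.100000\tCa1b2c3\t203.0.113.10\t51000\t192.0.2.5\t443\tPOST\tmail.example.test\t/Microsoft-Server-ActiveSync?Cmd=Sync\tOutlook-iOS/2.0\t200
1700000001.200000\tCd4e5f6\t203.0.113.11\t51001\t192.0.2.5\t443\tPOST\tmail.example.test\t/Microsoft-Server-ActiveSync?Cmd=Ping\tOutlook-Android/4.1.9\t200
1700000002.300000\tCg7h8i9\t198.51.100.7\t51002\t192.0.2.5\t443\tGET\tmail.example.test\t/owa/\tMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0\t200
1700000003.400000\tCj0k1l2\t198.51.100.8\t51003\t192.0.2.5\t443\tGET\tmail.example.test\t/owa/auth/logon.aspx\tMozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0\t200
1700000004.500000\tCm3n4o5\t203.0.113.12\t51004\t192.0.2.5\t443\tOPTIONS\tmail.example.test\t/Microsoft-Server-ActiveSync\t-\t200
1700000005.600000\tCp6q7r8\t203.0.113.13\t51005\t192.0.2.5\t443\tGET\tmail.example.test\t/healthz\tcurl/8.4.0\t200
#close\t2023-11-14-22-13-26
"""

# Assumed policy: one entry per monitored service, keyed on the URI prefix the
# service lives under, with exact-version regexes for the clients we expect.
# The version numbers are placeholders; a real deployment pins what it approved.
POLICY = [
    {
        "name": "activesync",
        "uri_prefix": "/Microsoft-Server-ActiveSync",
        "allowed": [re.compile(r"^Outlook-iOS/2\.0$"),
                    re.compile(r"^Outlook-Android/4\.2\.1$")],
    },
    {
        "name": "webmail",
        "uri_prefix": "/owa",
        "allowed": [re.compile(r"^Mozilla/5\.0 \(Windows NT 10\.0; Win64; x64; rv:120\.0\) "
                               r"Gecko/20100101 Firefox/120\.0$")],
    },
]


def parse_zeek_tsv(text: str) -> List[Dict[str, str]]:
    """Parse Zeek's ASCII log format: '#fields' names the columns, other '#' lines are metadata."""
    fields: Optional[List[str]] = None
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row appeared before the #fields header")
        records.append(dict(zip(fields, line.split("\t"))))
    return records


def audit(log_text: str) -> List[Dict[str, str]]:
    """Return one violation per request to a monitored service from an unapproved client."""
    violations: List[Dict[str, str]] = []
    for rec in parse_zeek_tsv(log_text):
        uri = rec.get("uri", "-")
        ua = rec.get("user_agent", "-")   # Zeek writes '-' for an unset field
        for svc in POLICY:
            if not uri.startswith(svc["uri_prefix"]):
                continue
            if ua == "-":
                reason = "missing User-Agent"
            elif any(p.search(ua) for p in svc["allowed"]):
                reason = ""
            else:
                reason = "client not on approved list"
            if reason:
                violations.append({"uid": rec["uid"], "orig_h": rec["id.orig_h"],
                                   "service": svc["name"], "user_agent": ua,
                                   "reason": reason})
            break   # a URI belongs to at most one monitored service
    return violations


if __name__ == "__main__":
    for v in audit(SAMPLE_HTTP_LOG):
        print(f"{v['uid']} {v['orig_h']} {v['service']}: {v['reason']} ({v['user_agent']})")
```

Two things worth keeping in mind when reading the output. Zeek only observes, so a match here is a notice or a feed into a blocklist that pfSense or the reverse proxy enforces, not a block by itself. And the User-Agent is asserted by the client, so this catches devices that have drifted from the approved versions or unexpected clients, but it is not proof that a request came from a device you control; that stronger guarantee is what the first option (a device-held credential checked before the service is reached) provides.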