
At the moment, all company resources are "protected" behind a Cisco VPN, and our OSX clients are configured to (on-demand) connect to the VPN. As the VPN sets the default route for the OSX client to go through the VPN, it is extremely useful in protecting our employees' data when they are on unprotected networks (i.e. coffee shops).

Is there a way to, on OSX, require that the VPN be set up before applications are allowed to use the network? It seems like a rather hard problem, as you sometimes need to use the network to connect to access a public network through a captive web portal before you can establish the VPN.

Any ideas?
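The question relies on the VPN taking over the default route. A small check that verifies this is actually the case, rather than assuming it, is useful on the client side; the following is an added example, not code from the thread or from Cisco, and it assumes the VPN client exposes the tunnel as a utun* interface (typical on macOS, but an assumption here). The sample routing tables are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original thread): report whether the default
# route currently goes through a VPN tunnel interface. Assumes the Cisco client
# creates a utun* interface on macOS; adjust the pattern if yours differs.

# Print the interface of the default route from `netstat -rn` style output.
# The column is located by name ("Netif") because its position differs across
# macOS versions.
default_route_iface() {
  # $1: routing table text, as printed by `netstat -rn -f inet`
  printf '%s\n' "$1" | awk '
    $1 == "Destination" { for (i = 1; i <= NF; i++) if ($i == "Netif") col = i }
    $1 == "default" && col { print $col; exit }
  '
}

# Return 0 if the default route leaves via a utun* (tunnel) interface, 1 otherwise.
vpn_is_default_route() {
  iface=$(default_route_iface "$1")
  case "$iface" in
    utun*) return 0 ;;
    *)     return 1 ;;
  esac
}

# Constructed sample tables for offline use (addresses are made up).
SAMPLE_VPN_UP='Routing tables

Internet:
Destination        Gateway            Flags        Netif Expire
default            10.8.0.1           UGScg        utun2
10.8.0.1           10.8.0.5           UH           utun2
192.168.1/24       link#6             UCS          en0'

SAMPLE_VPN_DOWN='Routing tables

Internet:
Destination        Gateway            Flags        Netif Expire
default            192.168.1.1        UGScg        en0
192.168.1/24       link#6             UCS          en0'

# On a real Mac, run with --live to inspect the current routing table.
if [ "${1:-}" = "--live" ]; then
  if vpn_is_default_route "$(netstat -rn -f inet)"; then
    echo "default route is via the VPN tunnel"
  else
    echo "default route is NOT via the VPN tunnel"
  fi
fi
```

This only reports state; it does not prevent traffic, which is the point both answers make. It is enough for a login-time or periodic reminder to users that the tunnel is not carrying their traffic.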

2 Answers


Is there a way to, on OSX, require that the VPN be setup before applications are allowed to use the network?
Not that I'm aware of. Network is Network - If you have a network connection that provides a route to a given host the system will use it. Since you need to have a network connection (to the internet) before you can create the virtual network connection (to your VPN) you really can't "stop" the system from using it - at least not effectively.

If your users are accessing sensitive data they should be using the VPN - they should not have access to sensitive data/applications without using it. Your system architecture should prevent that. If you're concerned about a malicious third party spoofing your sensitive application and capturing data/login credentials an additional layer of security is a good idea -- SSL certificates are one of the more common measures employed.

voretaq7

I'm looking at this from a network perspective, rather than an OSX-specific programming problem.

Your network data sources are secured behind the VPN firewall, so you've already forced the issue in that, if the user does not connect to the VPN, their applications simply will not work, or they won't be able to connect to those company resources.

As was already stated, you need an existing network to tunnel through, so you can't force the VPN to come up as the primary network device. But it may simply be a user experience problem - they forget to use the VPN, or attempt to bypass it, and things don't work right. Or, you may have someone who is combining work-related activity with casual browsing, and because the VPN co-opts ALL network traffic, their forays to Facebook or wherever are being caught by your company firewall. This is also a user behavior thing - make it known that "The VPN connects to the company network, and all company network use policies are in effect".

Beyond that, I'm not sure what else you'd need to enforce that would require the use of routing tables or other settings on the client that would bring up the VPN automatically.

George Erhard