Questions[android](server)

Recently a user unplugged their company PC from the network and used USB tethering with their Android phone to bypass the company network entirely and access the internet. I don't think I need to explain why this is bad. What would be the best way, from a zero-cost (i.e. open source, using scripting and group policy, etc.) and technical standpoint (i.e. HR has already been notified, I don't think that this is a symptom of some sort of deeper underlying corporate culture problem, etc.), to detect and/or prevent something like this from happening again? It would be nice to have a system-wide solution (e.g. by using group policy), but if that is not possible then doing something specific to this person's PC could also be an answer.

A few details: The PC is Windows 7 joined to an Active Directory domain, the user has ordinary user privileges (not administrator), there is no wireless capabilities on the PC, disabling USB ports is not an option

NOTE: Thank you for the great comments. I added some additional details.

I think that there are a lot of reasons why one would want to disallow tethering, but for my particular environment I can think of the following: (1) Anti-virus updates. We have a local anti-virus server that delivers updates to network connected computers. If you are not connected to the network you cannot receive the updates. (2) Software Updates. We have a WSUS server and review each update to approve/disallow. We also deliver updates to other commonly used software programs such as Adobe Reader and Flash via group policy. Computers cannot receive updates if they are not connected to the local network (updating from external update servers is not permitted). (3) Internet filtering. We filter out malicious and, uh, naughty(?) sites. By using a tether you can bypass the filter and access these sites and possibly compromise the security of your computer.

More background information: HR was notified already. The person in question is a high level person so it is a little bit tricky. "Making an example" of this employee although tempting would not be a good idea. Our filtering is not severe, I'm guessing that the person may have been looking at naughty sites although there is no direct evidence (cache was cleared). He says he was just charging his his phone, but the PC was unplugged from the local network. I'm not looking to get this person in trouble, just possibly prevent something similar from happening again.

In our lab, we have static IPs assigned to everything. We have less than 20 devices, some physical and some virtual on ESXi, ranging from servers to android tablets. Everything is wired ethernet. There are 3 VLANs on the switch. Our virtual linux machines work fine because the vSwitch seems to apply the tags, but our physical Linux machines need to have their ifcfg-eth0 interface changed to be ifcfg-eth0.20 in order to participate with the network. Our Android tablet with ethernet dongle cannot create this new ethernet config for vlan tagging the way linux does, due to it not being rooted and there are no tools for wired vlan setups as far as I know. (It is Android 4.0.)

Shouldn't the switch be responsible for tagging the network traffic based on a machine's subnet and the ports it is plugged into? Why do the physical Window's machines seem to handle the VLAN without extra setup, but the Linux physical machines need a new interface config to see traffic? Shouldn't the physical switch be able to do this the same way the vSwitch is doing it for our Virtual machines?

I just want the Android device to consume services from the VMs and Windows machines, but I can't even ping them or the gateway because the VLAN can't be set manually on the device.

When connecting android mobile devices to Exchange ActiveSync some require granting device administrator privileges which permit an exchange administrator to remotely wipe the phone. The warning messages are scaring some mobile users and turning them away from using Exchange ActiveSync altogether.

How can I disable his functionality on Exchange Server 2010? [security breaches are not an issue here]

I have a Ubuntu Lucid Lynx VM which I've been tinkering with. I want to set up a VPN and I am happy to learn how to do it on my own but the vastness of options makes my head spin, so I'm just looking for pointers.

Factors I want considered for my setup

• Each user needs personal authentication (not one password for all)
• I want know what OS the client is using (android / iphone other)
• I want to track how much bandwidth is being used by each individual
• Although security is important, it's mainly for bypassing China's great firewall (reach facebook / twitter) so I'm not trying to protect pentagon files. Security is good, as long as it doesn't involve hours of complicated configurations.
• Prevent the same user from using multiple devices to access vpn at the same time
• Any sugggestions?

So my questions are:

• What protocol should i use to be compatible with Android (say 1.6+) and iPhones?
• What administrative software should I use (free preferably but willing to invest a little)?
• What guides / tutorials can you recommend that are a little bit less confusing than this?

Android:

16 IPSec VPN Tunnels
8 L2TP VPN Tunnels (Dial-in: 4, Dial-out: 4)
8 PPTP VPN Tunnels (Dial-in: 4, Dial-out: 4)

• Embedded IPSec & PPTP client/server
• IKE key management
• DES, 3DES and AES encryption for IPSec
• Embedded powerful 3DES accelerator
• MPPE Encryption for PPTP
• L2TP within IPSec
• L2TP/PPTP/IPSec pass-through

iPhone

• L2TP / IPSec
• MSChapV2 Password
• RSA SecurID
• CRYPTOCard
• PPTP
• MSChapV2 Password
• RSA SecurID
• CRYPTOCard
• Cisco IPSec VPN
• Password
• RSA SecurID
• CRYPTOCard
• Certificate

NOTES

• I'll be sure to add a bounty after the 2 day period, hope this question can help other people who would like to create a similar setup.
• The title of this question is not that great, feel free to edit
• I don't need all answers answered any pointers would help :)

I am trying to configure my Cisco ASA 5510 running software version 8.2 to allow my Droid X to connect via L2TP/IPSec VPN. I have configured the DefaultRAGroup like so:

tunnel-group DefaultRAGroup general-attributes
 address-pool vpn_pool
 default-group-policy droid
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 no authentication chap
 authentication ms-chap-v2

and the associated group policy:

group-policy droid internal
group-policy droid attributes
 wins-server value (ip omitted)
 dns-server value (ip omitted)
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelall

Watching the log while I try to connect from my phone, I get to "PHASE 2 COMPLETED" but then nothing else happens, and after a few more seconds, the phone says the connection failed. With full ipsec, isakmp, and l2tp debugs, I can see the IKE negotiation complete successfully and the IPSec SA established, then there are these messages:

IKEQM_Active() Add L2TP classification rules: ip <72.121.92.238> mask <0xFFFFFFFF> port <1701> 
L2TP LOWERLAYER: l2tp_add_classification_rules()...ip <72.121.92.238> mask <255.255.255.255> port <1701>
L2TP LOWERLAYER: l2tp_add_fw_rule(): If 1, peer IP 72.121.92.238, peer port 1701
L2TP LOWERLAYER: np_classify_add_static(PERMIT) vpif_num<1>  np_rule_id <0xd84fa348>
L2TP LOWERLAYER: l2tp_add_punt_rule(): If 1, peer IP 72.121.92.238, peer port 1701
L2TP LOWERLAYER: np_classify_add_static(PUNT) vpif_num<1>  np_rule_id <0xd850ad08>

...and nothing else happens. No L2TP traffic flows, and there are no error messages. Inspecting "show vpn-sessiondb" indicates the ASA believes it has established ISAKMP and IPSec associations, but there are no L2TP/IPSec sessions. Has anyone gotten this working; or, failing that, any ideas for how to further troubleshoot this problem?

Edit: Additional testing has shown that it works with a non-android L2TP client, it works from the Droid X over WiFi, but it does NOT work from the Droid X over Verizon's wireless data network. I have filed a bug in the android tracker here: http://code.google.com/p/android/issues/detail?id=9950