

Assigning vpn client ip address range

Posted on 2005-03-03
Last Modified: 2013-11-16
I have a class C internal LAN and will be implementing VPN. I would like my VPN clients to securely access my internal resources via VPN and be able to browse the internet at the same time. I've read articles that seem to suggest this is not recommended, as the VPN client can become a virtual gateway into the corporate network for hackers.

My questions are:
Do I assign an offset IP address range to my VPN clients, e.g. use class A addresses for VPN clients, to prevent users being able to surf and access VPN resources simultaneously?
Do I need to assign static VPN IPs, or can I get DHCP working for my VPN clients?

I'm using Checkpoint firewall & VPN.
Question by:isltt

Assisted Solution

ahoffmann earned 750 total points
ID: 13452958
Whether your client can surf simultaneously depends on the client's VPN software.
As you're using Checkpoint, I assume that your clients are using Checkpoint's VPN client too. Then there is a setting that the client is not allowed to route other traffic than that through the VPN tunnel.
If you have done this, then you can restrict those (VPN) IPs to go to the internet using your Checkpoint rules.

Accepted Solution

harbor235 earned 750 total points
ID: 13452977
There are security implications when using split-tunnel mode (internet access via VPN). If you do not trust the VPN users then I would not allow them internet access. Why allow them to surf the internet on your dime? You cannot control who has access at the remote end; also, VPN access should use authentication to verify user credentials. Checkpoint can use SecureID, Secure remote, LDAP, Radius, etc. I would use them. It all depends on how important your site security is and what you feel comfortable with. Assign a unique address range dynamically for the incoming VPN users.
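
The two answers above recommend a dedicated address range for VPN clients plus firewall rules that limit where that range may go. The following is an added example, not part of the original thread and not Checkpoint syntax: it audits a simplified first-match rule list, and the LAN, pool and probe addresses are constructed assumptions.

```python
import ipaddress

# Constructed sample policies: (source, destination, action), first match wins.
LAN, POOL = "192.168.1.0/24", "10.99.0.0/24"   # assumed addresses
STRICT_RULES = [
    (POOL, LAN, "accept"),           # VPN clients may reach internal hosts
    (POOL, "0.0.0.0/0", "drop"),     # ...and nothing else
    (LAN, "0.0.0.0/0", "accept"),    # local hosts may browse
]
LOOSE_RULES = [
    (POOL, LAN, "accept"),
    ("0.0.0.0/0", "0.0.0.0/0", "accept"),  # catch-all also covers the pool
]

def first_match(rules, src, dst):
    """Action of the first rule matching src -> dst; implicit drop otherwise."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_src, rule_dst, action in rules:
        if s in ipaddress.ip_network(rule_src) and d in ipaddress.ip_network(rule_dst):
            return action
    return "drop"

def audit_vpn_pool(lan, pool, rules, internet_probe="198.51.100.10"):
    """Return a list of findings for a VPN client pool (empty list = clean)."""
    lan_net, pool_net = ipaddress.ip_network(lan), ipaddress.ip_network(pool)
    if pool_net.overlaps(lan_net):
        # Rules keyed on source address cannot separate VPN clients from LAN hosts.
        return ["VPN pool overlaps the LAN"]
    # Spot-check the first and last usable pool addresses, not every address.
    clients = [str(pool_net[1]), str(pool_net[-2])]
    server = str(lan_net[1])
    findings = []
    if not all(first_match(rules, c, server) == "accept" for c in clients):
        findings.append("VPN pool cannot reach the LAN")
    if any(first_match(rules, c, internet_probe) == "accept" for c in clients):
        findings.append("VPN pool can reach the internet through the gateway")
    return findings

if __name__ == "__main__":
    for name, rules in (("strict", STRICT_RULES), ("loose", LOOSE_RULES)):
        print(name, audit_vpn_pool(LAN, POOL, rules) or "no findings")
```

This only covers traffic that passes through the gateway; whether the client machine routes internet traffic outside the tunnel is decided by the client-side setting mentioned in the first answer.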

