Assigning vpn client ip address range

Posted on 2005-03-03
Medium Priority
Last Modified: 2013-11-16
I have a class c internal lan and will be implementing vpn. I would like my vpn clients to securely access my internal resources via vpn and be able to browse internet at the same time. I've read articles that seem to suggest this is not recommended as the vpn client can become a virtual gateway into the corporate network for hackers.

My questions are:
Do I assign an offset ip address range to my vpn clients e.g use class A addresses for vpn clients to prevent users being able to surf and access vpn resources simultaneously
Do I need to assign static vpn IPs or can i get dhcp working for my vpn clients

I'm using checkpoint fwall & vpn
Question by:isltt
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 51

Assisted Solution

ahoffmann earned 750 total points
ID: 13452958
if your client can surf simultaneously depends on the client's vpn software
As you're using checkpoint, I assume that your clients are using checkpoints vpn client too. Then there is a setting that the client is not allowed to route other traffic thatn that through the vpn tunnel.
If you have done this, then you can restrict those (vpn)IPS to go to internet using your checkpoint rules.
LVL 32

Accepted Solution

harbor235 earned 750 total points
ID: 13452977
There are security implications when using split-tunnel mode (internet access via VPN). If you do not
trust the VPN users then I would not allow them internet access. Why allow them to surf the internet on your dime? You cannot control who has access at the remote end,also, VPN access should use authentication to verify user credentials. Checkpoint can use SecureID,Secure remote, LDAP, Radius, etc .... I would use them. It all depends how important your site security is and what you feel comfortable with. Assign a unique address range dynamically for the incoming VPN users.


Featured Post

Cyber Threats to Small Businesses (Part 1)

This past May, Webroot surveyed more than 600 IT decision-makers at medium-sized companies to see how these small businesses perceived new threats facing their organizations.  Read what Webroot CISO, Gary Hayslip, has to say about the survey in part 1 of this 2-part blog series.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this blog we highlight approaches to managed security as a service.  We also look into ConnectWise’s value in aiding MSPs’ security management and indicate why critical alerting is a necessary integration.
Ever wonder what it's like to get hit by ransomware? "Tom" gives you all the dirty details first-hand – and conveys the hard lessons his company learned in the aftermath.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question