Solved

VPN split tunneling - real risks or not?

Posted on 2005-03-23
Last Modified: 2013-11-16
We have a Cisco PIX 515 with a remote client VPN set up.

My clients complain that they cannot access the internet when connected to the VPN; however, I am being asked not to enable split tunneling as this poses too much of a security risk. Is this really the case?

Is there any way of either:
1. Telling the PIX how to route requests coming from VPN clients for www addresses
2. Setting up some static routes on the users' PCs instead of using split tunneling

Thanks in advance
Question by:s9
12 Comments
 
LVL 18

Expert Comment

by:JConchie
ID: 13612647
This is more of a DNS issue than anything else. Are you running an internal DNS server? If not, set one up as a forwarder to your ISP's DNS. Then point your clients at your internal DNS; they will then be able to access both your LAN resources and the internet.
Add their own ISP DNS servers as additional DNS servers, after your internal one, and they will be able to access the internet when not connected to the VPN.
 
LVL 9

Accepted Solution

by:jjoseph_x (earned 252 total points)
ID: 13613483
Split tunneling isn't necessarily a very big risk (unless you've got heavy-duty network security policies). The danger with split tunneling is that someone could compromise a client computer (like take control of it) and access the office network.

The PIX isn't able to route requests from the VPN out another interface (like its outside interface), so you'd have to use a proxy server. Also, the Cisco VPN client will redirect all IP traffic (regardless of routes... I tried adding static routes once: no dice).

So you either have to use a Proxy server on your LAN for your VPN users or you'll need to enable split tunneling.
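The inside-proxy approach from the accepted solution, as an added example that is not part of the original thread and not Cisco's or Experts Exchange's code: a proxy auto-config (PAC) script for the VPN clients. With the tunnel carrying all traffic, corporate destinations are reached DIRECT through the tunnel and everything else is handed to an HTTP proxy on the inside of the PIX, which makes the request out to the internet on the client's behalf. The proxy name and port (proxy.corp.example:3128), the corporate domain (corp.example) and the use of the RFC 1918 ranges for the internal LAN are assumptions for the example; browsers supply the PAC helper functions, which are re-implemented here so the script also runs under Node.

```javascript
// PAC file for full-tunnel VPN clients (added example, hypothetical names).
// Browsers provide isPlainHostName/dnsDomainIs/isInNet themselves; they are
// re-implemented here so the same file can be exercised under Node.

var PROXY = "PROXY proxy.corp.example:3128";   // assumed inside proxy
var INTERNAL_DOMAIN = ".corp.example";          // assumed corporate domain

function isPlainHostName(host) {
  return host.indexOf(".") === -1;             // "intranet", not "intranet.corp.example"
}

// True only when host ends with the domain including its leading dot,
// so "notcorp.example" does not match ".corp.example".
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

// Dotted quad -> unsigned 32-bit value; -1 for anything that is not an IPv4 literal.
function ipToInt(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return -1;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return -1;
    n = n * 256 + octet;
  }
  return n;
}

// isInNet(host, network, mask): true when host is an IPv4 literal inside
// the network.  Unlike the browser helper this never resolves hostnames,
// so no name is classified by a DNS lookup here.
function isInNet(host, network, mask) {
  var h = ipToInt(host), p = ipToInt(network), mk = ipToInt(mask);
  if (h < 0 || p < 0 || mk < 0) return false;
  return (h & mk) === (p & mk);   // both sides go through the same int32 conversion
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Unqualified names, localhost and the corporate domain are inside hosts:
  // reachable through the tunnel, so talk to them directly.
  if (isPlainHostName(host) || host === "localhost" ||
      host === INTERNAL_DOMAIN.substring(1) || dnsDomainIs(host, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }

  // RFC 1918 literals: the internal LAN (assumed to be what the tunnel carries).
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }

  // Everything else: the PIX will not send tunnel traffic back out its outside
  // interface, so the inside proxy has to fetch it.  The "; DIRECT" fallback is
  // what lets the same PAC work when the laptop is off the VPN and the proxy is
  // unreachable; on the VPN a proxy outage means the direct attempt still goes
  // through the tunnel and fails, rather than bypassing the proxy.
  return PROXY + "; DIRECT";
}
```

Point the clients' browsers at the PAC (a proxy auto-config URL on an inside web server, or a local file), and remember that only proxy-aware applications benefit: anything that opens its own sockets to internet hosts still goes through the tunnel and still needs either split tunneling or an inside forwarder of its own.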
 
LVL 5

Assisted Solution

by:tmehmet (earned 248 total points)
ID: 13613579
Re split tunneling for end users in general:

Split tunneling is not a policy that most corporates allow for remote users on the internet who VPN in.

I have looked into split tunneling and my personal feeling is it's pretty bad to do in the situation I mention above. Having an unprotected device on the internet with full access to corporate facilities is not a good thing, neither is it good to allow uncontrolled devices to talk to the PC whilst VPN'd into the office, because the other machines may well have viruses, trojans etc.

If faced with someone who works regularly from home, then the solution is to offload the firewall/VPN to a dedicated device (say a SOHO device); once that is in place, it should be OK to VPN into the office whilst allowing internet access locally.

 
LVL 1

Author Comment

by:s9
ID: 13613782
jjoseph_x - sounds like a good idea using a proxy on the inside. So I forward all upstream HTTP & HTTPS requests to the proxy and it then creates the route out. I will try it & award points if it works!

Thanks for your time
 
LVL 9

Expert Comment

by:jjoseph_x
ID: 13613827
No problem.
 
LVL 18

Expert Comment

by:JConchie
ID: 16145334
war1, this should not be deleted. The question was answered; points should go to jjoseph_x and tmehmet.
 
LVL 97

Expert Comment

by:war1
ID: 16146509
Asker never came back to report if jjoseph_x's suggestion worked for his specific problem.
 
LVL 18

Expert Comment

by:JConchie
ID: 16147088
That does not negate the fact that the question was correctly answered. Many questioners walk away after getting a solution without coming back. When the question has obviously been answered, the expert(s) should get the points.
 
LVL 9

Expert Comment

by:jjoseph_x
ID: 16148102
I agree with JConchie (and not because I want the points). I believe that the question was answered correctly (because you've either got to use a split tunnel or set up a proxy in the scenario that he described... there's no way around it). Of course, it's also very possible that it's infeasible for him to use a proxy server for his clients, so the answer still might not have suited him.

If you decide that the question is unanswered, then I think that you really ought to refund s9's points. However, since I think that it was answered, I think that you should force an accept and split the points among all those who answered.
 
LVL 9

Expert Comment

by:jjoseph_x
ID: 16148148
BTW thanks JConchie.
 
LVL 5

Expert Comment

by:tmehmet
ID: 16148259
The question asked if split tunneling is an issue. It most certainly is an issue, and his (boss, I assume) has told him not to allow it, hence he asked for an opinion from Experts Exchange.

We have answered the question.
 
LVL 97

Expert Comment

by:war1
ID: 16148399
OK! Moderator, please change the recommendation to:

Split: jjoseph_x and tmehmet
