Solved

VPN split tunneling - real risks or not?

Posted on 2005-03-23
Last Modified: 2013-11-16
We have a Cisco PIX 515, with a remote client VPN set up.

My clients complain that they cannot access the internet when connected to the VPN, however I am being asked not to enable split tunneling as this poses too much of a security risk.  Is this really the case?

Is there any way of either:
1. Telling the PIX how to route requests coming from VPN clients for www addresses
2. Setting up some static routes on the users' PCs instead of using split tunneling

Thanks in advance
Question by:s9
14 Comments
 
LVL 18

Expert Comment

by:JConchie
ID: 13612647
This is more of a DNS issue than anything else.....are you running an internal DNS server....if not, set one up as a forwarder to your ISP DNS.  Then point your clients at your internal DNS.....they will then be able to access both your LAN resources and the internet.
Add their own isp dns servers as additional dns servers, after your internal...and they will be able to access the internet when not connected to the vpn.
LVL 9

Accepted Solution

by:jjoseph_x (earned 252 total points)
ID: 13613483
Split tunneling isn't necessarily a very big risk (unless you've got heavy duty network security policies).  The danger with split tunneling is that someone could compromise a client computer (like take control of it) and access the office network.

The PIX isn't able to route requests from the VPN out another interface (like its outside interface), so you'd have to use a proxy server.  Also the Cisco VPN client will redirect all IP traffic (regardless of routes...  I tried adding static routes once: no dice).

So you either have to use a Proxy server on your LAN for your VPN users or you'll need to enable split tunneling.
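A concrete form of the proxy option from the accepted answer, added here as an example (not code from the thread): a proxy auto-config (PAC) file handed to full-tunnel VPN clients. Hosts under the corporate DNS suffix or inside the LAN range go DIRECT (i.e. through the tunnel); everything else is sent to the internal proxy, which becomes the client's only path to the internet while the VPN is up. The suffix `.corp.example`, the range `10.10.0.0/16` and `proxy.corp.example:3128` are assumed placeholders.

```javascript
// Added example (not from the thread): a PAC file for full-tunnel VPN clients.
// Corporate names/addresses stay DIRECT (they ride the tunnel); everything
// else is handed to the internal proxy. The domain, subnet and proxy address
// below are assumed placeholders. Helpers are plain ES3-style JS so the file
// works in a browser PAC engine and can also be exercised under Node.
var CORP_DOMAIN = ".corp.example";                 // assumed internal DNS suffix
var CORP_NET    = "10.10.0.0";                     // assumed LAN behind the PIX
var CORP_MASK   = "255.255.0.0";
var CORP_PROXY  = "PROXY proxy.corp.example:3128"; // assumed proxy on the LAN

// Dotted quad -> 32-bit number; null if the host is not a literal IPv4 address.
function ipv4ToInt(s) {
  var parts = s.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// True when a literal-IP host falls inside CORP_NET/CORP_MASK.
function inCorpNet(host) {
  var h = ipv4ToInt(host);
  if (h === null) return false;
  var net = ipv4ToInt(CORP_NET), mask = ipv4ToInt(CORP_MASK);
  // & yields signed 32-bit values; >>> 0 normalises both sides to unsigned
  return ((h & mask) >>> 0) === ((net & mask) >>> 0);
}

function hasSuffix(str, suffix) {
  return str.length >= suffix.length &&
         str.substring(str.length - suffix.length) === suffix;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (host === "localhost" || host === "127.0.0.1") return "DIRECT";
  if (host.indexOf(".") === -1) return "DIRECT";   // unqualified internal name
  if (hasSuffix(host, CORP_DOMAIN)) return "DIRECT";
  if (inCorpNet(host)) return "DIRECT";
  // No "; DIRECT" fallback on purpose: with the tunnel up the client has no
  // route to the internet except through the proxy, so failing closed is right.
  return CORP_PROXY;
}
```

The same file covers HTTPS, since the browser issues CONNECT to the proxy for those; non-browser applications need their own proxy setting.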
LVL 5

Assisted Solution

by:tmehmet (earned 248 total points)
ID: 13613579
re split tunneling for end users in general -

Split tunneling is not a policy that most corporates allow for remote users on the internet who VPN in,

I have looked into split tunneling and my personal feeling is it's pretty bad to do in the situation I mention above. Having an unprotected device on the internet with full access to corporate facilities is not a good thing, neither is it good to allow uncontrolled devices to talk to the PC whilst VPN'd into the office because the other machines may well have viruses, trojans etc.

If faced with someone who works regularly from home then the solution is to off load the firewall/VPN to a dedicated device (say a SOHO), once that is in place, it should be OK to VPN into the office whilst allowing internet access locally.

LVL 1

Author Comment

by:s9
ID: 13613782
jjoseph_x - sounds like a good idea using a proxy on the inside.  So I forward all upstream HTTP & HTTPS requests to the PROXY and it then creates the route out.  I will try it & award points if it works!

Thanks for your time
LVL 9

Expert Comment

by:jjoseph_x
ID: 13613827
No problem.
LVL 18

Expert Comment

by:JConchie
ID: 16145334
War, this should not be deleted....the question was answered...points should go to jjoseph and tmehmet
LVL 97

Expert Comment

by:war1
ID: 16146509
Asker never came back to report if jjoseph_x's suggestion worked for his specific problem.
LVL 18

Expert Comment

by:JConchie
ID: 16147088
That does not negate the fact that the question was correctly answered......many questioners walk away after getting a solution...without coming back.  When the question has obviously been answered, the expert(s) should get the points.
LVL 9

Expert Comment

by:jjoseph_x
ID: 16148102
I agree with JConchie (and not because I want the points).  I believe that the question was answered correctly (because you've either got to use a split tunnel or set up a proxy in the scenario that he described... there's no way around it).  Of course it's also very possible that it's infeasible for him to use a proxy server for his clients... so the answer still might not have suited him.

If you decide that the question is unanswered then I think that you really ought to refund S9's points.  However, since I think that it was answered, I think that you should force an accept and split the points among all those who answered.
LVL 9

Expert Comment

by:jjoseph_x
ID: 16148148
BTW thanks JConchie.
LVL 5

Expert Comment

by:tmehmet
ID: 16148259
The question asked if split tunneling is an issue, it most certainly is an issue and his (boss I assume) has told him not to allow it hence he asked for an opinion from Experts Exchange.

We have answered the question.
LVL 97

Expert Comment

by:war1
ID: 16148399
Ok! Moderator, please change recommendation to

Split: jjoseph_x and tmehmet