How to configure Split tunneling and security?

Answered Question
Mar 11th, 2007
Hi,

I would like to configure VPN users who are connected to the LAN to access the Internet. Am I understanding correctly that I need to use split-tunneling, and if so, are there any security concerns here?


Thanks in advance.


cpembleton Mon, 03/12/2007 - 13:08
User Badges:
  • Silver, 250 points or more

Yes it is possible to use split-tunneling to allow users to connect over the VPN and use the Internet.


How is your vpn setup? Pix, VPN concentrator, both, or something else?


If the user already has Internet, which they do if they are using VPN, why would you want them to use yours? It is just adding more traffic to your connection. It will have to travel from the VPN to LAN to Internet to LAN to VPN. Kind of a waste.


It's better to only split-tunnel the LAN networks they need access to and use their own Internet.


No real security issues. Bigger risk is allowing VPN in the first place.


Thanks,

Chad
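As an added illustration of the choice discussed above (not configuration from this thread or from Cisco's document), here is how the two options are expressed on a Cisco ASA/PIX 7.x for remote-access IPsec clients; the names SPLIT_TUNNEL, VPN_GP and VPN_TG and the 10.1.0.0/16 LAN are assumed for the example.

```cisco
! Assumed example LAN: 10.1.0.0/16. Only this prefix is sent through the tunnel;
! everything else leaves the client directly, via the user's own ISP.
access-list SPLIT_TUNNEL standard permit 10.1.0.0 255.255.0.0

group-policy VPN_GP internal
group-policy VPN_GP attributes
 ! Option A (split tunnel): tunnel only what the ACL above lists.
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 ! Option B (no split tunnel, the conservative default): send all client
 ! traffic, Internet included, through the VPN so the corporate firewall
 ! inspects it. Use this line instead of the two above.
 ! split-tunnel-policy tunnelall

! Bind the policy to the remote-access tunnel group the clients connect to.
tunnel-group VPN_TG type ipsec-ra
tunnel-group VPN_TG general-attributes
 default-group-policy VPN_GP
```

With option A, keep the ACL limited to the subnets remote users actually need, because anything that reaches the client from its ISP side can also reach those subnets through the tunnel.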

acomiskey Mon, 03/12/2007 - 13:17
User Badges:
  • Green, 3000 points or more

"No real security issues"


I think most people would disagree with that statement.


Snippet from the Cisco doc:

"Warning: Split tunneling can pose a security risk when configured. Because VPN Clients have unsecured access to the Internet, they can be compromised by an attacker. That attacker might then be able to access the corporate LAN via the IPsec tunnel."

cpembleton Mon, 03/12/2007 - 13:20
User Badges:
  • Silver, 250 points or more

If you want to split hairs.


No more than allowing VPN users access to the internal network or allowing any access to the Internet at all.


acomiskey Mon, 03/12/2007 - 13:34
User Badges:
  • Green, 3000 points or more

Not splitting hairs, just thought he should be aware.

You'll be wasting your network resources if you allow your VPN users to use split tunnelling. It wouldn't make sense to connect to your network and use the same network to access the Internet. Security issues: the most secure channel is your VPN connection, not the connection going back outside.


Hope this helps.


Julio

Correct Answer
Patrick Iseli Mon, 03/12/2007 - 19:55
User Badges:
  • Gold, 750 points or more

If the VPN client gets compromised, then your LAN gets compromised too!


Be sure that you run antivirus software and a personal firewall on those VPN clients.


For example: if a Trojan horse gets installed on that laptop through Internet Explorer, or a virus .....


Sincerely,

Patrick

cindylee27 Tue, 03/13/2007 - 04:28
Thanks guys for all your input. The reason for using split tunnel is that the company is not using a proxy for Internet access. Using the ISP's Internet / their own Internet... will try to get users to agree that when they want to use the Internet they disconnect the VPN.

Agreed that this is the risk.


Thanks again.


cindylee27 Wed, 03/14/2007 - 18:41
Hi Guys again,

Do you know where I can find something on the Cisco website to support the statement that split-tunneling is not recommended? I saw it somewhere but didn't bookmark it.. :(


Thanks again,


I would agree with the comments from Patrick with reference to allowing 'split-tunnelling' for remote VPN clients. Not so long ago, I was involved in clearing up a BIG mess on a customer network - one of their remote users' laptops was infected with a backdoor Trojan and when the user connected to his company network using the VPN client... guess what happened!!


Anyway, here is the document that you are after:


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml


Regards -


Jay


acomiskey Thu, 03/15/2007 - 06:05
User Badges:
  • Green, 3000 points or more

Ya, that's the doc I quoted in my first post.
