How to configure Split tunneling and security?

Answered Question
Mar 11th, 2007

Hi,

I would like to configure VPN users who are connected to the LAN to access the internet. Am I understanding correctly that I need to use split-tunneling, and if I use it, are there any security concerns here?

Thanks in advance.

Correct Answer by Patrick Iseli about 9 years 9 months ago

If the VPN client gets compromised, then your LAN gets compromised too!

Be sure that you run antivirus software and a personal firewall on those VPN clients.

For example: if your client got a Trojan horse installed through Internet Explorer, or a virus on that laptop...

Sincerely,

Patrick

cpembleton Mon, 03/12/2007 - 13:08

Yes it is possible to use split-tunneling to allow users to connect over the VPN and use the Internet.

How is your VPN set up? PIX, VPN Concentrator, both, or something else?

If the user already has Internet (which they do if they are using VPN), why would you want them to use yours? It is just adding more traffic to your connection. It will have to travel from the VPN to the LAN to the Internet to the LAN to the VPN. Kind of a waste.

It's better to only split-tunnel the LAN networks they need access to and use their own Internet.

No real security issues. Bigger risk is allowing VPN in the first place.

Thanks,

Chad
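As an added example (not code from this thread, and not taken from the Cisco document linked later in it), here is what "only split-tunnel the LAN networks they need" looks like on an ASA 7.x remote-access group policy, with the default "send everything through the tunnel" setting shown first for contrast. The policy name REMOTE_USERS, the ACL name SPLIT_TUNNEL_ACL and the 10.1.x.0/24 inside subnets are assumptions:

```cisco
! Added example, not from the original thread. Policy name, ACL name and
! subnets are assumptions; substitute your own.
!
! Default setting (shown for contrast): tunnelall sends every packet from
! the client, including its ordinary Internet traffic, through the tunnel
! and out via the corporate connection, the round trip Chad describes.
group-policy REMOTE_USERS internal
group-policy REMOTE_USERS attributes
 split-tunnel-policy tunnelall
!
! Narrow split tunnel: a standard ACL lists the inside networks that are
! reached through the tunnel; anything not matched uses the client's own
! Internet connection and never touches the corporate LAN.
access-list SPLIT_TUNNEL_ACL standard permit 10.1.1.0 255.255.255.0
access-list SPLIT_TUNNEL_ACL standard permit 10.1.2.0 255.255.255.0
!
! Replace tunnelall with tunnelspecified and point at the list above.
group-policy REMOTE_USERS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_ACL
!
! Attach the policy to the tunnel group the VPN clients connect to.
tunnel-group REMOTE_USERS general-attributes
 default-group-policy REMOTE_USERS
```

Check the result with `show running-config group-policy REMOTE_USERS`; on the Cisco VPN Client, the Statistics window's Route Details tab lists which destinations are secured by the tunnel. Keep the ACL to the subnets users actually need: every extra network in it is one more thing a compromised client can reach, which is the risk the other replies in this thread raise.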

acomiskey Mon, 03/12/2007 - 13:17

"No real security issues"

I think most people would disagree with that statement.

Snippet from the Cisco doc:

"Warning: Split tunneling can pose a security risk when configured. Because VPN Clients have unsecured access to the Internet, they can be compromised by an attacker. That attacker might then be able to access the corporate LAN via the IPsec tunnel"

cpembleton Mon, 03/12/2007 - 13:20

If you want to split hairs.

No more than allowing VPN users access to the internal network or allowing any access to the Internet at all.

You'll be wasting your network resources if you allow your VPN users to use split tunnelling. It wouldn't make sense to connect to your network and use the same network to access the internet. Security issues: the most secure channel is your VPN connection, not the connection going back outside.

Hope this helps.

Julio

cindylee27 Tue, 03/13/2007 - 04:28

Thanks guys for all your input. The reason for using split tunnel is that the company is not using a proxy for internet access. Using the ISP's internet/own internet... will try to get users to agree that when they want to use the internet they disconnect the VPN.

Agreed that this is the risk.

Thanks again.

cindylee27 Wed, 03/14/2007 - 18:41

Hi Guys again,

Do you know where I can find something on the Cisco website to support this, saying that split-tunneling is not recommended? I saw it somewhere but didn't bookmark it... :(

Thanks again,

I would agree with the comments from Patrick with reference to allowing 'split-tunnelling' for remote VPN clients. Not so long ago, I was involved in clearing up a BIG mess on a customer network: one of their remote users' laptops was infected with a backdoor Trojan, and when the user connected to his company network using the VPN client... guess what happened!!

Anyway, here is the document that you are after:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml

Regards,

Jay
