1191 Views, 0 Helpful, 10 Replies

How to configure Split tunneling and security?

cindylee27 (Level 1)

Hi,

I would like to configure a VPN user who is connected to the LAN to access the Internet. Am I understanding correctly that I need to use split tunneling, and if I use it, are there any security concerns here?

Thanks in advance.

1 Accepted Solution

If the VPN client gets compromised, then your LAN gets compromised too!

Be sure that you run antivirus software and a personal firewall on those VPN clients.

For example: if your client got a Trojan horse installed via Internet Explorer, or a virus on that laptop .....

sincerely

Patrick

10 Replies

cpembleton (Level 4)

Yes it is possible to use split-tunneling to allow users to connect over the VPN and use the Internet.

How is your vpn setup? Pix, VPN concentrator, both, or something else?

If the user already has Internet access, which they do if they are using VPN, why would you want them to use yours? It just adds more traffic to your connection. It will have to travel from the VPN to the LAN to the Internet, back to the LAN, and back over the VPN. Kind of a waste.

It's better to only split-tunnel the LAN networks they need access to and let them use their own Internet.

No real security issues. Bigger risk is allowing VPN in the first place.

Thanks,

Chad
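The two group-policy choices Chad is describing, written out as an added example for an ASA 7.x/8.x remote-access setup (this is not configuration from the thread or from the linked Cisco document; the group-policy name REMOTE_USERS, the ACL name SPLIT_LAN, and the LAN prefixes 10.10.0.0/16 and 192.168.50.0/24 are assumptions for illustration):

```text
! Added example, not from the original post. Assumed names: group policy
! REMOTE_USERS, standard ACL SPLIT_LAN, LAN prefixes 10.10.0.0/16 and
! 192.168.50.0/24. PIX 6.x uses "vpngroup <name> split-tunnel <acl>" instead.

! Option A: no split tunneling (tunnelall is the ASA default). All client
! traffic, Internet included, rides the tunnel and leaves through the
! corporate egress. This is the "double traversal" Chad describes, but the
! client has no direct Internet path while connected, which is what the
! Cisco warning about compromised clients is getting at.
group-policy REMOTE_USERS internal
group-policy REMOTE_USERS attributes
 split-tunnel-policy tunnelall

! Option B: split tunneling, restricted to the LAN prefixes the user
! actually needs. Everything not matched by SPLIT_LAN (the Internet) goes
! out the client's own ISP connection. Keep this list as small as possible;
! every prefix listed here is reachable from the client while it also has
! unfiltered Internet access.
access-list SPLIT_LAN standard permit 10.10.0.0 255.255.0.0
access-list SPLIT_LAN standard permit 192.168.50.0 255.255.255.0
group-policy REMOTE_USERS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_LAN

! Check what is actually applied before handing this to users:
show running-config group-policy REMOTE_USERS
show access-list SPLIT_LAN
```

If you go with Option B, pair it with the endpoint controls mentioned elsewhere in this thread (antivirus and a host firewall on the client), since the split-tunnel ACL only limits which destinations the tunnel carries; it does nothing about what reaches the client from its local Internet side.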

"No real security issues"

I think most people would disagree with that statement.

Snippet from cisco doc

"Warning: Split tunneling can pose a security risk when configured. Because VPN Clients have unsecured access to the Internet, they can be compromised by an attacker. That attacker might then be able to access the corporate LAN via the IPsec tunnel"

If you want to split hairs:

No more than allowing VPN users access to the internal network, or allowing any access to the Internet at all.

Not splitting hairs, just thought he should be aware.

flopez (Level 1)

You'll be wasting your network resources if you allow your VPN users to use split tunnelling. It wouldn't make sense to connect to your network and use the same network to access the internet. Security issues: the most secure channel is your VPN connection, not the connection going back outside.

Hope this helps.

Julio

Thanks guys for all your input. The reason for using split tunnel is that the company is not using a proxy for Internet access. Using the ISP's Internet / their own Internet... I will try to get users to agree that when they want to use the Internet they disconnect the VPN.

Agreed that this is the risk.

Thanks again.

Hi Guys again,

Do you know where I can find something on the Cisco website to support the statement that split tunneling is not recommended? I saw it somewhere but didn't bookmark it.. :(

Thanks again,

I would agree with the comments from Patrick with reference to allowing 'split-tunnelling' for remote VPN clients. Not so long ago, I was involved in clearing up a BIG mess on a customer network - one of their remote users' laptops was infected with a backdoor Trojan, and when the user connected to his company network using the VPN client... guess what happened!!

Anyway, here is the document that you are after:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml

Regards -

Jay

Ya, that's the doc I quoted in my first post.
