Cons of VPN hairpinning?

Unanswered Question
Mar 11th, 2009

I currently have an ASA providing VPN access into our network. We want to enable client-to-client communication, which looks like it will require that we set up hairpinning via the "same-security-traffic permit intra-interface" command. My boss would like to know what the cons would be of putting this command on the VPN concentrator and allowing the hairpinning. I have done a lot of searching and haven't found any cons, but since the default behavior of firewalls is not to allow traffic to go back out the interface that it originally came in on, it seems like there should be a reason why it wasn't allowed.


Does anyone have any ideas on what the cons would be of allowing hairpinning?


Thanks in advance!


The only one I can think of is if a machine has been compromised while connected to the VPN: apart from the obvious of putting your internal network at risk, the machine can be used as a jumping-off point to hack/spam/DoS out to the internet with a source IP of your firewall, effectively blacklisting your IP range. This does hamper doing business.


Other than that - can't think of anything else.


HTH
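An added example, not part of the original thread and not Cisco's own tooling: a small Python audit that checks an ASA configuration for the hairpinning command and lists group policies with no `vpn-filter` ACL bounding what VPN clients can reach once hairpinning is on. The sample configuration, policy names and ACL names are constructed, the function name `audit_hairpin` is hypothetical, and inheritance from the default group policy is not resolved.

```python
import re

# Constructed sample configuration (not taken from the thread).
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
access-list VPN-STAFF-FILTER extended permit ip 10.99.0.0 255.255.255.0 10.1.0.0 255.255.0.0
group-policy STAFF internal
group-policy STAFF attributes
 vpn-filter value VPN-STAFF-FILTER
group-policy CONTRACTORS internal
group-policy CONTRACTORS attributes
 vpn-filter none
group-policy PARTNERS internal
group-policy PARTNERS attributes
 vpn-filter value VPN-PARTNER-FILTER
"""

def audit_hairpin(config: str) -> dict:
    """Report hairpin status, policies with no vpn-filter ACL, and filters naming undefined ACLs."""
    hairpin = False
    acls = set()      # ACL names defined by access-list lines
    filters = {}      # group-policy name -> vpn-filter ACL name, or None
    current = None    # group-policy whose attributes block we are inside
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # top-level command ends any attributes block
            current = None
            if line == "same-security-traffic permit intra-interface":
                hairpin = True
            elif m := re.match(r"access-list (\S+) ", line):
                acls.add(m.group(1))
            elif m := re.fullmatch(r"group-policy (\S+) attributes", line):
                current = m.group(1)
                filters.setdefault(current, None)
        elif current and (m := re.fullmatch(r"vpn-filter value (\S+)", line)):
            filters[current] = m.group(1)
    return {
        "hairpin_enabled": hairpin,
        # "vpn-filter none" or no vpn-filter line: nothing bounds this policy's clients here
        "unfiltered_policies": sorted(p for p, a in filters.items() if a is None),
        # vpn-filter points at an ACL that the configuration never defines
        "undefined_acls": sorted(p for p, a in filters.items() if a and a not in acls),
    }

if __name__ == "__main__":
    print(audit_hairpin(SAMPLE_CONFIG))
```
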
