VPN Split-tunneling: Your opinion?

Hi all, if this is off-topic, feel free to smack me over TCP.

I was wondering what each of your opinions are RE: VPN Split-tunneling. Do you consider a split-tunnel setup to be particularly risky to allow from a security point of view? Compared to typical (modern) exploits such as trojans via email, XSS, web based attacks, etc - do you think that the risk of a client becoming misconfigured and allowing routing into the private network via a split tunnel is particularly prevalent?

_______________________________________________
firewall-wizards mailing list
firewall-wizards@...
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Re: VPN Split-tunneling: Your opinion?

> I was wondering what each of your opinions are RE: VPN Split-tunneling.
> Do you consider a split-tunnel setup to be particularly risky to allow from a security
> point of view? Compared to typical (modern) exploits such as trojans via email, XSS,
> web based attacks, etc - do you think that the risk of a client becoming misconfigured
> and allowing routing into the private network via a split tunnel is particularly
> prevalent?

I think, for client VPN configurations, that split tunnel versus full tunnel setups are a dead horse. The original thinking was that you didn't want a computer to be simultaneously connected to a trusted network and an untrusted network. If those requirements are still part of your architecture, then do full tunnel.

But in terms of actual risk, by having the client machine run with a host firewall that doesn't allow incoming connections (which is pretty standard fare for all vendors), you address the risk of someone bouncing through your clients from an untrusted network.

Are there still attacks against VPN client systems that can get by a host firewall? Absolutely. However, full tunnel does little to nothing to prevent them. Most malware we see today does some form of phone-home from the client for C&C. If your full tunnel VPN configuration allows connected clients to access the Internet, that phone-home is still going to work (though centralized firewall & IPS will be in play). Even if your full tunnel setup prevents C&C, malware can still get on the client while it's disconnected and will gain access to your trusted network when the client connects. Having live C&C is not a necessity for theftware to pilfer data off of file shares or have a worm spread across the VPN tunnel.

PaulM
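One way to check a Linux client for the misconfiguration the question and PaulM's reply discuss, as an added example that is not code from this thread or from the list: classify the routing table as full or split tunnel, then flag the combination (split tunnel plus IP forwarding) that would let the client route other hosts into the private network. The two routing tables, the interface names and all addresses below are constructed; on a real host you would feed in `ip -4 route show` output and the contents of /proc/sys/net/ipv4/ip_forward.

```python
import re
# Constructed sample tables (not from a real client). Split tunnel: only
# 10.0.0.0/8 goes via tun0; everything else leaves over wlan0 unfiltered.
SPLIT_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""
# Full tunnel: the default route itself points into the VPN; only the
# VPN concentrator's public address (203.0.113.10) is reached directly.
FULL_TUNNEL_ROUTES = """\
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
203.0.113.10 via 192.168.1.1 dev wlan0
"""

VPN_IFACE_RE = re.compile(r"^(tun|tap|wg|ppp|ipsec)\d*$")


def parse_routes(text):
    """Return (destination, interface) pairs from `ip -4 route show` output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((parts[0], dev))
    return routes


def classify_tunnel(text):
    """'full' if the default route uses a VPN interface, 'split' if a VPN
    interface exists but the default route bypasses it, else 'none'."""
    routes = parse_routes(text)
    vpn_ifaces = {dev for _, dev in routes if dev and VPN_IFACE_RE.match(dev)}
    if not vpn_ifaces:
        return "none"
    default_devs = {dev for dest, dev in routes if dest == "default"}
    return "full" if default_devs and default_devs <= vpn_ifaces else "split"


def assess_risk(text, ip_forward):
    """Flag the thread's worry: a split-tunnel client that also forwards packets
    between interfaces can bridge an untrusted LAN into the VPN."""
    mode = classify_tunnel(text)
    forwarding = str(ip_forward).strip() == "1"  # value of ip_forward sysctl
    if mode == "split" and forwarding:
        return mode, "HIGH: split tunnel with IP forwarding enabled"
    if forwarding:
        return mode, "MEDIUM: IP forwarding enabled on a VPN client"
    return mode, "OK: host does not forward between interfaces"
```

A host firewall that drops inbound connections, as PaulM notes, covers the same exposure from the other direction; this check only tells you whether the routing side of the misconfiguration exists.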
Re: VPN Split-tunneling: Your opinion?

From a web filtering/outbound access through a proxy/firewall point of view, with split tunneling, I see clients going out to the Internet (HTTP/HTTPS, at least) completely unfiltered. With full tunneling, I see clients connecting back to "corporate" and going out through the firewall/proxy/web filter, which provides some sane level of filtering. From that standpoint, the feeling is that there is some level of security gained by pushing the traffic through the firewall/proxy/web filter that is not had by allowing split tunneling.

From the "My client is compromised/misconfigured and now is allowing routing into the trusted network" standpoint, I don't think that attack vector is necessarily all that prevalent. It doesn't need to be from an intruder's view. It seems to be much easier to get people to click on this link, or open that attachment, or give out a password in exchange for a candy bar in order to perform an attack.

While I personally am not a fan of split tunneling from a security point of view, even if the client is misconfigured and allows routing in, that in itself isn't necessarily *bad.* It depends on why the client is misconfigured (i.e. was it a dumb user, or malicious bad guy), who is on the other end of that route, what their intentions are (perhaps no intentions at all), and whether or not they are smart enough to exploit a misconfigured PC (i.e. route) to get into your network.

Jeff

On Friday, June 19, 2009 1:05 AM, Amuse said:
> I was wondering what each of your opinions are RE: VPN Split-tunneling.
> Do you consider a split-tunnel setup to be particularly risky to allow from
> a security point of view? Compared to typical (modern) exploits such as
> trojans via email, XSS, web based attacks, etc - do you think that the risk
> of a client becoming misconfigured and allowing routing into the private
> network via a split tunnel is particularly prevalent?
I agree on the fact that the split tunnel does open up an attack surface, but if the VPN software also has an inbuilt firewall with stateful inspection, nothing like it. If your corporate network has a Network Access Policy set, then as soon as you enter the company network, your machine will be scanned and remediated in a separate VLAN if found infected. So, a split tunnel would be risky without some NAC enforcement in the corporate environment.

As far as routing malicious packets in the corporate network using split tunnel is concerned, stateful inspection should take care of it. At the firewall, when you set up the VPN policy, you can control if you want to allow broadcasts flowing through the tunnels.

Regards,
Aniket Amdekar

--- On Fri, 6/19/09, Paul Melson <pmelson@...> wrote: