Re: [fw-wiz] PIX split tunneling

From: John Adams (jna@retina.net)
Date: 01/29/03


From: John Adams <jna@retina.net>
To: Malte von dem Hagen <DocValde@gmx.de>
Date: Wed Jan 29 02:13:01 2003

On Wed, 29 Jan 2003, Malte von dem Hagen wrote:

> Hi there,
>
> what we want to set up is a VPN from Cisco VPN Client to a Cisco PIX 525
> including split tunneling, in order to split up the outgoing client
> traffic - the packets destined for the secured network via the vpn
> tunnel, all the others through the default gateway. This should be
> confed at the pix and not at the VPN client in order to prevent user
> manipulation of these things.

Do you -really- want to have split tunnelling enabled? It's a bad idea.

If someone runs the Cisco VPN client and the machine is penetrated from
another user on the Internet, you've now given the cracker direct access
to your network.

Also, split tunneling is configured in the VPN client, not on the PIX
itself. You configure it, and then lock down the configuration so your
users cannot modify the configuration.

--john

-- 
J. Adams					http://www.retina.net/~jna
The secret of knowing where you are, is knowing what time it is. -- Anonymous
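A defender-side check that follows from the point above, added here as an example and not part of the original thread: a small Python routine that classifies a client's routing table as full-tunnel, split-tunnel or no tunnel, so an endpoint compliance check can flag the split configuration that exposes the internal network through a compromised client. The ip-route-style sample lines and the interface names (cscotun0 for the VPN adapter, eth0 for the physical NIC) are constructed assumptions.

```python
import ipaddress

# Constructed sample routing tables (not taken from the original post).
# "cscotun0" is assumed to be the VPN client's virtual adapter, "eth0" the physical NIC.
SPLIT_TUNNEL_ROUTES = """\
default via 192.0.2.1 dev eth0
10.0.0.0/8 via 198.51.100.1 dev cscotun0
192.0.2.0/24 dev eth0 scope link
"""

# Two half-space routes (0/1 and 128/1) are a common way a client pulls all
# traffic into the tunnel without deleting the physical default route.
FULL_TUNNEL_ROUTES = """\
0.0.0.0/1 via 198.51.100.1 dev cscotun0
128.0.0.0/1 via 198.51.100.1 dev cscotun0
default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 scope link
"""


def parse_routes(text):
    """Return a list of (network, device) tuples from ip-route-style lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or "dev" not in parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(dst, strict=False)
        dev = parts[parts.index("dev") + 1]
        routes.append((net, dev))
    return routes


def tunnel_mode(text, vpn_dev):
    """Classify the table: ('full', nets) if the VPN adapter covers all of IPv4
    once its prefixes are collapsed, ('split', nets) if it only carries specific
    prefixes, ('none', []) if it carries no routes at all."""
    routes = parse_routes(text)
    vpn_nets = [n for n, d in routes if d == vpn_dev]
    if not vpn_nets:
        return "none", []
    collapsed = list(ipaddress.collapse_addresses(vpn_nets))
    if any(n.prefixlen == 0 for n in collapsed):
        return "full", vpn_nets
    return "split", vpn_nets
```

A compliance agent would run this against the live table and treat "split" (or "none" while the client claims to be connected) as a finding to report.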