Re: [fw-wiz] VPN Split-tunneling: Your opinion?



I was wondering what each of your opinions are RE: VPN Split-tunneling.
Do you consider a split-tunnel setup to be particularly risky to allow
from a security > point of view? Compared to typical (modern) exploits such
as trojans via email, XSS,
web based attacks, etc - do you think that the risk of a client becoming
misconfigured > and allowing routing into the private network via a split
tunnel is particularly
prevalent?

I think, for client VPN configurations, that split tunnel versus full tunnel
setups are a dead horse. The original thinking was that you didn't want a
computer to be simultaneously connected to a trusted network and an
untrusted network. If those requirements are still part of your
architecture, then do full tunnel. But in terms of actual risk, by having
the client machine run with a host firewall that doesn't allow incoming
connections (which is pretty standard fare for all vendors), you address the
risk of someone bouncing through your clients from an untrusted network.

Are there still attacks against VPN client systems that can get by a host
firewall? Absolutely. However, full tunnel does little to nothing to
prevent them. Most malware we see today does some form of phone-home from
the client for C&C. If your full tunnel VPN configuration allows connected
clients to access the Internet, that phone-home is still going to work
(though centralized firewall & IPS will be in play). Even if your full
tunnel setup prevents C&C, malware can still get on the client while it's
disconnected and will gain access to your trusted network when the client
connects. Having live C&C is not a necessity for theftware to pilfer data
off of file shares or have a worm spread across the VPN tunnel.

PaulM


_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



Relevant Pages

  • Re: Prt to win via ssh tunnel
    ... These clients allow us to setup an ssh tunnel, ... Is it possible somehow to redirect print request to this port? ... I specify the win client ip. ...
    (comp.unix.aix)
  • Re: DD-WRT VPN
    ... Anyone want to suggest some other solutions for the VPN that wont require ... OpenVPN has to encrypt and decrypt the tunnel at both ends. ... setup a fast computah at each end of the simulation to a LAN ...
    (alt.internet.wireless)
  • Re: VPN versus Terminal Server for remote workers
    ... call a 'cell phone' we call a 'mobile', ... Windows VPN client, Windows Mobile VPN client, or a 3rd party VPN client. ... It is tunnel to the appliance or nothing. ...
    (microsoft.public.windows.server.sbs)
  • Keepalived LVS-TUN problems with return packet
    ... If I attempt to connect to the service from a client, ... VIP, it gets sent to a RIP over the IPIP tunnel, realserver responds ... realserver is ACKing the tunnel packet, ...
    (Debian-User)
  • Re: Tunneling in Ubuntu
    ... The tunnel as such definitely works for UDP or ... But user space multicast routing daemon seems to be configured a bit ... The problem was that I had not copied the keys from server to the client.. ... I tried the openvpn idea. ...
    (Ubuntu)