Re: [fw-wiz] VPN Split-tunneling: Your opinion?



I agree on the fact that the split tunnel does open up an attack surface, but if the VPN software also has an inbuilt firewall with stateful inspection, nothing like it.

If your corporate network as a Network Access Policy set, then as soon as you enter the company network, your machine will be scanned and remediated in a saperate VLAN if found Infected. So, a split tunnel would be risky without some NAC enforcement in the corporatement. As far as routing malecious packets in the corporate network using split tunnel is concerned, stateful inspection should take care of it.

At the firewall, when you setup the VPN policy, you can control if you want to allow broadcasts flowing through the tunnels.

Regards,
Aniket Amdekar


--- On Fri, 6/19/09, Paul Melson <pmelson@xxxxxxxxx> wrote:

From: Paul Melson <pmelson@xxxxxxxxx>
Subject: Re: [fw-wiz] VPN Split-tunneling: Your opinion?
To: "'Firewall Wizards Security Mailing List'" <firewall-wizards@xxxxxxxxxxxxxxxxxxxxx>
Date: Friday, June 19, 2009, 7:01 PM

I was wondering what each of your opinions are RE: VPN Split-tunneling. 
Do you consider a split-tunnel setup to be particularly risky to allow
from a security > point of view?  Compared to typical (modern) exploits such
as trojans via email, XSS,
web based attacks, etc - do you think that the risk of a client becoming
misconfigured > and allowing routing into the private network via a split
tunnel is particularly
prevalent?

I think, for client VPN configurations, that split tunnel versus full tunnel
setups are a dead horse.  The original thinking was that you didn't want a
computer to be simultaneously connected to a trusted network and an
untrusted network.  If those requirements are still part of your
architecture, then do full tunnel.  But in terms of actual risk, by having
the client machine run with a host firewall that doesn't allow incoming
connections (which is pretty standard fare for all vendors), you address the
risk of someone bouncing through your clients from an untrusted network.

Are there still attacks against VPN client systems that can get by a host
firewall?  Absolutely.  However, full tunnel does little to nothing to
prevent them.  Most malware we see today does some form of phone-home from
the client for C&C.  If your full tunnel VPN configuration allows connected
clients to access the Internet, that phone-home is still going to work
(though centralized firewall & IPS will be in play).  Even if your full
tunnel setup prevents C&C, malware can still get on the client while it's
disconnected and will gain access to your trusted network when the client
connects.  Having live C&C is not a necessity for theftware to pilfer data
off of file shares or have a worm spread across the VPN tunnel.

PaulM


_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


Relevant Pages

  • Re: VPN versus Terminal Server for remote workers
    ... call a 'cell phone' we call a 'mobile', ... about Windows VPN client, Windows Mobile VPN client, or a 3rd party VPN ... It is tunnel to the appliance or nothing. ...
    (microsoft.public.windows.server.sbs)
  • Re: VPN versus Terminal Server for remote workers
    ... call a 'cell phone' we call a 'mobile', ... Windows VPN client, Windows Mobile VPN client, or a 3rd party VPN client. ... It is tunnel to the appliance or nothing. ...
    (microsoft.public.windows.server.sbs)
  • Re: SBS 2008 - Firewall Appliance?
    ... Cisco ASA 5510 Appliance Content Security Edition Bundle ... 250 IPsec VPN peers, ... But "firewall services" are simply listed as included. ... If you don't need AV or VPN then this is overkill....and I recommend running client AV on a server that can handle monitoring anyways....not using an edge device as the client AV manager...but that's another conversation. ...
    (microsoft.public.windows.server.sbs)
  • Re: Turn-Key Installation Question: SBS 2003 Standard + Hardware VPN
    ... The clients I have found so far that like the SBS setup have been graphic ... Setting up a VPN tunnel is easy under ... A firewall appliance sounds like the ...
    (microsoft.public.windows.server.sbs)
  • Re: remoting not working through vpn
    ... These can act differently depending on where the VPN terminates. ... I have ISA firewall and all my VPN connections terminate on the firewall system. ... The other case might be that you have tunneled the VPN completely through the firewall and let it terminate on the server itself. ... The problem may be in how the client system is presenting its ...
    (microsoft.public.dotnet.framework.remoting)