Re: [fw-wiz] VPN Split-tunneling: Your opinion?



From a web filtering/outbound access through a proxy/firewall point of
view, with split tunneling, I see clients going out to the Internet
(HTTP/HTTPS, at least) completely unfiltered.

With full tunneling, I see clients connecting back to "corporate" and
going out through the firewall/proxy/web filter, which provides some
sane level of filtering.

From that standpoint, the feeling is that there is some level of
security gained by pushing the traffic through the firewall/proxy/web
filter that is not had by allowing split tunneling.


From the "My client is compromised/misconfigured and now is allowing
routing into the trusted network" standpoint, I don't think that attack
vector is necessarily all that prevalent. It doesn't need to be from an
intruder's view. It seems to be much easier to get people to click on
this link, or open that attachment, or give out a password in exchange
for a candy bar in order to perform an attack.

While I personally am not a fan of split tunneling from a security point
of view, even if the client is misconfigured and allows routing in, that
in itself isn't necessarily *bad.* It depends on why the client is
misconfigured (i.e. was it a dumb user, or malicious bad guy), who is on
the other end of that route, what their intentions are (perhaps no
intentions at all), and whether or not they are smart enough to exploit
a misconfigured PC (i.e. route) to get into your network.

Jeff

On Friday, June 19, 2009 1:05 AM, Amuse said:

I was wondering what each of your opinions are RE: VPN Split-tunneling.
Do you consider a split-tunnel setup to be particularly risky to allow
from a security point of view? Compared to typical (modern) exploits such
as trojans via email, XSS, web based attacks, etc - do you think that the
risk of a client becoming misconfigured and allowing routing into the
private network via a split tunnel is particularly prevalent?
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
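To make the two concerns in this thread concrete (web traffic bypassing the corporate proxy/web filter, and a misconfigured client forwarding between its Internet side and the corporate routes), here is an added Python example that is not from the thread or any VPN product: it classifies a client's route table as split- or full-tunnel by longest-prefix match and reports the resulting findings. The route tables, the interface names ("tun0", "eth0") and the probe address are constructed.

```python
import ipaddress

# Constructed sample route tables: (destination CIDR, egress interface).
# "tun0" is assumed to be the VPN adapter; the prefixes are illustrative.
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "eth0"),        # default route stays on the local NIC
    ("10.0.0.0/8", "tun0"),       # only corporate prefixes cross the VPN
    ("192.168.1.0/24", "eth0"),   # home LAN
]
FULL_TUNNEL = [
    ("0.0.0.0/0", "tun0"),        # all traffic is forced back to corporate
    ("203.0.113.10/32", "eth0"),  # host route to the VPN concentrator only
    ("192.168.1.0/24", "eth0"),
]

def egress_interface(routes, dst):
    """Longest-prefix match: which interface does traffic to dst leave on?"""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def tunnel_mode(routes, vpn_if="tun0", probe="198.51.100.1"):
    """'full' when an arbitrary public address (TEST-NET-2 here) would be
    sent into the VPN, i.e. through the corporate firewall/proxy/web filter;
    'split' when it goes straight out the local interface, unfiltered."""
    return "full" if egress_interface(routes, probe) == vpn_if else "split"

def bridging_risk(routes, ip_forwarding, vpn_if="tun0"):
    """A split-tunnel client that also has IP forwarding enabled can relay
    packets between its Internet-facing interface and the corporate routes.
    Returns the list of findings for this client configuration."""
    findings = []
    if tunnel_mode(routes, vpn_if) == "split":
        findings.append("web traffic bypasses corporate proxy/web filter")
        if ip_forwarding:
            findings.append("host forwards between local NIC and VPN routes")
    return findings
```

A full-tunnel client with forwarding enabled yields no findings here, since its default route already terminates in the corporate network; the check deliberately only flags the split-tunnel case the thread is about.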


