Re: Travelling laptops over VPN

From: Jerry (jerry.giacinto_at_ketteng.com.nospam.com)
Date: 11/30/04


Date: Tue, 30 Nov 2004 11:28:34 -0700

Phillip,

  Well, you brought up the exact situation I'm faced with: we are using
split-tunneling. I've been told by Cisco that without split-tunneling, a
client cannot browse the internet while connected to the VPN. This doesn't
seem correct to me, so I may have to ask another tech at Cisco.

  I use the Cisco VPN client to connect to the VPN, not a Windows-defined
VPN Dialup connection. Any split-tunneling is controlled at the Cisco
firewall. Certainly, I can turn off the split-tunneling, but I don't want
to do it at the cost of losing internet connection while connected to the
VPN.

  We do have a robust, multi-layered AV defense, so I'm not as worried about
that. But you're correct that I'm not sure how much of a threat I'm faced
with if I don't have a properly established firewall. Do you have other
suggestions for testing the effectiveness of a firewall, or do you think
that what I'm doing with Nmap might be sufficient?

Thanks for your time,
  Jerry

"Phillip Windell" <@.> wrote in message
news:eq7w1Fw1EHA.1564@TK2MSFTNGP09.phx.gbl...
> "Jerry" <jerry.giacinto@ketteng.com.nospam.com> wrote in message
> news:OSqnr2v1EHA.1300@TK2MSFTNGP14.phx.gbl...
> > to a different network (like at a hotel), the firewall is on. That
> > appears to work fine. However, when the user connects to the VPN using
> > the Cisco VPN client, the firewall shuts off because it sees the domain.
> > Then, the laptop is not protected while on the VPN.
>
> Yes, it is protected while on the VPN. When on the VPN it is on the LAN,
> not the Internet. To get to and from the Internet it must go through the
> LAN, so it is the same as if it was physically on the LAN. The laptop
> cannot get to/from the Internet directly while the VPN is active.
> So,...you are worried for nothing.
>
> One exception would be if the user is using "split-tunneling" with the
> VPN. This is done by disabling the "Use Gateway on Remote Network" which
> is found on the user's machine within the properties of the VPN Dialup
> Connection. By default this is not the case,...this is something you
> would have had to do on purpose.
>
> Another thing to keep in mind is the false sense of security you may be
> feeling from the firewall. Typically the firewall has no effect on
> viruses, worms, trojans, spyware/adware and those are actually the worst
> threats you face. The primary defence from those is not the firewall but
> is the AV software and the level of the Security settings in the User's
> browser. So you may be all worried about something that isn't even
> protecting you from what you fear in the first place.
>
> The primary role of the firewall is to prevent other users from
> connecting to running services on your machine,...primarily that would
> be File & Print Sharing, but there are others.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
> > I could configure the firewall to be on all the time, but doesn't that
> > make management difficult? I don't want to set up firewall exceptions
> > for managing the laptop while it's on the domain, because those same
> > exceptions will apply while the laptop is connected to the VPN. I'm not
> > completely sure what the risks are.
> > I've been using Nmap to test the firewall with TCP, UDP, and TCP SYN
> > stealth port scans. But, to be honest, I'm not even sure if that's the
> > best way to test. However, I do get scan results that are consistent
> > with the firewall being on or off.
> > I've entered a cornucopia of frustration, and am looking for pointers,
> > suggestions, or facts backed by people with experience in this type of
> > setup. Any help would be greatly appreciated.
> >
> > Thank you,
> > Jerry
> >
> >
>
>
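Jerry's Nmap check, carried one step further as an added example (this is not code from either poster): a small Python parser for Nmap's grepable (-oG) output that tells a host answering probes with RSTs (firewall off, ports reported "closed") from one silently dropping them (firewall on, ports reported "filtered"), and lists the ports that answer as open either way, which is where a management exception made for the domain would show up while the laptop is split-tunnelled on a hotel LAN. The two scan texts, the address 10.0.0.25 and the RDP exception are constructed samples.

```python
"""Judge whether a host firewall is dropping traffic from Nmap -oG scan text."""
import re
from collections import Counter
# Each "Ports:" entry is port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(tcp|udp)/")
# "Ignored State: closed (1657)" carries the bulk of the ports in one state
IGNORED_RE = re.compile(r"([\w|]+) \((\d+)\)")

# Constructed sample output (not real scans): the same laptop scanned from the
# hotel LAN with its firewall off, then with it on plus an RDP exception.
FW_OFF_SCAN = """\
# Nmap scan initiated as: nmap -sS -oG - 10.0.0.25
Host: 10.0.0.25 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (1657)
"""
FW_ON_SCAN = """\
# Nmap scan initiated as: nmap -sS -oG - 10.0.0.25
Host: 10.0.0.25 ()\tPorts: 3389/open/tcp//ms-term-serv///\tIgnored State: filtered (1659)
"""

def parse_grepable(text):
    """Return ({(port, proto): state}, Counter of the bulk 'ignored' states)."""
    ports, ignored = {}, Counter()
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        for field in line.split("\t"):
            if field.startswith("Ports:"):
                for port, state, proto in PORT_RE.findall(field):
                    ports[(int(port), proto)] = state
            elif field.startswith("Ignored State:"):
                for state, n in IGNORED_RE.findall(field):
                    ignored[state] += int(n)
    return ports, ignored

def firewall_verdict(text, min_dropped_ratio=0.9):
    """'firewall-off' if the stack sends RSTs (closed ports); 'firewall-on' if nearly all probes vanish."""
    ports, ignored = parse_grepable(text)
    counts = Counter(ports.values())
    counts.update(ignored)
    total = sum(counts.values())
    if counts["closed"]:
        return "firewall-off"
    dropped = sum(n for state, n in counts.items() if "filtered" in state)
    return "firewall-on" if total and dropped / total >= min_dropped_ratio else "inconclusive"

def exposed_services(text):
    """Ports that answer as open: reachable from the scanner whatever the verdict says."""
    ports, _ = parse_grepable(text)
    return sorted(p for (p, _proto), state in ports.items() if state == "open")
```

Run the two scans from a machine on the same untrusted network as the laptop while the VPN is up; a "firewall-on" verdict with a non-empty open list is exactly the carried-over exception Jerry is worried about.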