Re: Travelling laptops over VPN
From: Bill Sanderson (Bill_Sanderson_at_msn.com.plugh.org)
Date: 11/30/04
- Next message: Buck Rogers: "Re: Opening Ports"
- Previous message: Torgeir Bakken \(MVP\): "Re: Right to start/stop a service"
- Maybe in reply to: Sooner Al: "Re: Travelling laptops over VPN"
- Next in thread: Jerry: "Re: Travelling laptops over VPN"
- Reply: Jerry: "Re: Travelling laptops over VPN"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 30 Nov 2004 17:28:15 -0500
Here's one discussion of some of the security issues around this setting,
and also some recommendations which primarily relate to the host end of the
VPN tunnel, unfortunately:
http://www.isaserver.org/tutorials/VPN_Client_Security_Issues.html
has a brief discussion of security issues of split tunneling, and notes that
a packet filter restricting traffic over the VPN connection to packets
originating from the remote access clients (i.e. not from the client's
Internet connection)--is a default configuration in Windows Server 2003.
This link (a PDF, unfortunately) discusses, with references to Shinder, the
possibility of a session hijack when split tunneling is used.
http://www.teleworkconsortium.org/Theory_and_Practice/whitepapers/BroadbandSecurityPaperCSC.pdf
So--the two vulnerabilities introduced by split tunneling are 1) the
possibility of routing between the insecure Internet and the secure private
network via the split-tunneling client machine, and 2) the possibility of a
session hijack of the client machine, with consequent disclosure of private
corporate data.
As with other security issues, each admin needs to assess their own risk
tolerance level and make a decision about what policies are appropriate for
their environment.
(and you, and probably most reading this thread, are probably more aware of
these issues than I am--but I thought I'd try to dig out some clear
references to precisely what the risks are. I think I've got the technical
risks clearly laid out, but without much clear information about how to
quantify those risks, I'm afraid.)
"Phillip Windell" <@.> wrote in message
news:u60Kgzx1EHA.3816@TK2MSFTNGP09.phx.gbl...
> "Jerry" <jerry.giacinto@ketteng.com.nospam.com> wrote in message
> news:%238lynpw1EHA.132@tk2msftngp13.phx.gbl...
>> Well, you brought up the exact situation I'm faced with: we are using
>> split-tunneling. I've been told by Cisco that without split-tunneling, a
>> client cannot browse the internet while connected to the VPN. This doesn't
>> seem correct to me, so I may have to ask another tech at Cisco.
>
> Don't bother. He is exactly correct. You must use Split Tunneling to be
> able to use the VPN and use the Internet independently from each other.
>
>> We do have a robust, multi-layered AV defense, so I'm not as worried about
>> that. But you're correct that I'm not sure how much of a threat I'm faced
>> with if I don't have a properly established firewall. Do you have other
>> suggestions for testing the effectiveness of a firewall, or do you think
>> that what I'm doing with Nmap might be sufficient?
>
> AV software and Browser Security set to the "highest" is the best defence.
> As far as personal firewalls,...well I'm so excited about them that I don't
> even run one... :-) I follow the measures I already mentioned and I don't
> have things running on any directly exposed machine that I don't want
> someone connecting to. I just simply keep my machines "clean",..I know what
> I have running on them,..and why.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
>
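The two mechanisms discussed in this post, as an added illustration that is not code from the original thread, from Windows, or from Cisco: the client-side route lookup that differs between a split tunnel and a full tunnel, the "routing between the Internet and the private network" that becomes possible if a split-tunnel client forwards packets, and a server-side filter that only accepts tunnel traffic sourced from the address assigned to the remote access client (the Windows Server 2003 default the ISAserver.org article mentions). The prefixes, addresses and packets are constructed documentation-range values, and the filter is a simplified model of the behaviour, not the actual RRAS packet filter.

```python
"""Model of split tunneling and the tunnel-side source-address filter.

Added example for the thread above; not Windows, ISA Server or Cisco code.
All addresses are constructed (RFC 5737 documentation ranges and a private
10/8 'corporate' network); the filter is a simplified model of the behaviour.
"""
from ipaddress import ip_address, ip_network

# Assumed corporate network reachable only through the VPN tunnel.
CORP_NET = ip_network("10.0.0.0/8")
# Assumed address the VPN server handed to this remote access client.
VPN_CLIENT_ADDR = ip_address("10.200.0.17")


def split_tunnel_routes():
    """Only the corporate prefix goes into the tunnel; the default route
    stays on the laptop's local Internet connection."""
    return [(CORP_NET, "vpn"), (ip_network("0.0.0.0/0"), "internet")]


def full_tunnel_routes():
    """Everything, including Internet browsing, is forced through the tunnel,
    which is why the Cisco tech said browsing needs split tunneling."""
    return [(ip_network("0.0.0.0/0"), "vpn")]


def select_interface(dst, routes):
    """Longest-prefix match, the way a host route table picks an interface."""
    dst = ip_address(dst)
    best = None
    for net, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]


def forwarded_into_tunnel(src, dst, routes, ip_forwarding_enabled):
    """Vulnerability 1 from the post: a packet arriving on the laptop's
    Internet side (src not the laptop itself) is relayed into the tunnel
    only if the host forwards packets AND its route for dst is the VPN."""
    if not ip_forwarding_enabled:
        return False
    return select_interface(dst, routes) == "vpn"


def tunnel_ingress_filter(packets, client_addr=VPN_CLIENT_ADDR):
    """Server-end mitigation: drop any packet that arrives over the tunnel
    whose source is not the address assigned to the remote access client.
    Packets relayed from the Internet through a forwarding client keep their
    original source address and are therefore dropped."""
    accepted, dropped = [], []
    for src, dst in packets:
        (accepted if ip_address(src) == client_addr else dropped).append((src, dst))
    return accepted, dropped


# Constructed sample: one legitimate client packet and one packet an Internet
# host (203.0.113.5) pushed through a split-tunnel client with forwarding on.
SAMPLE_PACKETS = [
    ("10.200.0.17", "10.1.2.3"),
    ("203.0.113.5", "10.1.2.3"),
]

if __name__ == "__main__":
    split = split_tunnel_routes()
    print("corp host via split tunnel ->", select_interface("10.1.2.3", split))
    print("web host via split tunnel  ->", select_interface("198.51.100.8", split))
    print("web host via full tunnel   ->", select_interface("198.51.100.8", full_tunnel_routes()))
    print("relayed into tunnel (fwd on):", forwarded_into_tunnel("203.0.113.5", "10.1.2.3", split, True))
    acc, drop = tunnel_ingress_filter(SAMPLE_PACKETS)
    print("accepted:", acc)
    print("dropped: ", drop)
```

The filter only closes the relay path; it does nothing for the second risk in the post, a compromised or hijacked client whose own traffic legitimately carries the assigned address, which is why the thread keeps coming back to host hygiene on the laptop itself.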