Educause Security Discussion mailing list archives

Re: Do you allow your vpn clients to do split tunneling?


From: Greg Washburn <gwashburn () MBC EDU>
Date: Mon, 10 May 2010 14:37:19 -0400

We do not allow true split tunneling, but we have started allowing local LAN
splitting.  This enables the user to continue to print to IP printers and
connect to IP storage devices located on their local LAN while still sending
the majority of their traffic across the VPN.
I will say, however, that I'm sincerely considering a full split tunnel solution.
Of course, the requirements for a personal firewall, proper OS and software
patching, and malware defense need to be implemented first and foremost to
minimize the security concern of an outside intruder using the VPN client
machine as a hop into our internal network.  I, however, feel that the
requirement for those security posture improvements needs to be there anyway
to avoid attacks from the client itself and not just from an intruder on
another network.
The benefits of split tunneling are nothing to shun, for sure.  Reduced load
on the VPN server, a reduction in Internet bandwidth at the VPN server site,
and a likely much faster web experience for the end user come to mind.
As to the security concerns, I will not say they shouldn't be considered, but
even without split tunneling those concerns need to be addressed.  The same
method an intruder would use in a split tunnel situation can be used when
the client is not connected to the VPN and can queue up some serious
maliciousness.


Greg Washburn
CISSP, CCNA, MCSE
Sr. Network/System Admin
540.887.7352
540.280.6087
Mary Baldwin College
www.mbc.edu
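As an added illustration, not part of Greg's message or anything else in this thread, the following Python model shows the three client policies the thread compares (full tunnel, full tunnel with local LAN splitting, and a true split tunnel) as routing tables, and where a packet to a given destination leaves the client under each one. The addresses, interface names (eth0 for the physical NIC, tun0 for the VPN adapter) and corporate prefix are constructed for the example. It also assumes the common client behaviour of enforcing "no local LAN" with a filter on top of routing, since plain longest-prefix matching lets the connected /24 beat the two /1 "redirect-gateway def1" routes; that filter is a simplification of what real clients do, not any vendor's implementation.

```python
import ipaddress

# Constructed sample values (assumptions for this example, not from the thread).
LAN = ipaddress.ip_network("192.168.1.0/24")      # client's home/office LAN (printers, NAS)
CORP = [ipaddress.ip_network("10.0.0.0/8")]       # institution's internal address space
VPN_GW = ipaddress.ip_address("203.0.113.10")     # public address of the VPN concentrator
ANY = ipaddress.ip_network("0.0.0.0/0")
# OpenVPN-style "redirect-gateway def1": two /1 routes that outrank the /0
# default without having to delete it.
DEF1 = [ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")]


def routes(policy):
    """Client routing table as (prefix, interface) pairs under a given policy.

    policy: "full"      - everything via the tunnel, local LAN blocked
            "local_lan" - everything via the tunnel, but the connected LAN stays direct
            "split"     - only CORP prefixes via the tunnel, the rest goes direct
    """
    table = [
        (LAN, "eth0"),                                   # connected route, always present
        (ANY, "eth0"),                                   # physical default route
        (ipaddress.ip_network(f"{VPN_GW}/32"), "eth0"),  # host route so the tunnel itself stays up
    ]
    if policy in ("full", "local_lan"):
        table += [(p, "tun0") for p in DEF1]
    elif policy == "split":
        table += [(p, "tun0") for p in CORP]
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return table


def lookup(table, dst):
    """Longest-prefix match, as a host's forwarding lookup does it."""
    dst = ipaddress.ip_address(dst)
    best = max((p for p, _ in table if dst in p), key=lambda p: p.prefixlen)
    return next(iface for p, iface in table if p == best)


def egress(policy, dst):
    """Where a packet to dst leaves the client: "tun0", "eth0" or "blocked".

    Routing alone cannot express "no local LAN": the connected /24 is more
    specific than the /1 tunnel routes and wins the lookup. So a full-tunnel
    policy is modelled here (assumption) as routing plus a lock-down filter
    that drops anything leaving the physical interface for a destination
    other than the VPN gateway; the local_lan policy exempts only the
    connected LAN from that filter, so it does not turn into a general split.
    """
    iface = lookup(routes(policy), dst)
    addr = ipaddress.ip_address(dst)
    if iface == "eth0" and addr != VPN_GW:
        if policy == "full":
            return "blocked"
        if policy == "local_lan" and addr not in LAN:
            return "blocked"
    return iface


def matrix():
    """Egress for a LAN printer, an Internet host and an internal server under each policy."""
    targets = {"printer": "192.168.1.50", "internet": "198.51.100.7", "internal": "10.1.2.3"}
    return {pol: {name: egress(pol, ip) for name, ip in targets.items()}
            for pol in ("full", "local_lan", "split")}


if __name__ == "__main__":
    for pol, result in matrix().items():
        print(f"{pol:10s} {result}")
```

The matrix makes the trade-off in the thread concrete: only the split policy sends Internet traffic out eth0 (the bandwidth saving, and the "two networks at once" exposure Jim describes), while local LAN splitting keeps Internet traffic on the tunnel and opens nothing but the connected subnet. Internal addresses ride the tunnel under all three, and the gateway host route is what keeps the tunnel itself reachable when everything else is redirected.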



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Miller,James R
Sent: Monday, May 10, 2010 1:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Do you allow your vpn clients to do split tunneling?

John,

For security reasons, particularly allowing someone to access two different
networks simultaneously, we prohibit split tunneling. Split tunneling would
allow a client to directly connect our inside network to the internet or
another network, bypassing quite a bit of our security.

Jim Miller
CISSP,CCSP
Lead Network Engineer
The University of Akron
(330) 972-7958
millerj () uakron edu



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John L. Isenhour
Sent: Monday, May 10, 2010 9:22 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Do you allow your vpn clients to do split tunneling?

Hi All,

We set up a Citrix VPN service and I became aware that we're allowing split
tunneling.  This is verboten most places I've been, but some of the network
staff have voiced that it might be a preferred way to go.

We don't do traffic surveillance (aside from blocking P2P and external
scans), so I would like to gain an understanding of what's the worst case,
both allowing split tunneling and not.

Seems to me we're safer as an institution with it off.  VPN is for faculty
and staff, btw.

tnx,
-john

--
John Isenhour, Ph.D.
Chief Technology Officer
Information Systems Architect
Kennesaw State University
Kennesaw GA 30144
770-423-6620
