Educause Security Discussion mailing list archives
Re: Do you allow your vpn clients to do split tunneling?
From: "Fletcher, Robert" <Robert_Fletcher () BROWN EDU>
Date: Mon, 10 May 2010 15:48:27 -0400
We do not allow split tunneling. I was not party to the original discussion in setting up our current VPN; however, my understanding is that we didn't want to give a client system the opportunity to act as a bridge between two or more networks. Essentially the client could offer up a backdoor into secure areas of our infrastructure. Bob Fletcher IT Security Engineer CIS Information Security Group Brown University (401) 863-7290 "What gets us into trouble is not what we don't know, it's what we know for sure that just ain't so" - Mark Twain -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Timothy Fairlie Sent: Monday, May 10, 2010 3:37 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Do you allow your vpn clients to do split tunneling? Like Julian, we don't allow split-tunneling, except for a few system/network admin folks On 5/10/2010 9:49 AM, Julian Y. Koh wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 At 9:22 AM -0400 5/10/10, John L. Isenhour wrote:We set up a citrix vpn service and I became aware that we're allowing split tunneling. This is verboten most places I've been, but some of the network staff have voiced that it might be a preferred way to go.Our traditional VPN service (PPTP, L2TP/IPSec, and Cisco IPSec VPN Client) does not use split tunneling. When we originally rolled out the service, we tried to use split tunneling, but since it was desired that the VPN be used to access things like library licensed materials that were IP restricted, the split tunnel list quickly became unmanageable, so we
turned
off split tunneling and tunneled all traffic. A few years back, we rolled out SSL VPN services with a layer 3 tunneling client available. That service is targeted at sysadmins, vendors/consultants, and users of sensitive systems, so we are usuing
split
tunneling there. -----BEGIN PGP SIGNATURE----- Version: 9.9.1.287 wj8DBQFL6A7LDlQHnMkeAWMRArwMAJ0dz3eG6u72MvlgDJRU6c8kks3rTQCghJmZ fo3+SZ6HBIgkcHrhN2ydFh4= =/McV -----END PGP SIGNATURE-----
-- Timothy J. Fairlie Director, Network and Communication Services Rider University Fairlie () rider edu
Attachment:
smime.p7s
Description:
Current thread:
- Do you allow your vpn clients to do split tunneling? John L. Isenhour (May 10)
- <Possible follow-ups>
- Re: Do you allow your vpn clients to do split tunneling? Julian Y. Koh (May 10)
- Re: Do you allow your vpn clients to do split tunneling? Miller,James R (May 10)
- Re: Do you allow your vpn clients to do split tunneling? Greg Washburn (May 10)
- Re: Do you allow your vpn clients to do split tunneling? Timothy Fairlie (May 10)
- Re: Do you allow your vpn clients to do split tunneling? Fletcher, Robert (May 10)
- Re: Do you allow your vpn clients to do split tunneling? Jeff Kell (May 10)
- Re: Do you allow your vpn clients to do split tunneling? Reynolds, Walter (May 11)
- Re: Do you allow your vpn clients to do split tunneling? James R. Pardonek (May 11)