Educause Security Discussion mailing list archives

Re: Do you allow your vpn clients to do split tunneling?

From: "Fletcher, Robert" <Robert_Fletcher () BROWN EDU>
Date: Mon, 10 May 2010 15:48:27 -0400


We do not allow split tunneling. I was not party to the original discussion
in setting up our current VPN; however, my understanding is that we didn't
want to give a client system the opportunity to act as a bridge between two
or more networks. Essentially the client could offer up a backdoor into
secure areas of our infrastructure.

Bob Fletcher
IT Security Engineer
CIS Information Security Group
Brown University
(401) 863-7290

"What gets us into trouble is not what we don't know, it's what we know for
sure that just ain't so"
- Mark Twain
-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Timothy Fairlie
Sent: Monday, May 10, 2010 3:37 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Do you allow your vpn clients to do split tunneling?

Like Julian, we don't allow split-tunneling, except for a few
system/network admin folks

On 5/10/2010 9:49 AM, Julian Y. Koh wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 9:22 AM -0400 5/10/10, John L. Isenhour wrote:

We set up a citrix vpn service and I became aware that we're allowing
split tunneling.  This is verboten most places I've been, but some of the
network staff have voiced that it might be a preferred way to go.

Our traditional VPN service (PPTP, L2TP/IPSec, and Cisco IPSec VPN Client)
does not use split tunneling.  When we originally rolled out the service,
we tried to use split tunneling, but since it was desired that the VPN be
used to access things like library licensed materials that were IP
restricted, the split tunnel list quickly became unmanageable, so we

turned

off split tunneling and tunneled all traffic.

A few years back, we rolled out SSL VPN services with a layer 3 tunneling
client available.  That service is targeted at sysadmins,
vendors/consultants, and users of sensitive systems, so we are usuing

split

tunneling there.


-----BEGIN PGP SIGNATURE-----
Version: 9.9.1.287

wj8DBQFL6A7LDlQHnMkeAWMRArwMAJ0dz3eG6u72MvlgDJRU6c8kks3rTQCghJmZ
fo3+SZ6HBIgkcHrhN2ydFh4=
=/McV
-----END PGP SIGNATURE-----


--
Timothy J. Fairlie
Director, Network and Communication Services
Rider University      Fairlie () rider edu

Attachment: smime.p7s
Description:

Current thread:

Do you allow your vpn clients to do split tunneling? John L. Isenhour (May 10)
- <Possible follow-ups>
- Re: Do you allow your vpn clients to do split tunneling? Julian Y. Koh (May 10)
- Re: Do you allow your vpn clients to do split tunneling? Miller,James R (May 10)
- Re: Do you allow your vpn clients to do split tunneling? Greg Washburn (May 10)
- Re: Do you allow your vpn clients to do split tunneling? Timothy Fairlie (May 10)
- Re: Do you allow your vpn clients to do split tunneling? Fletcher, Robert (May 10)
- Re: Do you allow your vpn clients to do split tunneling? Jeff Kell (May 10)
- Re: Do you allow your vpn clients to do split tunneling? Reynolds, Walter (May 11)
- Re: Do you allow your vpn clients to do split tunneling? James R. Pardonek (May 11)