Educause Security Discussion mailing list archives
Re: Do you allow your vpn clients to do split tunneling?
From: Jeff Kell <jeff-kell () UTC EDU>
Date: Mon, 10 May 2010 17:35:36 -0400
The "textbook" explanation of split-tunnel says it should be avoided because of the possibility of bridging/routing external traffic through the tunnel. However, if the end-user is smart enough to do that wholesale (other than the XSS possibilities) they're probably smart enough to bypass your captive tunnel (depending on the client).

Split-tunnel advantages:

* you can advertise only a portion of your internal network via the tunnel,
* any "other traffic" is untouched (if you have a multi-tasking user that needs the regular network),
* if you're NATed inside, you can test inside and outside connectivity (by using inside/outside IPs)

Captive tunnel advantages:

* all traffic gets encrypted (very useful for WiFi or other open wireless),
* better control over what enters the tunnel (depending on the client)

We allow split-tunnel, but our current VPN is primarily ITD personnel. I might be more biased toward captive if serving a broader audience.

Jeff