Educause Security Discussion mailing list archives

Re: Do you allow your vpn clients to do split tunneling?


From: "Reynolds, Walter" <waltr () UMICH EDU>
Date: Tue, 11 May 2010 08:45:02 -0400

We allow it but actually have two profiles centrally with a split tunnel and a full tunnel option.  We however do not 
have a lot of the same filters in place around the network.  That being said I feel that if you allow machines on other 
networks and then allow them to connect through the VPN without a NAC solution you are still compromising the security 
of your internal network.

---
Walter Reynolds
Principal Systems Security Development Engineer
ITS Communications Systems and Data Centers 
University of Michigan
(734) 615-9438


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Fletcher, Robert
Sent: Monday, May 10, 2010 3:48 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Do you allow your vpn clients to do split tunneling?


We do not allow split tunneling. I was not party to the original discussion
in setting up our current VPN; however, my understanding is that we didn't
want to give a client system the opportunity to act as a bridge between two
or more networks. Essentially the client could offer up a backdoor into
secure areas of our infrastructure.

Bob Fletcher
IT Security Engineer
CIS Information Security Group
Brown University
(401) 863-7290

"What gets us into trouble is not what we don't know, it's what we know for
sure that just ain't so"
- Mark Twain

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Timothy Fairlie
Sent: Monday, May 10, 2010 3:37 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Do you allow your vpn clients to do split tunneling?

Like Julian, we don't allow split-tunneling, except for a few
system/network admin folks.

On 5/10/2010 9:49 AM, Julian Y. Koh wrote:

At 9:22 AM -0400 5/10/10, John L. Isenhour wrote:

We set up a citrix vpn service and I became aware that we're allowing
split tunneling.  This is verboten most places I've been, but some of the
network staff have voiced that it might be a preferred way to go.

Our traditional VPN service (PPTP, L2TP/IPSec, and Cisco IPSec VPN Client)
does not use split tunneling.  When we originally rolled out the service,
we tried to use split tunneling, but since it was desired that the VPN be
used to access things like library licensed materials that were IP
restricted, the split tunnel list quickly became unmanageable, so we turned
off split tunneling and tunneled all traffic.

A few years back, we rolled out SSL VPN services with a layer 3 tunneling
client available.  That service is targeted at sysadmins,
vendors/consultants, and users of sensitive systems, so we are using split
tunneling there.





--
Timothy J. Fairlie
Director, Network and Communication Services
Rider University      Fairlie () rider edu
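The thread turns on the difference between a full tunnel (the client's default route goes through the VPN, so it cannot quietly bridge the campus network to whatever LAN it sits on) and a split tunnel (only listed prefixes go through the VPN, and, as Julian notes, that list is hard to keep complete). The script below is an added example written for this page, not code posted by any of the participants. It parses the output of Linux `ip route show` (the route text here is constructed sample data, and the interface name `tun0`, the gateways and the prefixes are assumptions), classifies the client as full-tunnel, split-tunnel or not connected, and does a longest-prefix lookup to show which interface a given destination would actually leave on. The full-tunnel sample uses the two /1 routes that OpenVPN's `redirect-gateway def1` installs; an explicit default route via the tunnel is also recognised.

```python
"""Classify a client's routing table as full-tunnel, split-tunnel or no-vpn.

Added example for the split-tunneling discussion; not from the thread.
Assumptions: Linux `ip route show` output format, VPN interface "tun0".
"""
import ipaddress
import re

# "default via 192.168.1.1 dev wlan0 ..." or "10.0.0.0/8 via 10.8.0.1 dev tun0"
ROUTE_RE = re.compile(
    r"^(?P<dst>\S+)\s+(?:via\s+(?P<gw>\S+)\s+)?dev\s+(?P<dev>\S+)")

# Constructed sample: split tunnel, only RFC1918 campus ranges go via tun0,
# everything else leaves on the local wireless LAN.
SPLIT_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
172.16.0.0/12 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
"""

# Constructed sample: full tunnel in OpenVPN "def1" style (0/1 + 128/1 via
# tun0 override the DHCP default), with a host route so the tunnel itself
# still reaches the VPN server (203.0.113.5, an assumed address).
FULL_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
203.0.113.5 via 192.168.1.1 dev wlan0
"""


def parse_routes(text):
    """Return [(ip_network, device)] for each parseable route line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = m.group("dst")
        net = ipaddress.ip_network(
            "0.0.0.0/0" if dst == "default" else dst, strict=False)
        routes.append((net, m.group("dev")))
    return routes


def classify_tunnel(text, vpn_dev="tun0"):
    """'no-vpn', 'full-tunnel' or 'split-tunnel' for the given route table."""
    vpn_nets = {net for net, dev in parse_routes(text) if dev == vpn_dev}
    if not vpn_nets:
        return "no-vpn"
    has_default = any(n.version == 4 and n.prefixlen == 0 for n in vpn_nets)
    has_def1 = (ipaddress.ip_network("0.0.0.0/1") in vpn_nets
                and ipaddress.ip_network("128.0.0.0/1") in vpn_nets)
    return "full-tunnel" if (has_default or has_def1) else "split-tunnel"


def egress_device(text, address):
    """Longest-prefix match: which interface a packet to `address` leaves on."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, dev in parse_routes(text):
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, dev)
    return best[1] if best else None


if __name__ == "__main__":
    for name, table in (("split", SPLIT_ROUTES), ("full", FULL_ROUTES)):
        print(name, classify_tunnel(table))
        # 198.51.100.7 stands in for an IP-restricted library resource that
        # nobody remembered to add to the split-tunnel list.
        for dst in ("10.20.30.40", "198.51.100.7", "192.168.1.20"):
            print("  ", dst, "->", egress_device(table, dst))
```

On the split-tunnel table the constructed "library" address 198.51.100.7 leaves on wlan0, which is exactly the gap that made the list unmanageable in Julian's account; on the full-tunnel table it goes via tun0 while the local /24 and the host route to the VPN server stay off the tunnel.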
