Educause Security Discussion mailing list archives
Re: vpn split tunnel or no split tunnel
From: Dexter Caldwell <Dexter.Caldwell () FURMAN EDU>
Date: Wed, 9 Feb 2011 12:49:49 -0500
I agree it's a mixed bag. Can't say which I think is better in theory, but I can tell you what we have chosen to do and why. (Keep in mind that I agree there are probably as many reasons against this... Nevertheless...) We opt for split tunneling for the following reasons:

1) We don't need Netflix cable modem streams and the like hitting our bandwidth, which historically has been a precious resource for us. If you have many users who work long sessions and keep them connected, they could have an impact of significance.

2) If we are concerned about the risks of not split tunneling, we can simply overlay IPS and/or NAC requirements for security on the entry points or groups we prefer. Keep in mind that even if you tunnel all of their traffic when they are connected to your VPN, you don't tunnel their traffic when they're not, which is most of the time, which means that they are probably able to pick up something on their less secure network and in theory be forced to send the baddies through your network, just so that you have the option of trying to catch it. We leave the stuff that's not for us to their ISPs to worry about.

3) Home PCs are generally more risky, IMHO, so the less traffic they direct our way, the better off I hope to be. Consider the risk that clients in the same VPN subnet can pose to each other, knowing that not everything will be caught by security systems. The same can be said for clients on the internal network that are exposed to communication streams from the remote hosts. Much of it depends on network and architecture, I agree.

4) I hope it's harder and less common for a MITM attack to be needed with a split tunnel than a simple subnet broadcast or network scan, which is simpler with no split.

(Agree library database systems require proxying)

D/C

educause-lists () nathanielhall com writes:
When we configured our VPN system we were using Cisco ASA VPN endpoints where we could use port security or 802.1x authentication. While not perfect, it did prevent users from connecting their own network printers, gaming consoles, computers, etc. and essentially allowed a manual split tunnel. Devices plugged into the ASA traversed the VPN for traffic and devices not plugged into the ASA went straight to the Internetz.

--
Nathaniel Hall

On 2/7/2011 2:24 PM, Chris Green wrote:

I'm against it in most scenarios. I think it just causes pain and makes people want to work off-campus less. A better write up than I could do: http://blogs.technet.com/b/tomshinder/archive/2010/03/30/more-on-directaccess-split-tunneling-and-force-tunneling.aspx

1) Are you going to be significantly better at detecting malware if the client is routing through you?
2) Is this same user going to have your data if they don't use the VPN?

The more complicated the home network environment, the more likely killing split tunneling will just annoy your users. USB printer == no problem; Network printer == whoa buddy! You are violating security policy! Save to your hd (not a file share!), disconnect, and then print!

I thought about split tunneling the other night in a separate scenario. Equipment involved: Windows 7 Ultimate Edition, Lockdown Browser, and an Xbox 360. Xbox 360 in Media Center mode streaming content. Dad and kids upstairs, Mom downstairs taking a test. Lockdown Browser complained about there being an active terminal services session. Turns out, Media Center Extender leverages RDP for a portion of its communication, and that was enough to display the Lockdown Browser error message to the user when there is an active session streaming content. Mom (Student) wasn't happy (couldn't do the test); Dad (me) wasn't happy (trying to fix Mom's problem); Kids (3 & 4) weren't happy.

Assuming this self-regulated remote access is an acceptable risk, don't contribute to screwing up people's home network. I do have a network where we pushed a "disable split tunnel" network just so we could apply the same strict rules on campus versus off for a particular device category that mimics the split tunneling blog post from above.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark Monroe
Sent: Monday, February 07, 2011 1:58 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] vpn split tunnel or no split tunnel

We are architecting a new VPN service on campus and some people want split tunneling and some do not. I am not 100% sure either way. Anyone have any examples or data that might push me either way?

Mark Monroe
Information Security Officer
University of Missouri - St. Louis
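Added example, not code from any poster in this thread: whichever way the policy goes, the thing to verify on an actual client is what its routing table does with Internet-bound traffic, because "split" versus "full" tunnel is decided by route precedence, not by the VPN profile name. The script below parses the text output of `ip route show` on a Linux client and does the same longest-prefix-match the kernel does, so it correctly handles the common full-tunnel trick of installing 0.0.0.0/1 and 128.0.0.0/1 (which out-rank the /0 default without removing it, as OpenVPN's `redirect-gateway def1` does). The two route tables are constructed samples; the tunnel device name `tun0`, the VPN server address 203.0.113.10 and the probe address 198.51.100.1 are assumptions for the illustration.

```python
"""Classify a Linux client's VPN as split- or full-tunnel from its routing table.

Added example for this thread, not code from any of the posters. Feed it the
output of `ip route show`; the tables below are constructed samples and the
probe address 198.51.100.1 is an arbitrary documentation-range address
(assumption, not from the thread).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: split tunnel, only campus prefixes go through tun0.
SPLIT_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.20.0.0/16 via 10.250.0.1 dev tun0
10.250.0.0/24 dev tun0 proto kernel scope link src 10.250.0.7
172.16.0.0/12 via 10.250.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42
"""

# Constructed sample: full tunnel in the OpenVPN "redirect-gateway def1" style.
# 0.0.0.0/1 + 128.0.0.0/1 cover everything and out-rank the /0 default; the
# VPN server itself (203.0.113.10, assumed) keeps a host route out the real gateway.
FULL_TUNNEL_ROUTES = """\
0.0.0.0/1 via 10.250.0.1 dev tun0
128.0.0.0/1 via 10.250.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
10.250.0.0/24 dev tun0 proto kernel scope link src 10.250.0.7
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42
"""


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str]


def parse_ip_route(text: str) -> List[Route]:
    """Parse `ip route show` lines; keep only the fields the lookup needs."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = via = None
        # Remaining fields come as "key value" pairs after the destination.
        for key, value in zip(parts[1:], parts[2:]):
            if key == "dev":
                dev = value
            elif key == "via":
                via = value
        if dev is not None:
            routes.append(Route(ipaddress.ip_network(dst, strict=False), dev, via))
    return routes


def lookup(routes: List[Route], address: str) -> Optional[Route]:
    """Longest-prefix match, the same rule the kernel's forwarding lookup applies."""
    addr = ipaddress.ip_address(address)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def classify(routes: List[Route], tunnel_dev: str, probe: str = "198.51.100.1"):
    """Return ("full-tunnel" | "split-tunnel", sorted prefixes routed via tunnel_dev).

    If an arbitrary public address resolves to the tunnel interface, all
    Internet-bound traffic rides the VPN; otherwise only the listed prefixes do.
    """
    via_tunnel = sorted(str(r.prefix) for r in routes if r.dev == tunnel_dev)
    hit = lookup(routes, probe)
    mode = "full-tunnel" if hit is not None and hit.dev == tunnel_dev else "split-tunnel"
    return mode, via_tunnel


if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL_ROUTES), ("full", FULL_TUNNEL_ROUTES)):
        routes = parse_ip_route(table)
        mode, prefixes = classify(routes, "tun0")
        lan = lookup(routes, "192.168.1.50")  # a printer on the home LAN
        print(f"{name}: {mode}; via tun0: {prefixes}; home LAN reached via {lan.dev}")
```

Two things worth noticing in the output. In the full-tunnel table the home LAN (192.168.1.0/24) is still reached directly, because the connected-subnet route is more specific than the two /1 halves; whether a "force tunnel" client also blocks the local subnet (the network-printer complaint above) is a separate client-policy choice, not something the route table alone enforces. And the host route for the VPN server is what keeps the tunnel itself from being routed into the tunnel. On Windows the equivalent input is `route print`, whose format differs, so the parser would need adjusting there.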
Current thread:
- vpn split tunnel or no split tunnel Mark Monroe (Feb 07)
- Re: vpn split tunnel or no split tunnel Nick Kartsioukas (Feb 07)
- Re: vpn split tunnel or no split tunnel Julian Y. Koh (Feb 07)
- Re: vpn split tunnel or no split tunnel James R. Pardonek (Feb 07)
- Re: vpn split tunnel or no split tunnel Valdis Kletnieks (Feb 07)
- Re: vpn split tunnel or no split tunnel Nathaniel Hall (Feb 07)
- Re: vpn split tunnel or no split tunnel Chris Green (Feb 07)
- Re: vpn split tunnel or no split tunnel Nathaniel Hall (Feb 08)
- Re: vpn split tunnel or no split tunnel Dexter Caldwell (Feb 09)
- Re: vpn split tunnel or no split tunnel Nathaniel Hall (Feb 08)
- Re: vpn split tunnel or no split tunnel Greene, Chip (Feb 07)
- Re: vpn split tunnel or no split tunnel Allan Williams (Feb 07)
- Re: vpn split tunnel or no split tunnel Mark Monroe (Feb 07)
- Re: vpn split tunnel or no split tunnel Avdagic, Indir (Feb 07)
- Re: vpn split tunnel or no split tunnel Jesse Thompson (Feb 08)
- Re: vpn split tunnel or no split tunnel Jeff Kell (Feb 08)