Firewall Wizards mailing list archives
Re: VPN Split-tunneling: Your opinion?
From: "Behm, Jeff" <jbehm () burnsmcd com>
Date: Fri, 19 Jun 2009 09:14:05 -0500
From a web filtering/outbound access through a proxy/firewall point of view, with split tunneling, I see clients going out to the Internet (HTTP/HTTPS, at least) completely unfiltered. With full tunneling, I see clients connecting back to "corporate" and going out through the firewall/proxy/web filter, which provides some sane level of filtering.

From that standpoint, the feeling is that there is some level of security gained by pushing the traffic through the firewall/proxy/web filter that is not had by allowing split tunneling.

From the "My client is compromised/misconfigured and now is allowing routing into the trusted network" standpoint, I don't think that attack vector is necessarily all that prevalent. It doesn't need to be from an intruder's view. It seems to be much easier to get people to click on this link, or open that attachment, or give out a password in exchange for a candy bar in order to perform an attack.

While I personally am not a fan of split tunneling from a security point of view, even if the client is misconfigured and allows routing in, that in itself isn't necessarily *bad.* It depends on why the client is misconfigured (i.e. was it a dumb user, or malicious bad guy), who is on the other end of that route, what their intentions are (perhaps no intentions at all), and whether or not they are smart enough to exploit a misconfigured PC (i.e. route) to get into your network.

Jeff

On Friday, June 19, 2009 1:05 AM, Amuse said:
I was wondering what each of your opinions are RE: VPN Split-tunneling.

Do you consider a split-tunnel setup to be particularly risky to allow from a security point of view? Compared to typical (modern) exploits such as trojans via email, XSS, web based attacks, etc - do you think that the risk of a client becoming misconfigured and allowing routing into the private network via a split tunnel is particularly prevalent?