Firewall Wizards mailing list archives

Re: VPN Split-tunneling: Your opinion?


From: "Behm, Jeff" <jbehm () burnsmcd com>
Date: Fri, 19 Jun 2009 09:14:05 -0500

From a web filtering/outbound access through a proxy/firewall point of
view, with split tunneling, I see clients going out to the Internet
(HTTP/HTTPS, at least) completely unfiltered.

With full tunneling, I see clients connecting back to "corporate" and
going out through the firewall/proxy/web filter, which provides some
sane level of filtering.

From that standpoint, the feeling is that there is some level of
security gained by pushing the traffic through the firewall/proxy/web
filter that is not had by allowing split tunneling.


From the "My client is compromised/misconfigured and now is allowing
routing into the trusted network" standpoint, I don't think that attack
vector is necessarily all that prevalent. It doesn't need to be from an
intruder's view. It seems to be much easier to get people to click on
this link, or open that attachment, or give out a password in exchange
for a candy bar in order to perform an attack.

While I personally am not a fan of split tunneling from a security point
of view, even if the client is misconfigured and allows routing in, that
in itself isn't necessarily *bad.* It depends on why the client is
misconfigured (i.e. was it a dumb user, or malicious bad guy), who is on
the other end of that route, what their intentions are (perhaps no
intentions at all), and whether or not they are smart enough to exploit
a misconfigured PC (i.e. route) to get into your network.

Jeff

On Friday, June 19, 2009 1:05 AM, Amuse said:

I was wondering what each of your opinions are RE: VPN Split-tunneling.
Do you consider a split-tunnel setup to be particularly risky to allow
from a security point of view? Compared to typical (modern) exploits
such as trojans via email, XSS, web based attacks, etc - do you think
that the risk of a client becoming misconfigured and allowing routing
into the private network via a split tunnel is particularly prevalent?
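As an added illustration of the two traffic paths described above (example code, not from the thread or its authors): a small Python audit that reads a Linux `ip route show` table and reports whether Internet-bound traffic leaves via the VPN interface (full tunnel) or via the local interface while private prefixes are still routed into the tunnel (split tunnel), plus which private prefixes a compromised split-tunnel client would expose. The two route tables and the interface name tun0 are constructed for the example.

```python
import ipaddress

# Constructed sample tables in Linux `ip route show` format; every address here is made up.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.10 via 192.168.1.1 dev wlan0
"""
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PROBE_IP = ipaddress.ip_address("198.51.100.1")  # TEST-NET-2 address standing in for "the Internet"

def parse_routes(text):
    """Parse `ip route show` lines into (network, dev, metric) tuples; assumes IPv4 only."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        dst = ipaddress.ip_network("0.0.0.0/0" if tok[0] == "default" else tok[0], strict=False)
        dev = tok[tok.index("dev") + 1] if "dev" in tok else "?"
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok else 0
        routes.append((dst, dev, metric))
    return routes

def egress_dev(routes, addr):
    """Longest-prefix match, lowest metric breaks ties: the interface that carries traffic to addr."""
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[2]))[1] if hits else None

def vpn_private_routes(routes, vpn_dev):
    """Private (RFC 1918) prefixes routed over the VPN: what a compromised client could expose."""
    return sorted(str(dst) for dst, dev, _ in routes
                  if dev == vpn_dev and any(dst.subnet_of(p) for p in PRIVATE_NETS))

def classify(route_text, vpn_dev):
    """'full' if Internet-bound traffic leaves via the VPN interface, 'split' if it leaves
    via another interface while the VPN still holds routes, 'no-vpn' if the VPN holds none."""
    routes = parse_routes(route_text)
    if not any(dev == vpn_dev for _, dev, _ in routes):
        return "no-vpn"
    return "full" if egress_dev(routes, PROBE_IP) == vpn_dev else "split"
```

On a real client, feed the output of `ip route show` into `classify()` with the tunnel interface name; a "split" result with a non-empty `vpn_private_routes()` list is the combination the thread is discussing.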