nanog mailing list archives
Re: Juniper MAG/SA question - re: split tunneling policy and use of JSAM/WSAM
From: Eugeniu Patrascu <eugen () imacandi net>
Date: Thu, 26 Dec 2013 21:58:03 +0200
On Tue, Dec 24, 2013 at 7:50 PM, Herro91 <herro91 () gmail com> wrote:
> Hello J-NSP and Nanog members,
>
> Hopefully this is the right forum for this discussion - if not, my apologies for further clogging your inbox.
>
> Here it goes: Would you consider use of JSAM/WSAM to selectively proxy and tunnel certain applications a form of split tunneling? The traditional concept of split tunnels looks at all traffic Layer 3 and above, versus JSAM/WSAM, which looks at application traffic at Layer 7.
It's still Layer 3, but it looks at the application name which sends the traffic in order to selectively tunnel specific destination networks and ports. I wouldn't call it split tunneling, but it depends on how your security policy classifies this kind of traffic. It's also worth looking at what risks this may bring to your exposed services, as it checks for the process name, not necessarily for it to be valid (you can always create an outlook.exe app that tries to crash the Exchange CAS or something similar).
> The context for all of this is from a previous question I put out regarding split tunneling policy on government networks.