nanog mailing list archives

Re: Juniper MAG/SA question - re: split tunneling policy and use of JSAM/WSAM


From: Eugeniu Patrascu <eugen () imacandi net>
Date: Thu, 26 Dec 2013 21:58:03 +0200

On Tue, Dec 24, 2013 at 7:50 PM, Herro91 <herro91 () gmail com> wrote:

> Hello J-NSP and Nanog members
>
> Hopefully this is the right forum for this discussion - if not my apologies
> for further clogging your inbox.
>
> Here it goes:
>
> Would you consider use of JSAM/WSAM to selectively proxy and tunnel certain
> applications a form of split tunneling? The traditional concept of split
> tunnels looks at all traffic Layer 3 and above, versus JSAM/WSAM which
> looks at application traffic at Layer 7.


It's still Layer 3, but it looks at the application name which sends the
traffic in order to selectively tunnel specific destination networks and
ports.

I wouldn't call it split tunneling, but it depends on how your security
policy classifies this kind of traffic.
It's also worth looking at what risks this may bring to your exposed
services, as it checks for the process name, not necessarily for it to be valid
(you can always create an outlook.exe app that tries to crash the Exchange
CAS or something similar).


> The context for all of this is from a previous question I put out regarding
> split tunneling policy on government networks.




