Educause Security Discussion mailing list archives

Re: vpn split tunnel or no split tunnel


From: Mark Monroe <markm196 () NETSCAPE NET>
Date: Mon, 7 Feb 2011 15:07:15 -0600

Uhg....

I guess that the biggest issue that I really have is, if they use split tunneling and their system is infected with something, that data would be relayed to the bot network (or whatever) without going through campus and would not be caught by our alerts or IPS. If it does go through campus, there is a chance that my IPS is updated enough or aware of the IP or domain and can block it, and we can help the user clean their system.

BUT.. we would be squeezing all of their internet traffic through our VPN and "wasting" resources and slowing the user experience down. I think that we can deal with the special cases that need to come from campus IPs with some tunneling rules.

Still have some things to think about.

Mark

On 2/7/2011 2:41 PM, Allan Williams wrote:
G'day,
We implemented split tunnelling since the purpose of the VPN was to secure communications back to the University and we didn't want to pay for or log home user downloads. Of course none of our users do, BUT hypothetically, if a user on their home machine surfs for porn, runs a BitTorrent client etc., we didn't see the need to have knowledge of this or for this traffic to transit our network.

The drawback of split tunnelling for us has been access to off-campus library resources that use IP-based access control. With a split tunnel, the user's web browser will attempt to make a connection directly, not via an approved/allowed university IP address. To overcome this we had to implement a reverse proxy which allowed VPN and non-VPN users access to external resources. In general we have promoted the reverse proxy as the primary access to some on- and off-campus web resources and reserved VPN access to those that require secure access to university enterprise systems (finance, HR, student etc.).

Regards,
        Allan

On 08/02/2011, at 6:58 AM, Mark Monroe wrote:

We are architecting a new VPN service on campus and some people want split tunneling and some do not. I am not 100% sure either way. Anyone have any examples or data that might push me either way?

Mark Monroe
Information Security Officer
University of Missouri - St. Louis
==================================
Allan Williams
Director IT Infrastructure
Division of Information
South Oval
Building #88T
The Australian National University
Canberra ACT 0200

T: +61 2 6125 8404
F: +61 2 6125 7699
www.anu.edu.au

CRICOS Provider #00120C
==================================
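As an added illustration (not code from this thread or either university), the Python below models which client destinations transit campus, and are therefore visible to the campus IPS, under a full-tunnel versus a split-tunnel route push, including the extra "must egress from a campus IP" rules Mark mentions for IP-restricted library resources. All prefixes are constructed documentation ranges, not real campus or vendor allocations, and the model assumes tunnel routes take precedence over the client's own default route.

```python
import ipaddress

# Constructed sample prefixes (RFC 5737 / RFC 1918 style); not real allocations.
CAMPUS_PREFIXES = ["10.0.0.0/8", "192.0.2.0/24"]
# A library vendor that grants access by source IP: traffic to it must
# leave from a campus address, so it needs a tunnel route even in split mode.
LIBRARY_PREFIXES = ["198.51.100.0/24"]


def pushed_routes(mode, extra=()):
    """Return the route list a VPN concentrator would push to a client.

    full  -> a default route via the tunnel; every flow transits campus.
    split -> only campus prefixes plus any extra "must come from campus"
             prefixes (the tunneling rules for special cases).
    """
    if mode == "full":
        nets = ["0.0.0.0/0"]
    elif mode == "split":
        nets = list(CAMPUS_PREFIXES) + list(extra)
    else:
        raise ValueError(f"unknown mode: {mode}")
    return [ipaddress.ip_network(n) for n in nets]


def via_campus(dst, routes):
    """True if dst is covered by any pushed tunnel route.

    Assumption: a pushed route is always preferred over the client's local
    default, so membership in any tunnel route means the flow transits campus.
    """
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in routes)


def inspected_flows(dsts, routes):
    """Split destinations into (seen by campus IPS, bypassing campus)."""
    seen, bypass = [], []
    for d in dsts:
        (seen if via_campus(d, routes) else bypass).append(d)
    return seen, bypass


if __name__ == "__main__":
    # Constructed destinations: a campus host, the library vendor, and an
    # arbitrary third-party host that an infected client might talk to.
    targets = ["10.1.2.3", "198.51.100.7", "203.0.113.9"]
    for mode, extra in [("full", ()), ("split", ()), ("split", LIBRARY_PREFIXES)]:
        seen, bypass = inspected_flows(targets, pushed_routes(mode, extra))
        print(f"{mode:5} extra={list(extra)}: IPS sees {seen}, bypass {bypass}")
```

Under split tunnelling the third-party host never transits campus, which is exactly the flow Mark's IPS would miss; adding the library prefix to the push fixes the IP-based access problem Allan describes without dragging all home traffic through the VPN.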