Educause Security Discussion mailing list archives
Re: vpn split tunnel or no split tunnel
From: "Avdagic, Indir" <indir_avdagic () WSU EDU>
Date: Mon, 7 Feb 2011 14:46:37 -0800
We have implemented split tunneling for our SSL VPN and IPSec remote access VPNs to make sure that all our users' connections (when they are outside of our campus) to the internal resources are encrypted. During the VPN sessions all their other network traffic (like web browsing) goes through the local ISP connection. By enabling our users to get access to our internal networks through the secure connection from any outside location we have accomplished the main purpose of the VPN services. To solve access problems for off-campus library resources through the VPN connection we added at the VPN gateway all outside library resources' IP addresses to the list of destination internal IPs that can be accessed through the split-tunneled encrypted connection.

I hope this helps.

Best Regards,
Indir

_______________________________
Indir Avdagic, MSEM, CISSP, ACSA, TICSA
Information Systems Security Manager
Washington State University
indir_avdagic () wsu edu
Phone: (509) 335-3279

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Allan Williams
Sent: Monday, February 07, 2011 12:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] vpn split tunnel or no split tunnel

G'day,

We implemented split tunnelling since the purpose of the VPN was to secure communications back to the University and we didn't want to pay for or log home user downloads. Of course none of our users do, BUT hypothetically, if a user on their home machine surfs for porn, runs BitTorrent, etc., we didn't see the need to have knowledge of this or for this traffic to transit our network.

The drawback of split tunnelling for us has been access to off-campus library resources that use IP-based access control. With a split tunnel, the user's web browser will attempt to make a connection directly, not via an approved/allowed university IP address.

To overcome this we had to implement a reverse proxy which allowed VPN and non-VPN users access to external resources. In general we have promoted the reverse proxy as the primary access to some on- and off-campus web resources and reserved VPN access for those that require secure access to university enterprise systems (finance, HR, student, etc.).

Regards,
Allan

On 08/02/2011, at 6:58 AM, Mark Monroe wrote:

We are architecting a new VPN service on campus and some people want split tunneling and some do not. I am not 100% sure either way. Anyone have any examples or data that might push me either way?

Mark Monroe
Information Security Officer
University of Missouri - St. Louis

==================================
Allan Williams
Director IT Infrastructure
Division of Information
South Oval Building #88T
The Australian National University
Canberra ACT 0200
T: +61 2 6125 8404
F: +61 2 6125 7699
www.anu.edu.au
CRICOS Provider #00120C
==================================
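The two replies above describe the same mechanism from opposite ends: the VPN gateway pushes an "include list" of destination prefixes to the client, anything matching goes through the tunnel and leaves the campus egress address, and anything else goes straight out the home ISP connection. Allan's library problem and Indir's fix (append the vendors' address ranges to the include list) both fall out of that lookup. The following is an added example, written for this page and not code from either poster or their universities; every address, prefix and vendor allow-list in it is constructed for illustration.

```python
"""Split-tunnel route decision model (added example, not from the thread).

All prefixes and addresses below are constructed RFC 5737 / RFC 1918 values,
not real WSU or ANU address space.
"""
import ipaddress
from typing import Iterable, List

# Constructed sample data.
INTERNAL_PREFIXES = ["10.0.0.0/8", "192.0.2.0/24"]   # campus networks (constructed)
LIBRARY_PREFIXES = ["198.51.100.0/24"]                # off-campus e-resource vendor (constructed)
HOME_ISP_ADDRESS = "203.0.113.77"                     # the user's home address (constructed)
CAMPUS_EGRESS = "192.0.2.10"                          # address the gateway NATs tunnel traffic to (constructed)
VENDOR_ALLOW_LIST = ["192.0.2.0/24"]                  # what the library vendor's IP ACL permits (constructed)


def split_tunnel_includes(internal: Iterable[str], extra: Iterable[str] = ()) -> List[str]:
    """Build the include list the gateway pushes to clients.

    Indir's fix is literally this: the internal destinations plus the
    outside library ranges, collapsed so overlapping entries do not
    bloat the client's routing table.
    """
    nets = [ipaddress.ip_network(p, strict=True) for p in (*internal, *extra)]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def build_tunnel_table(prefixes: Iterable[str]):
    """Parse an include list, longest prefix first, as a client routing table would."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return sorted(nets, key=lambda n: n.prefixlen, reverse=True)


def route_for(dest: str, tunnel_table) -> str:
    """'tunnel' if dest matches an include-list prefix, otherwise 'direct' via the home ISP."""
    addr = ipaddress.ip_address(dest)
    for net in tunnel_table:
        if addr.version == net.version and addr in net:
            return "tunnel"
    return "direct"


def source_seen_by(dest: str, tunnel_table) -> str:
    """The source address the destination server sees: campus egress or the home ISP."""
    return CAMPUS_EGRESS if route_for(dest, tunnel_table) == "tunnel" else HOME_ISP_ADDRESS


def library_allows(dest: str, tunnel_table, allow_list: Iterable[str] = VENDOR_ALLOW_LIST) -> bool:
    """Simulate the vendor's IP-based access control against the observed source address."""
    src = ipaddress.ip_address(source_seen_by(dest, tunnel_table))
    return any(src in ipaddress.ip_network(p, strict=True) for p in allow_list)


if __name__ == "__main__":
    library_host = "198.51.100.5"   # constructed address of an e-journal platform
    # Allan's situation: only internal prefixes are tunneled.
    before = build_tunnel_table(split_tunnel_includes(INTERNAL_PREFIXES))
    print("before:", route_for(library_host, before), source_seen_by(library_host, before),
          "allowed" if library_allows(library_host, before) else "DENIED")
    # Indir's fix: append the library ranges to the include list.
    after = build_tunnel_table(split_tunnel_includes(INTERNAL_PREFIXES, LIBRARY_PREFIXES))
    print("after: ", route_for(library_host, after), source_seen_by(library_host, after),
          "allowed" if library_allows(library_host, after) else "DENIED")
    # Ordinary browsing still stays off campus in both cases.
    print("web:   ", route_for("93.184.216.34", after), source_seen_by("93.184.216.34", after))
```

The include list is keyed on IP prefixes, so this only works for vendors whose address ranges are stable and published; a vendor that moves behind a CDN or changes ranges silently will fall back to the direct path and start being denied again, which is one reason Allan's reverse-proxy approach (where the proxy, not the client's route table, decides what leaves from a campus address) does not have this maintenance burden.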
Current thread:
- Re: vpn split tunnel or no split tunnel, (continued)
- Re: vpn split tunnel or no split tunnel Julian Y. Koh (Feb 07)
- Re: vpn split tunnel or no split tunnel James R. Pardonek (Feb 07)
- Re: vpn split tunnel or no split tunnel Valdis Kletnieks (Feb 07)
- Re: vpn split tunnel or no split tunnel Nathaniel Hall (Feb 07)
- Re: vpn split tunnel or no split tunnel Chris Green (Feb 07)
- Re: vpn split tunnel or no split tunnel Nathaniel Hall (Feb 08)
- Re: vpn split tunnel or no split tunnel Dexter Caldwell (Feb 09)
- Re: vpn split tunnel or no split tunnel Nathaniel Hall (Feb 08)
- Re: vpn split tunnel or no split tunnel Greene, Chip (Feb 07)
- Re: vpn split tunnel or no split tunnel Allan Williams (Feb 07)
- Re: vpn split tunnel or no split tunnel Mark Monroe (Feb 07)
- Re: vpn split tunnel or no split tunnel Avdagic, Indir (Feb 07)
- Re: vpn split tunnel or no split tunnel Jesse Thompson (Feb 08)
- Re: vpn split tunnel or no split tunnel Jeff Kell (Feb 08)