Educause Security Discussion mailing list archives

Re: vpn split tunnel or no split tunnel


From: Dexter Caldwell <Dexter.Caldwell () FURMAN EDU>
Date: Wed, 9 Feb 2011 12:49:49 -0500

I agree it's a mixed bag.  Can't say which I think is better in theory,
but I can tell you what we have chosen to do and why.  (Keep in mind
that I agree there are probably as many reasons against
this... Nevertheless...)

We opt for split tunneling for the following reasons:  

1)  We don't need Netflix cable modem streams and the like hitting our
bandwidth that historically has been a precious resource for us.  If you
have many users who work long sessions and keep them connected, they could
have an impact of significance.

2)  If we are concerned about risks of non-split tunneling, we can simply
overlay IPS and/or NAC requirements for security on the entry points or
groups we prefer.  Keep in mind that even if you tunnel all of their
traffic when they are connected to your VPN, you don't tunnel their
traffic when they're not (which is most of the time), which means that they
are probably able to pick up something on their less secure network and in
theory be forced to send the baddies through your network, just so that
you have the option of trying to catch it.  We leave the stuff that's not
for us to their ISPs to worry about.

3)  Home PCs are generally more risky, imho, so the less traffic they
direct our way, the better off I hope to be.  Consider the risk that
clients in the same VPN subnet can pose to each other, knowing that not
everything will be caught by security systems.  The same can be said for
clients on the internal network that are exposed to communication streams
for the remote hosts.  Much of it depends on network and architecture, I
agree.

4)  I hope a MITM attack is harder and less common with a split tunnel
than a simple subnet broadcast or network scan, which is simpler with no
split.

(Agree library database systems require proxying)
D/C

educause-lists () nathanielhall com writes:
When we configured our VPN system we were using Cisco ASA VPN endpoints
where we could use port security or 802.1x authentication.  While not
perfect, it did prevent users from connecting their own network printer,
gaming consoles, computers, etc. and essentially allowed a manual split
tunnel.  Devices plugged into the ASA traversed the VPN for traffic and
devices not plugged into the ASA went straight to the Internetz.

--
Nathaniel Hall

On 2/7/2011 2:24 PM, Chris Green wrote:

I'm against it in most scenarios.  I think it just causes pain and
makes people want to work off-campus less.

A better write up than I could do:

http://blogs.technet.com/b/tomshinder/archive/2010/03/30/more-on-directaccess-split-tunneling-and-force-tunneling.aspx


1)  Are you going to be significantly better at detecting
malware if the client is routing through you?

2)  Is this same user going to have your data if they don't
use the VPN?


The more complicated the home network environment, the more likely
killing split tunneling will just annoy your users.

USB printer == no problem;

Network printer == whoa buddy! You are violating security policy!  Save
to your hd (not a file share!), disconnect, and then print!


I thought about split tunneling the other night in a separate scenario.
Equipment involved: Windows 7 Ultimate Edition, Lockdown Browser, and an
Xbox 360.  Xbox 360 in Media Center mode streaming content.  Dad and
kids upstairs, Mom downstairs taking a test.  Lockdown Browser complained
about there being an active terminal services session.  Turns out, the Media
Center extender leverages RDP for a portion of its communication, and that was
enough to display the Lockdown Browser error message to the user when there is an
active session streaming content.  Mom (student) wasn't happy
(couldn't do the test); Dad (me) wasn't happy (trying to fix Mom's
problem); Kids (3 & 4) weren't happy.


Assuming this self-regulated remote access is an acceptable risk, don't
contribute to screwing up people's home network.


I do have a network where we pushed a "disable split tunnel" network
just so we could apply the same strict rules on campus versus off for a
particular device category that mimics the split tunneling blog post from
above.


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark Monroe
Sent: Monday, February 07, 2011 1:58 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] vpn split tunnel or no split tunnel

We are architecting a new VPN service on campus and some people want
split tunneling and some do not. I am not 100% sure either way. Anyone
have any examples or data that might push me either way?

Mark Monroe
Information Security Officer
University of Missouri - St. Louis
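The three policies the thread argues about (force everything through campus, split by destination, or force-tunnel but keep the home LAN reachable for Chris Green's network-printer case) map onto distinct Cisco ASA group-policy settings, since Nathaniel Hall mentions ASA endpoints. This is an added, constructed configuration fragment, not anything posted in the thread; the group-policy name GP_REMOTE, the ACL names and the 10.0.0.0/8 campus range are assumptions.

```cisco
! Constructed example (not from the thread). GP_REMOTE, the ACL names
! and 10.0.0.0/8 are placeholders for a real campus deployment.

! Option A: force tunnel. Every client packet, including home streaming,
! crosses the VPN and consumes campus bandwidth, but all of it can be
! inspected by campus IPS.
group-policy GP_REMOTE attributes
 split-tunnel-policy tunnelall

! Option B: split tunnel. Only campus prefixes enter the tunnel; the rest
! leaves via the user's ISP. Pair this with NAC/IPS on the VPN entry point,
! since the client is otherwise exposed to its local network.
access-list SPLIT_TUNNEL_ACL standard permit 10.0.0.0 255.0.0.0
group-policy GP_REMOTE attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_ACL

! Option C: force tunnel but exclude the client's local LAN, which is
! Cisco's documented local-LAN-access pattern. This keeps a home network
! printer reachable while all Internet-bound traffic still goes via campus.
access-list LOCAL_LAN_ACL standard permit host 0.0.0.0
group-policy GP_REMOTE attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value LOCAL_LAN_ACL
```

The AnyConnect client must also have "Allow local LAN access" enabled for option C to take effect; without it the exclusion is configured but not honoured on the endpoint.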