Educause Security Discussion mailing list archives
Re: VPN service -- Quick Poll (split tunneling?)
From: Dave Koontz <dkoontz () MBC EDU>
Date: Fri, 9 Mar 2012 19:56:02 -0500
This topic is always a lively discussion! ;-) But I believe the conversations of old may need to be re-examined with today's technology options in mind.

First disclosure: we only allow supervisor-approved access to our VPN for our users, and only on institutionally owned machines. A fallback for a pandemic or other emergency is in place where those rules change.

Like many of you, we ran Cisco VPN concentrators for years and forced our remote users through our limited-bandwidth pipe whenever they needed a campus resource, and ALL traffic came through our pipe for security reasons. Since we did not allow split tunneling, our remote office users could not even do simple things like print to their local printers from our ERP system.

We have recently upgraded our systems to use the Palo Alto SSL VPN / GlobalProtect client. This is generally set up as a purely SSL VPN, but can also act as a Cisco-style IPSec VPN for site-to-site VPN tunnels, or for setups on iPads and the like.

So, we have moved away from not allowing split tunneling to embracing it - with proper control and network access limitations. With Palo Alto we can determine which traffic we allow into our core, and all others are blocked. And even the traffic that comes into our core must pass the IPS rules to ensure that the traffic is safe.

It's always a delicate balance to enable users, yet protect our networks. I believe modern technology can give you that balance, if properly configured. Don't ask a 10-year-old product to try to do this.

On 3/9/2012 3:25 PM, Kris Monroe wrote:
> For those that have answered yes, would you mind outlining whether you allow split tunneling or not? I would also appreciate your rationale one way or the other. I've always been taught that split tunneling is a really bad idea, but this topic has recently come up in our remote access project.
>
> --
> Kris Monroe, CISSP, CISA, CISM
> Information Security Officer
> Office of Information Technology Services
> Job Hall, Ithaca College
> 953 Danby Rd. | Ithaca, NY 14850
> 607.274.1997 | 607.274.1484 fax
> kmonroe () ithaca edu | ithaca.edu
> Follow us: facebook.com/ICInfosec | twitter.com/IC_infosec
>
> On 3/9/2012 9:18 AM, Zahid Mehmood wrote:
>> Hi All,
>>
>> Quick Poll Please:
>> 1. Is your campus using, or does it plan to use, VPN access for remote users?
>> 2. What vendor(s) and protocols (SSL, IPSec, other) are you using?
>> 3. How many concurrent remote users can your system support?
>> 4. Do you offer any specialized/custom VPN services for departments, researchers, etc.?
>> 5. Is your VPN offering part of your DR plan/requirement?
>>
>> Thanks!
>> Zahid Mehmood
>> Network Software and IT Enablement Systems
>> Columbia University Information Technology
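The two designs Dave contrasts above (a full tunnel that pulls every flow through the campus pipe versus a split tunnel where only campus-bound traffic is tunneled and is then filtered by an explicit core-access policy) can be modelled in a few lines. The following is an added illustration, not code from the list post or from any Palo Alto or Cisco product; the campus prefixes, the ERP/DNS service rules and the sample flows are constructed values, and the outcome labels ("direct", "tunnel", "tunnel-egress", "unreachable", "blocked") are this example's own vocabulary.

```python
"""
Added example: how a VPN client's tunnel policy and the gateway's core-access
policy together decide what happens to each remote-user flow.
All prefixes, hosts and ports are constructed sample values.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# RFC 1918 space, used to detect destinations on the user's own home/office LAN.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class CoreService:
    """A destination network and the ports the gateway lets tunneled traffic reach."""
    network: IPv4Network
    ports: frozenset


@dataclass(frozen=True)
class VpnPolicy:
    mode: str            # "full": every flow rides the tunnel; "split": only campus prefixes do
    campus_prefixes: tuple  # routes pushed to the client in split mode
    core_allow: tuple    # CoreService rules enforced at the gateway; anything else is dropped

    def decide(self, dst_ip: str, dst_port: int) -> str:
        dst = ip_address(dst_ip)
        on_campus = any(dst in net for net in self.campus_prefixes)

        if not on_campus:
            if self.mode == "split":
                # Split tunnel: local printers and internet traffic never touch the campus pipe.
                return "direct"
            if any(dst in net for net in RFC1918):
                # Full tunnel: a private LAN address is forced into the tunnel, and the campus
                # side has no route back to the user's home network (the "can't print" problem).
                return "unreachable"
            # Full tunnel: internet-bound traffic rides the tunnel and exits via campus bandwidth.
            return "tunnel-egress"

        # Campus-bound traffic must match an explicit allow rule before it enters the core.
        for svc in self.core_allow:
            if dst in svc.network and dst_port in svc.ports:
                return "tunnel"
        return "blocked"


def classify_flows(policy: VpnPolicy, flows) -> Counter:
    """Count outcomes for a list of (dst_ip, dst_port) flows under a policy."""
    return Counter(policy.decide(ip, port) for ip, port in flows)


# Constructed campus layout: two internal prefixes, an ERP web front end and a DNS subnet.
CAMPUS = (ip_network("10.20.0.0/16"), ip_network("172.16.0.0/12"))
CORE = (
    CoreService(ip_network("10.20.5.10/32"), frozenset({443})),  # ERP over HTTPS only
    CoreService(ip_network("10.20.1.0/24"), frozenset({53})),    # campus resolvers
)
FULL_TUNNEL = VpnPolicy("full", CAMPUS, CORE)
SPLIT_TUNNEL = VpnPolicy("split", CAMPUS, CORE)

# Constructed sample flows from a remote-office user.
SAMPLE_FLOWS = [
    ("10.20.5.10", 443),     # ERP
    ("10.20.1.5", 53),       # DNS
    ("192.168.1.50", 9100),  # printer in the remote office
    ("203.0.113.10", 443),   # a public web site
    ("10.20.5.10", 22),      # SSH to the ERP host, not an allowed service
]

if __name__ == "__main__":
    for name, policy in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(name, dict(classify_flows(policy, SAMPLE_FLOWS)))
```

Run as a script it prints one outcome tally per mode; the interesting contrast is the printer flow, which is "direct" under the split policy and "unreachable" under the full tunnel, while the campus-bound flows are filtered identically in both modes because the core-access rules, not the tunnel mode, decide what reaches the core.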