PaulDotCom mailing list archives
Re: VPN Split DNS
From: "Colin Edwards" <colin.p.edwards () gmail com>
Date: Tue, 5 Mar 2013 09:31:25 -0500

"Simple question: does the "datacenter" network want to trust the entire remote network? If so, go for split tunneling. If there is anything on the remote network that you don't want to trust, disallow split tunneling."

And to add to that, if your branch office's network can't be trusted, then it's probably time to address the security of that network. I expect admins to disable split tunneling when hosts are connecting from potentially hostile networks (i.e. an employee's home network where there is no knowledge or control over the security of the other hosts or firewall on that network). But if there are concerns about your branch office's network being hostile, then the first step should be implementing some baseline security requirements so all of your networks can be considered trusted.

From: pauldotcom-bounces () mail pauldotcom com [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Herndon Elliott
Sent: Tuesday, March 05, 2013 7:53 AM
To: pauldotcom () mail pauldotcom com
Subject: Re: [Pauldotcom] VPN Split DNS
We have some branch offices that connect to a client VPN in our datacenter to access certain resources. Currently we are sending all traffic through the VPN when they connect, but this keeps them from being able to access resources on their network.
What are the security concerns of using split DNS to allow them to access
Split DNS = split tunneling, I think you mean.

Simple question: does the "datacenter" network want to trust the entire remote network? If so, go for split tunneling. If there is anything on the remote network that you don't want to trust, disallow split tunneling.

My experience is split tunneling is very, very high-risk for the target of the VPN.

Herndon Elliott
Madison, Al
https://keyserver.pgp.com key ID: 24B60B6150130832
ΜΟΛΩΝ ΛΑΒΕ "molon labe"
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com