Re: VPN Split DNS

[Matthew Perry <mlperry () gmail com>]

Thanks for all of the responses so far.  I did mean split tunneling and not
split DNS, so I will look into some of the suggestions.

Colin - I agree with you that if we are worried about the network security
of the branch office that we should implement some security around that
office to make it trusted.


On Tue, Mar 5, 2013 at 8:31 AM, Colin Edwards <colin.p.edwards () gmail com>wrote:

> "Simple question: does the "datacenter" network want to trust the entire
> remote network?  If so, go for split tunneling.  If there is anything on
> the remote network that you dont want to trust, disallow split tunneling."
> ****
>
> ** **
>
> And to add to that, if your branch office's network can't be trusted, then
> it's probably time to address the security of that network.  I expect
> admins to disable split tunneling when host are connecting from potentially
> hostile networks (i.e. an employee's home network where there is no
> knowledge or control over the security of the other hosts or firewall on
> that network).  But if there are concerns about your branch office's
> network being hostile, then the first step should be implementing some
> baseline security requirements so all of your networks can be considered
> trusted.****
>
> ** **
>
> ** **
>
> ** **
>
> ** **
>
> *From:* pauldotcom-bounces () mail pauldotcom com [mailto:
> pauldotcom-bounces () mail pauldotcom com] *On Behalf Of *Herndon Elliott
> *Sent:* Tuesday, March 05, 2013 7:53 AM
> *To:* pauldotcom () mail pauldotcom com
> *Subject:* Re: [Pauldotcom] VPN Split DNS****
>
> ** **
>
> > Subject: [Pauldotcom] VPN Split DNS
> > Message-ID: CANMo1R4=<CANMo1R4=P-sB22d71opr4uZ4CZT5pKi3EBpzJduK8RvZ2-UmCQ () mail gmail com>
> P-sB22d71opr4uZ4CZT5pKi3EBpzJduK8RvZ2-UmCQ () mail gmail com
> > We have some branch offices that connect to a client VPN in our
> datacenter
> > to access certain resources. Currently we are sending all traffic through
> > the VPN when they connect, but this keeps them from being able to access
> > resources on their network.
> > ****
>
> > What are the security concerns of using split DNS to allow them to access
> ****
>
> Split DNS = split tunneling, I think you mean.****
>
>  ****
>
> Simple question: does the "datacenter" network want to trust the entire
> remote network?  If so, go for split tunneling.  If there is anything on
> the remote network that you dont want to trust, disallow split tunneling.*
> ***
>
>  ****
>
> My experience is split tunneling is very, very high-risk for the target of
> the VPN.
> ****
>
>
> Herndon Elliott
> Madison, Al
> https://keyserver.pgp.com key ID: 24B60B6150130832
> ΜΟΛΩΝ ΛΑΒΕ  "molon labe"****
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com



-- 
Matthew Perry

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com