
Pix and split tunnel

18 years 11 months ago #12062 by susetechie
Hi All,

The higher-ups want to be able to access the internet while on VPN. I have warned of the security risks and such, but we all know how politics go! I am pretty sure my only option is split tunnel. I have a question on the syntax. This is how I assume it needs to be entered:

access-list split_tunnel permit ip protected_network protected_subnet vpnclient_network vpnclient_subnet

My inside interface for the PIX is on the 192.168.xx.0 network. My VPN address pool is also on this network. Assuming this, would the following be correct?

access-list split_tunnel permit ip 192.168.xx.0 255.255.255.0 192.168.xx.0 255.255.255.0

Thanks

"Go away or I will replace you with a very small shell script"
18 years 11 months ago #12071 by Chris
Replied by Chris on topic Re: Pix and split tunnel
susetechie,

One thing which is not clear to me: do your clients connect to your PIX (terminate their VPN on it) from the Internet, or are they on the local LAN and simply want to access the Internet from there?

e.g.

LAN
PIX===Internet=====VPN CLient

or

LAN/VPN Clients
PIX====Internet====PIX

Cheers,

Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
18 years 11 months ago #12072 by susetechie
Replied by susetechie on topic Re: Pix and split tunnel
Chris,

Thanks for replying. These are VPN users from home, so they are at home with cable modems/DSL modems and such. They are not on the local LAN.

Thanks

"Go away or I will replace you with a very small shell script"
18 years 10 months ago #12194 by anti-hack
Replied by anti-hack on topic Split Tunneling
In my humble opinion the following configuration should be made on the VPN server:

access-list VPNgroupname_splitTunnelAcl permit ip 192.168.0.0 255.255.0.0 any
vpngroup VPNgroupname split-tunnel VPNgroupname_splitTunnelAcl

Also the VPN client has to be configured to allow local LAN access.

This should help them connect to the internet.

Thanx.
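As an added worked example (editor's addition, not configuration posted by anyone in this thread), here is a minimal PIX 6.3 remote-access setup that puts the access-list/vpngroup pair above in context: the split-tunnel ACL only does its job together with a NAT exemption for the client pool and the crypto map that terminates the clients on the outside interface. Everything here is assumed for illustration: the inside LAN 192.168.1.0/24, a client pool 192.168.5.0/24 kept on a separate subnet from the LAN, the interface names `inside`/`outside`, the group name `remote`, and the DNS server and domain. Lines beginning with `!` are annotations, not configuration.

```cisco
! Assumed addressing (example only)
!   inside LAN:         192.168.1.0/24  behind interface "inside"
!   VPN client pool:    192.168.5.0/24  (separate subnet, so routing is unambiguous)
!   VPN terminates on:  interface "outside"

! Address pool handed out to Cisco VPN Clients
ip local pool vpnpool 192.168.5.1-192.168.5.254

! Split-tunnel ACL: only the inside LAN is pushed to the client as a secure route.
! Anything NOT matched here (the public Internet, the client's home LAN) leaves
! the client's local interface in the clear, which is the exposure this thread is about.
access-list split_tunnel permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0

! NAT exemption: LAN-to-client traffic must not be translated, otherwise the
! return traffic never matches the tunnel.
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list nonat

! Let decrypted IPsec traffic bypass the outside interface ACL
sysopt connection permit-ipsec

! Phase 1 (ISAKMP) and Phase 2 (IPsec) parameters
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap client configuration address initiate
crypto map vpnmap client authentication LOCAL
crypto map vpnmap interface outside

! Group policy pushed to the client; the split-tunnel line references the ACL above
vpngroup remote address-pool vpnpool
vpngroup remote dns-server 192.168.1.10
vpngroup remote default-domain example.com
vpngroup remote split-tunnel split_tunnel
vpngroup remote idle-time 1800
vpngroup remote password <group-pre-shared-key>

! To go back to tunnel-everything later, remove only the split-tunnel line:
! no vpngroup remote split-tunnel split_tunnel
```

A quick check after a client connects: `show crypto ipsec sa` on the PIX should list a security association whose local and remote proxy identities match the ACL above (LAN subnet to the client's pool address), and the client's route/statistics view should show only 192.168.1.0/24 as a secured network. If the secured-network list is empty the client never received the split ACL; if the Internet is unreachable from the client the group is still tunnelling everything.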
18 years 10 months ago #12249 by TheeGreatCornholio
Hello All...

I've got to throw my two cents in on this one...

I've never been a fan of split tunneling, especially when it comes to higher-ups. About 99.99997% (look, something that actually qualifies as Six Sigma!) of 'higher-ups' are clueless when it comes to security of their laptops, files, home networks, etc. Many of them have kids who are at a minimum cocky script-kiddies, so they are constantly playing around in things they have no clue about (viruses, etc.), essentially raising the risk to the corporate asset.

When split tunneling is permitted, the asset is at risk from the local network/internet connection. With split tunneling disabled, while the asset is VPN'ed into corporate, the asset is not accessible from the local network it is on.

Real attackers (as opposed to the higher-ups' kids) know that split tunneling is still being used by companies, and will attempt to penetrate the wireless network of said higher-up, compromise the corporate asset and get to documents stored locally on that asset (since we know higher-ups have no clue about server storage and shared drives).

While it is true that the higher-up will not be using his/her local internet connection directly for browsing non-corporate sites with split tunneling disabled, it is possible (and becoming very common) for companies to let their VPN users browse the web via the VPN tunnel (something I have been doing for a very long time now).

When split tunneling is off, all traffic to and from the VPN device must go through the tunnel, no matter what the destination IP address is. At the VPN head-end, whether it be a PIX or a dedicated VPN concentrator like the Cisco VPN 3000 series, you route the internet-bound traffic out of the corporate internet connection, just like any other internally connected user. Advantage: you can now enforce your corporate browsing policies/logging/filtering against VPN'ed users too!

What stinks for the VPN'ed users (and the complaint I hear the most) is that they can't print to their local network printer. My response? Boo-hoo! Thank God for USB! :)

Of course, if the user is not VPN'ed in but leaves their PC turned on, it is obviously attackable; that's when personal firewalls and the like are useful.

Anyway, my 2 cents... ;)

tGc
18 years 10 months ago #12274 by susetechie
Replied by susetechie on topic Re: Pix and split tunnel
I would totally agree with you, TGC. This is my deal though: the interface that accepts the VPN connection is also the interface that leads to the internet router. The PIX will not allow something to come in one interface and go back out the same way, correct? Or am I totally off base with this?

"Go away or I will replace you with a very small shell script"
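The tunnel-everything approach described by TheeGreatCornholio above, as an added example from the editor rather than from any poster. It depends on the head-end being willing to send decrypted client traffic back out the interface it arrived on. PIX 6.x has no such option, which is the limitation the last question points at; PIX 7.0 introduced `same-security-traffic permit intra-interface` for exactly this, and the rest of the configuration changes from `vpngroup` to `group-policy`/`tunnel-group`. Assumed for illustration: PIX 7.x, interface `outside`, client pool 192.168.5.0/24 from `vpnpool`, and a group named `remote`; comment lines beginning with `!` are annotations.

```cisco
! PIX 7.0 or later (example only). Assumed: pool 192.168.5.0/24, interface "outside",
! group/tunnel name "remote", pool already defined as "vpnpool".

! Allow traffic to enter and leave the same interface (hairpin), which is what
! lets Internet-bound client traffic come out of the corporate connection.
same-security-traffic permit intra-interface

! Translate the client pool behind the outside address on its way back out;
! without this the ISP would see the private 192.168.5.x sources and drop them.
nat (outside) 1 192.168.5.0 255.255.255.0
global (outside) 1 interface

! Group policy: tunnel everything, no split-tunnel ACL at all. The client then has
! no clear-text path to its local LAN or the Internet while connected.
group-policy remote internal
group-policy remote attributes
 split-tunnel-policy tunnelall
 dns-server value 192.168.1.10
 default-domain value example.com

! Tunnel group binding the pool and the policy to the remote-access clients
tunnel-group remote type ipsec-ra
tunnel-group remote general-attributes
 address-pool vpnpool
 default-group-policy remote
tunnel-group remote ipsec-attributes
 pre-shared-key <group-pre-shared-key>

! For comparison, the split-tunnel variant on 7.x would instead carry:
!  split-tunnel-policy tunnelspecified
!  split-tunnel-network-list value split_tunnel
```

Because all client traffic now passes the corporate edge, the outside interface ACL and any URL filtering or logging applied to the LAN also apply to the VPN users, which is the enforcement benefit the post above describes; the cost is that every byte of their web browsing consumes the corporate Internet link twice (in through the tunnel, out again to the web).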