Educause Security Discussion mailing list archives
Re: Do you allow your vpn clients to do split tunneling?
From: Greg Washburn <gwashburn () MBC EDU>
Date: Mon, 10 May 2010 14:37:19 -0400
We do not allow true split tunneling but we have started allowing local lan splitting. This enables the user to continue to print to ip printers and connect to ip storage devices located on their local lan while still sending a majority of their traffic across the VPN.

I will say, however, I'm sincerely considering a full split tunnel solution. Of course, the requirements for personal firewall, proper OS and software patching, and malware defense need to be implemented first and foremost to minimize the security concerns of an outside intruder using the vpn client machine as a hop into our internal network. I, however, feel like the requirement for those security posture improvements needs to be there anyway to avoid attacks from the client itself and not just an intruder from another network.

The benefits of split tunneling are nothing to shun for sure. Reduced load on the VPN server, a reduction in Internet bandwidth at the VPN server site, and a likely much faster web experience for the end user come to mind.

As to the security concerns, I will not say they shouldn't be considered but even without split tunneling those concerns need to be addressed. The same method an intruder would use in a split tunnel situation can be used when the client is not connected to the VPN and can queue up some serious maliciousness.

Greg Washburn CISSP, CCNA, MCSE
Sr. Network/System Admin
540.887.7352
540.280.6087
Mary Baldwin College
www.mbc.edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Miller,James R
Sent: Monday, May 10, 2010 1:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Do you allow your vpn clients to do split tunneling?

John,

For security reasons, particularly allowing someone to access two different networks simultaneously, we prohibit split tunneling. Split tunneling would allow a client to directly connect our inside network to the internet or another network, bypassing quite a bit of our security.

Jim Miller CISSP,CCSP
Lead Network Engineer
The University of Akron
(330) 972-7958
millerj () uakron edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John L. Isenhour
Sent: Monday, May 10, 2010 9:22 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Do you allow your vpn clients to do split tunneling?

Hi All,

We set up a Citrix vpn service and I became aware that we're allowing split tunneling. This is verboten most places I've been, but some of the network staff have voiced that it might be a preferred way to go. We don't do traffic surveillance (aside from blocking p2p and external scans) so I would like to gain an understanding of what's the worst case, both allowing split tunneling and not. Seems to me we're safer as an institution with it off. VPN is for faculty and staff, btw.

tnx, -john

--
John Isenhour, Ph.D.
Chief Technology Officer
Information Systems Architect
Kennesaw State University
Kennesaw GA 30144
770-423-6620
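
The three postures named in this thread (no split tunneling, local LAN splitting, full split tunneling) can be told apart from a client's routing table. The following is an added example, not part of any poster's message; the interface names `tun0` and `eth0`, the sample routes, the probe addresses and the helpers `egress` and `classify` are constructed assumptions.

```python
import ipaddress

VPN_IF = "tun0"  # assumed name of the VPN adapter
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Public addresses used only for route lookups; nothing is sent to them.
PROBES = ("1.1.1.1", "198.51.100.7")

# Constructed client routing tables: (destination prefix, outgoing interface).
FULL_TUNNEL = [("0.0.0.0/0", "tun0")]
LOCAL_LAN = [("0.0.0.0/0", "eth0"), ("0.0.0.0/1", "tun0"),
             ("128.0.0.0/1", "tun0"), ("192.168.1.0/24", "eth0")]
SPLIT = [("0.0.0.0/0", "eth0"), ("192.168.1.0/24", "eth0"),
         ("10.20.0.0/16", "tun0")]

def egress(routes, dst):
    """Longest-prefix match: interface that carries traffic to dst."""
    addr = ipaddress.ip_address(dst)
    best_len, best_if = -1, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_if = net.prefixlen, iface
    return best_if

def classify(routes, vpn_if=VPN_IF):
    """Return 'full tunnel', 'local LAN exception' or 'split tunnel'."""
    # Internet-bound traffic leaving outside the VPN means a true split tunnel.
    if any(egress(routes, p) != vpn_if for p in PROBES):
        return "split tunnel"
    # Remaining non-VPN routes (default route aside, already probed above).
    bypass = [ipaddress.ip_network(p) for p, i in routes
              if i != vpn_if and ipaddress.ip_network(p).prefixlen > 0]
    if not bypass:
        return "full tunnel"
    # Only private on-link ranges bypass the VPN: printers, NAS and the like.
    if all(any(n.subnet_of(r) for r in RFC1918) for n in bypass):
        return "local LAN exception"
    return "split tunnel"

if __name__ == "__main__":
    for name, table in (("FULL_TUNNEL", FULL_TUNNEL),
                        ("LOCAL_LAN", LOCAL_LAN), ("SPLIT", SPLIT)):
        print(name, "->", classify(table))
```

A posture check run at connect time could use the same classification to confirm that a client's routes match the policy the VPN concentrator is supposed to push.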