Educause Security Discussion mailing list archives
Re: vpn split tunnel or no split tunnel
From: Nathaniel Hall <educause-lists () NATHANIELHALL COM>
Date: Tue, 8 Feb 2011 10:40:11 -0600
When we configured our VPN system we were using Cisco ASA VPN endpoints where we could use port security or 802.1x authentication. While not perfect, it did prevent users from connecting their own network printer, gaming consoles, computers, etc. and essentially allowed a manual split tunnel. Devices plugged into the ASA traversed the VPN for traffic and devices not plugged into the ASA went straight to the Internetz.

-- Nathaniel Hall

On 2/7/2011 2:24 PM, Chris Green wrote:
I'm against it in most scenarios. I think it just causes pain and makes people want to work off-campus less. A better write up than I could do: http://blogs.technet.com/b/tomshinder/archive/2010/03/30/more-on-directaccess-split-tunneling-and-force-tunneling.aspx

1) Are you going to be significantly better at detecting malware if the client is routing through you?
2) Is this same user going to have your data if they don't use the VPN?

The more complicated the home network environment, the more likely killing split tunneling will just annoy your users. USB printer == no problem; Network printer == whoa buddy! You are violating security policy! Save to your hd (not a file share!), disconnect, and then print!

I thought about split tunneling the other night in a separate scenario. Equipment Involved: Windows 7 Ultimate Edition, Lockdown Browser, and an Xbox 360. Xbox 360 in Media Center mode streaming content. Dad and kids upstairs, Mom downstairs taking test. Lockdown browser complained about there being an active terminal services session. Turns out, media center extender leverages RDP for a portion of communication and was enough to display Lockdown Browser error message to user when there is an active session streaming content. Mom (Student) wasn't happy (Couldn't do test); Dad (me) wasn't happy (Trying to fix Mom's problem), Kids (3 & 4) weren't happy.

Assuming this self-regulated remote access is an acceptable risk, don't contribute to screwing up people's home network.

I do have a network where we pushed a "disable split tunnel" network just so we could apply the same strict rules on campus versus off for a particular device category that mimics the split tunneling blog post from above.
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark Monroe
Sent: Monday, February 07, 2011 1:58 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] vpn split tunnel or no split tunnel

We are architecting a new vpn service on campus and some people want split tunneling and some do not. I am not 100% sure either way. Anyone have any examples or data that might push me either way?

Mark Monroe
Information Security Officer
University of Missouri - St. Louis
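The thread argues about split versus full tunneling in policy terms; the difference on the client is just which egress interface the routing table picks for a given destination. The following is an added example, not code from any poster or from Cisco: two constructed client routing tables (split tunnel and forced tunnel with a home-LAN bypass) and a longest-prefix-match lookup, so you can see exactly which destinations (campus server, home network printer, public Internet site) leave the host outside the VPN under each policy. The interface names, prefixes and sample addresses are assumptions chosen for illustration.

```python
import ipaddress

# Constructed sample routing tables (assumptions, not taken from the thread).
# Each entry is (destination prefix, egress interface): "tun0" is the VPN
# adapter, "eth0" the home LAN adapter. Longest prefix wins, as on a real host.
SPLIT_TUNNEL_ROUTES = [
    ("0.0.0.0/0", "eth0"),          # default route stays on the home ISP
    ("10.0.0.0/8", "tun0"),         # only campus prefixes enter the tunnel
    ("192.168.1.0/24", "eth0"),     # home LAN
]

FULL_TUNNEL_ROUTES = [
    ("0.0.0.0/0", "tun0"),          # everything is forced into the VPN
    ("192.168.1.0/24", "eth0"),     # home LAN still reachable (LAN bypass)
    ("203.0.113.10/32", "eth0"),    # the VPN concentrator itself, via the ISP
]

# Constructed destinations to classify (assumed addresses).
DESTINATIONS = [
    "10.20.30.40",      # campus file server
    "192.168.1.50",     # home network printer
    "198.51.100.7",     # a public Internet site
]


def lookup(routes, dst, default_iface=None):
    """Return the egress interface for dst using longest-prefix match."""
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, default_iface
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    if best_iface is None:
        raise ValueError(f"no route to {dst}")
    return best_iface


def tunnel_mode(routes, vpn_iface="tun0"):
    """'full' when the default route points into the VPN, otherwise 'split'."""
    defaults = [iface for prefix, iface in routes
                if ipaddress.ip_network(prefix).prefixlen == 0]
    return "full" if defaults and defaults[0] == vpn_iface else "split"


def bypasses(routes, destinations, vpn_iface="tun0"):
    """Map each destination that would NOT traverse the VPN to its interface."""
    return {d: lookup(routes, d) for d in destinations
            if lookup(routes, d) != vpn_iface}


if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL_ROUTES), ("full", FULL_TUNNEL_ROUTES)):
        print(f"{name} tunnel table -> mode={tunnel_mode(table)}")
        for dst in DESTINATIONS:
            print(f"  {dst:<15} via {lookup(table, dst)}")
        print(f"  outside the VPN: {bypasses(table, DESTINATIONS)}")
```

Under the split table the printer and the public site both bypass the tunnel, which is the convenience Chris Green describes; under the forced table only the home LAN prefix bypasses it, so the printer works but every Internet flow is subject to campus inspection. Which of those two outcomes you want is the policy question the thread is actually about.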