Re: vpn split tunnel or no split tunnel

[Nathaniel Hall <educause-lists () NATHANIELHALL COM>]

When we configured our VPN system we were using Cisco ASA VPN endpoints
where we could use port security or 802.1x authentication.  While not
perfect, it did prevent users from connecting their own network printer,
gaming consoles, computers, etc. and essentially allowed a manual split
tunnel.  Devices plugged into the ASA traversed the VPN for traffic and
devices not plugged into the ASA went straight to the Internetz.

--
Nathaniel Hall

On 2/7/2011 2:24 PM, Chris Green wrote:
> I'm against it in most scenarios.  I think it just causes pain and
> makes people want to work off-campus less.
>
>  
>
> A better write up than I could do:
>
>  
>
> http://blogs.technet.com/b/tomshinder/archive/2010/03/30/more-on-directaccess-split-tunneling-and-force-tunneling.aspx
>
>  
>
> 1)      Are you going to be significantly better at detecting malware
> if the client is routing through you?
>
> 2)      Is this same user going to have your data if they don't use
> the VPN?
>
>  
>
> The more complicated the home network environment, the more likely
> killing split tunneling will just annoy your users. 
>
>  
>
> USB printer == no problem;
>
> Network printer == whoa buddy! You are violating security policy! 
> Save to your hd (not a file share!), disconnect, and then print!
>
>  
>
> I thought about split tunneling the other night in a separate
> scenario.  Equipment Involved: Windows 7 Ultimate Edition, Lockdown
> Browser, and an Xbox 360.  Xbox 360 in Media Center mode streaming
> content.   Dad and kids upstairs, Mom downstairs taking test. 
> Lockdown browser complained about there being an active terminal
> services session.  Turns out, media center extender leverages RDP for
> a portion of communication and was enough to display Lockdown Browser
> error message to user when there is an active session streaming
> content.   Mom (Student) wasn't happy (Couldn't do test);   Dad (me)
> wasn't happy (Trying to fix Mom's problem), Kids (3 & 4) weren't happy.
>
>  
>
> Assuming this self-regulated remote access is an acceptable risk,
> don't contribute to screwing up people's home network.
>
>  
>
> I do have a network were we pushed a "disable split tunnel" network
> just so we could apply the same strict rules on campus versus off for
> a particular device category that mimics the split tunneling blog post
> from above.
>
>  
>
> *From:*The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Mark Monroe
> *Sent:* Monday, February 07, 2011 1:58 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* [SECURITY] vpn split tunnel or no split tunnel
>
>  
>
> We are architecting a new vpn service on campus and some people want
> split tunneling and some do not. I am not 100% sure either way. Anyone
> have any examples or data that might push me either way?
>
> Mark Monroe   
> Information Security Officer
> University of Missouri - St. Louis