The higher-ups want to be able to access the Internet while on VPN. I have warned of the security risks and such, but we all know how politics go! I am pretty sure my only option is split tunnel. I have a question on the syntax. This is how I assume it needs to be entered:
access-list split_tunnel permit ip protected_network protected_subnet vpnclient_network vpnclient_subnet
My inside interface for the PIX is on the 192.168.xx.0 network. My VPN address pool is also on this network. Assuming this, would the following be correct?
access-list split_tunnel permit ip 192.168.xx.0 255.255.255.0
Re: Pix and split tunnel
12 years 8 months ago #12071
I've never been a fan of split tunneling - especially when it comes to higher-ups. About 99.99997% (look - something that actually qualifies as Six Sigma!) of higher-ups are clueless when it comes to the security of their laptops, files, home networks, etc. Many of them have kids who are, at a minimum, cocky script-kiddies... so they are constantly playing around in things they have no clue about (viruses, etc.), essentially raising the risk to the corporate asset.
When split tunneling is permitted, the asset is at risk from the local network/internet connection. With split tunnel disabled, while the asset is VPN'ed into corporate, the asset is not accessible from the local network it is on.
Real attackers (as opposed to the higher-up's kids), know that split tunneling is still being used by companies, and will attempt to penetrate the wireless network of said higher-up and compromise the corporate asset and get to documents stored locally on that asset (since we know higher-ups have no clue about server storage and shared drives).
While it is true that the higher-up will not be using his/her local internet connection directly for browsing non-corporate sites with split tunneling disabled, it is possible (and becoming very common) for companies to let their VPN users browse the web via the VPN tunnel (something I have been doing for a very long time now).
When split tunneling is off, all traffic to and from the VPN device must go through the tunnel - no matter what the destination IP address. At the VPN head-end, whether it be a PIX or a dedicated VPN concentrator like the Cisco VPN 3000 series, you route the Internet-bound traffic out of the corporate Internet connection, just like any other internally connected user. Advantage: you can now enforce your corporate browsing policies/logging/filtering against VPN'ed users too!
What stinks for the VPN'ed users (and the complaint I hear the most) is that they can't print to their local network printer. My response? Boo-hoo! Thank God for USB!
Of course, if the user is not VPN'ed in, but they leave their PC turned on, it is obviously attackable - that's when personal firewalls and the like are useful.
Anyway - my 2 cents...
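Both the access-list syntax from the first post and the all-traffic-through-the-tunnel behaviour described above, modelled as an added Python example that is not code from the thread. It parses access-list lines in the PIX form, decides for each destination whether a client with split tunneling on or off sends the packet into the tunnel or out its own Internet link, and shows which head-end interface non-split traffic would have to leave by. The ACL entries, the vpngroup name remote_users, the client pool 192.168.1.128/25 and every address used below are constructed assumptions, and the ACL is read with the convention the first post states (source = protected network, destination = client pool).

```python
"""Split-tunnel decision model for a Cisco PIX-style IPsec client.

Added example (not from the thread): it parses `access-list` lines in the
PIX syntax the first post uses and shows, for each destination, whether a
client sends the packet through the tunnel or out its local Internet link.
The sample config, pool and addresses below are constructed for illustration.
"""
import ipaddress

# Constructed sample, following the convention from the first post: the ACL's
# source is the protected corporate network and its destination is the VPN
# client pool (the PIX writes the ACL from its own side of the tunnel).
SAMPLE_CONFIG = """
access-list split_tunnel permit ip 192.168.1.0 255.255.255.0 192.168.1.128 255.255.255.128
access-list split_tunnel permit ip 10.20.0.0 255.255.0.0 192.168.1.128 255.255.255.128
access-list other_acl permit ip any any
vpngroup remote_users split-tunnel split_tunnel
"""


def _parse_addr(tokens, i):
    """Parse one PIX address spec at tokens[i]: 'any', 'host A.B.C.D' or 'NET MASK'.

    Returns (network, index_of_next_token).
    """
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX uses a dotted netmask, which ipaddress accepts after the slash.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_split_tunnel_acl(config_text, acl_name):
    """Return [(protected_net, client_pool_net), ...] for the 'permit ip' entries of acl_name."""
    entries = []
    for raw in config_text.splitlines():
        tokens = raw.split()
        if len(tokens) < 6 or tokens[:2] != ["access-list", acl_name]:
            continue
        if tokens[2:4] != ["permit", "ip"]:
            continue  # deny lines and non-IP protocols are not split-tunnel routes
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        entries.append((src, dst))
    return entries


def client_route(client_ip, dst_ip, entries, split_tunnel=True):
    """Where the client sends a packet: 'tunnel' or 'local' (its own Internet link)."""
    if not split_tunnel:
        return "tunnel"  # split tunnel off: everything goes through the VPN
    client = ipaddress.ip_address(client_ip)
    dst = ipaddress.ip_address(dst_ip)
    for protected, pool in entries:
        if dst in protected and client in pool:
            return "tunnel"
    return "local"


def head_end_egress(dst_ip, entries):
    """With split tunnel off, the head-end must forward the decrypted packet
    somewhere: 'inside' for a protected network, otherwise the only way out is
    the 'outside' interface the tunnel arrived on (the in-one-interface,
    out-the-same-interface case the last post asks about)."""
    dst = ipaddress.ip_address(dst_ip)
    if any(dst in protected for protected, _ in entries):
        return "inside"
    return "outside"


if __name__ == "__main__":
    entries = parse_split_tunnel_acl(SAMPLE_CONFIG, "split_tunnel")
    client = "192.168.1.200"  # an address from the constructed pool
    for dst in ("192.168.1.10", "10.20.5.5", "198.51.100.7"):
        print(dst,
              "split on:", client_route(client, dst, entries, True),
              "split off:", client_route(client, dst, entries, False),
              "head-end egress:", head_end_egress(dst, entries))
```

Running it shows the difference the post describes: with split tunneling on, 198.51.100.7 (a stand-in for any Internet host) leaves the client's local link and the corporate proxy or filter never sees it; with split tunneling off it enters the tunnel and the head-end has to send it back out the outside interface.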
Re: Pix and split tunnel
12 years 7 months ago #12274
I would totally agree with you TGC. This is my deal though. The interface that accepts the VPN connection is also the interface that leads to the Internet router. The PIX will not allow something to come in one interface and back out the same way, correct? Or am I totally off base with this?