split tunnel
When is it appropreiate to use a split tunnel in a IPSEC vpn design?
I would think when the dest traffic is ssl\tls.
I would think when the dest traffic is ssl\tls.
just trying to keep it all in perspective!
Comments
-
sprkymrk Member Posts: 4,884 ■■■□□□□□□□My answer would be "never". A split tunnel could give someone a back door into a private network the same way a multihomed computer with a NIC on the corporate LAN and a modem dialed up to AOL at the same time could.
I could be missing something though.All things are possible, only believe. -
JDMurray Admin Posts: 13,089 AdminSplit-tunneling allow both encrypted and unencrypted traffic to pass through the same VPN tunnel. With split-tunneling a VPN client can connect to both a secure LAN and the insecure public Internet at the same time and using the same network connection. If the host initializing the VPN connection is not running a firewall, threats from the insecure network can get to the secure network through the host. This is about the same security problem with computers in a DMZ also having connections to hosts on a private LAN.
-
Ahriakin Member Posts: 1,799 ■■■■■■■■□□While usually associated with Internet access you can also use Split Tunneling to allow local/corporate LAN access at the same time as the VPN tunnel, many vendors have separate terms/configuration options for this type of traffic but in essence it is still Split tunneling. As suggested above avoid it when possible, but if you have to use network lists to restrict the Split traffic to trusted networks only (that in turn do not have backdoors) and fight to the death before allowing it to the internet (we will remember you well ).We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
-
larkspur Member Posts: 235use network lists to restrict the Split traffic to trusted networks only (that in turn do not have backdoors) and fight to the death before allowing it to the internet (we will remember you well
exactly what i was intending to do. Not sure why soemone would sling the door wide adn not use a fw in addtion to.... but I guess we would be surprised by our findings.....
I plan to only allow access to trusted ssl sites be split off and all other packets traverse the tunnel.
Part of my reasoning is this will make HA easier in an environment that is webcentric.
very nice discussion...just trying to keep it all in perspective!