split tunnel

larkspur

When is it appropreiate to use a split tunnel in a IPSEC vpn design?

I would think when the dest traffic is ssl\tls.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

sprkymrk

My answer would be "never". A split tunnel could give someone a back door into a private network the same way a multihomed computer with a NIC on the corporate LAN and a modem dialed up to AOL at the same time could.

I could be missing something though.

JDMurray

Split-tunneling allow both encrypted and unencrypted traffic to pass through the same VPN tunnel. With split-tunneling a VPN client can connect to both a secure LAN and the insecure public Internet at the same time and using the same network connection. If the host initializing the VPN connection is not running a firewall, threats from the insecure network can get to the secure network through the host. This is about the same security problem with computers in a DMZ also having connections to hosts on a private LAN.

Ahriakin

While usually associated with Internet access you can also use Split Tunneling to allow local/corporate LAN access at the same time as the VPN tunnel, many vendors have separate terms/configuration options for this type of traffic but in essence it is still Split tunneling. As suggested above avoid it when possible, but if you have to use network lists to restrict the Split traffic to trusted networks only (that in turn do not have backdoors) and fight to the death before allowing it to the internet (we will remember you well

larkspur

use network lists to restrict the Split traffic to trusted networks only (that in turn do not have backdoors) and fight to the death before allowing it to the internet (we will remember you well

exactly what i was intending to do. Not sure why soemone would sling the door wide adn not use a fw in addtion to.... but I guess we would be surprised by our findings.....

I plan to only allow access to trusted ssl sites be split off and all other packets traverse the tunnel.

Part of my reasoning is this will make HA easier in an environment that is webcentric.

very nice discussion...