[vpn] will split tunneling do the trick? - a better solution

TKoopman at SonicWALL.com
Tue May 7 16:38:37 EDT 2002


This is where the integrated firewall/vpn devices come into play.  

With an appliance you can get an integrated and remotely manageable CPE solution.  Generally these solutions can give you additional features like tunnel heartbeats to auto-negotiate your VPN network.  Since they are also firewalls, you do not need to worry about allowing split-tunneling.  

Add to this removing any software components that are inherently out of your control on these remote desktops and you have a cleaner solution with a lower TCO.

Todd Koopman
SonicWALL

-----Original Message-----
From: Jose Muniz [mailto:jmuniz at loudcloud.com]
Sent: Tuesday, May 07, 2002 1:17 PM
To: Kevin_Butters at NAI.com
Cc: yao.tsikata at wcom.com; afalkovich at lnc.com; VPN at securityfocus.com
Subject: Re: [vpn] will split tunneling do the trick?


I disagree with you 100%.
I thought that Split Horizon has nothing to do with IPSec and a lot to do
with some old routing protocol?  Is that right?  RIP maybe?

And I think that placing a VPN in parallel to any firewall is just not
the way to go:
1.]  Security: if you have a complex multitunnel network then your IKE
     policies will be quite unmanageable. Even if they were manageable, which
     they are for a huge complexity increase, it is not a very good idea.
2.]  Now you have a routing problem, so you will have to also implement
     NAT pools or PAT of incoming traffic via VPN, masquerading as the inside
     interface....

Just a different perspective that is all..

Jose.

Kevin_Butters at NAI.com wrote:

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Big caveat here. Think this one through. What you want to eliminate
> is the inability of your users to maintain a Split Horizon. This is
> very dangerous. With a Split Horizon, external clients could be
> compromised, thus allowing an attacker transparent access to your
> company LAN.
>
> What I might recommend is to run your VPN gateway in parallel with
> your f/w if possible. Require that all packets be forwarded
> internally and thereafter require Internet traffic to go through your
> f/w.
>
> Kevin Butters
> Security Engineer
> PGP Fingerprint
> 7AB4 5B76 5FEB 42FD 13A5  0BA6 6DDF 11A5 6570 CE07
>
> - -----Original Message-----
> From: Yao Tsikata [mailto:yao.tsikata at wcom.com]
> Sent: Tuesday, May 07, 2002 11:32 AM
> To: 'Alex Falkovich'; VPN at securityfocus.com
> Subject: RE: [vpn] will split tunneling do the trick?
>
> Alex,
> Without having enough information about the way your network is
> set up, I believe this issue would be a simple matter of placing ACLs
> on the router to filter HTTP traffic. Your vendor should be able to do
> this. Again my answer is based on the limited information you have
> provided.
> thanks
> Yao
>
> - -----Original Message-----
> From: Alex Falkovich [mailto:afalkovich at lnc.com]
> Sent: Tuesday, May 07, 2002 12:53 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: [vpn] will split tunneling do the trick?
>
> We have a VPN in place managed by the vendor. It's pretty much all
> Cisco gear with the 2600 router in the Home Office. When our remote
> users launch the IPSec client and authenticate to the services (create
> the tunnel), it pretty much locks them out of using the Inet.  We need
> to have the users interoperate between creating the tunnel and surfing
> the Inet from the same desktop. Our vendor claims it's not possible
> with the current setup.
>
> Does anybody have any suggestions on how this could be accomplished?
>
> Thanks.
>
> Alex Falkovich
> Technology Services
> Lincoln Financial Group
> afalkovich at lnc.com
>
> VPN is sponsored by SecurityFocus.com
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 7.1.1
>
> iQEVAwUBPNggW23fEaVlcM4HAQI7UQf+PTb9uM2n+BRUW6GkM3142DMi94vBv6lS
> OD8pPdYH5Gfc0NahpkL+v4e663FCWK0zpMKYMqxeJ5Ck+1ua0APMDL6yGDOB94+W
> nxWgcXeh+pC4BuDKCUoOTVHtOLjDCy1rPj7jn4hZC3c4H6HIrzucRq4vlgn5OSxL
> fHdIk9Fa2EiO3pMIrkTfdaeLt/gR8f0aNots2oqxeVUTTStskrCrhEyfKo9cN5FW
> evgV7fK6hOKLPjXZwf6hEHVKF9zsWGOcO6TDabacKxFhcBfWE22bTmWWD6BRvL46
> c7r7He66mG9dVB1ZzAwXpmxTmOyxzcYl8gdonAJkUkirFVr9+0mdOQ==
> =hDRd
> -----END PGP SIGNATURE-----


VPN is sponsored by SecurityFocus.com
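Added example, not part of any message in this thread: the point Kevin and Jose are arguing over comes down to which destinations the remote client routes into the tunnel. The script below applies longest-prefix matching to a client's routing table and reports whether the host is full-tunnel (Internet traffic also rides the tunnel, as Alex's users experience it), split-tunnel (only the corporate prefixes do), or not tunneled at all. Everything in it is constructed: the routing tables, the interface names ipsec0 and eth0, the corporate prefixes, the stand-in gateway 198.51.100.1 and the TEST-NET probe address 203.0.113.10.

```python
"""Audit a remote client's routing table for split tunneling.

Added example for this thread, not code from any poster or vendor. The
routing tables, interface names (ipsec0 = the IPSec tunnel, eth0 = the
local NIC) and the VPN gateway address are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed: the corporate address space that should only be reached
# through the tunnel.
CORPORATE_PREFIXES = ["10.0.0.0/8", "192.168.100.0/24"]

# Constructed client routing tables as (prefix, outgoing interface) pairs.
# 198.51.100.1 stands in for the VPN gateway, reached directly over eth0.
FULL_TUNNEL = [
    ("0.0.0.0/0", "ipsec0"),        # default route inside the tunnel
    ("10.0.0.0/8", "ipsec0"),
    ("192.168.100.0/24", "ipsec0"),
    ("198.51.100.1/32", "eth0"),    # host route to the gateway itself
    ("192.168.1.0/24", "eth0"),     # the user's home LAN
]
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "eth0"),          # default route bypasses the tunnel
    ("10.0.0.0/8", "ipsec0"),
    ("192.168.100.0/24", "ipsec0"),
    ("192.168.1.0/24", "eth0"),
]


def next_hop_interface(routes, destination):
    """Longest-prefix match: the interface a packet to `destination` leaves on."""
    dst = ip_address(destination)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def classify_tunnel(routes, vpn_iface, internet_probe="203.0.113.10"):
    """'full' if Internet-bound traffic also enters the tunnel, 'split' if only
    the corporate prefixes do, 'none' if the corporate prefixes are not tunneled.
    203.0.113.10 (TEST-NET-3) is an arbitrary non-corporate probe address."""
    corp_via_vpn = all(
        next_hop_interface(routes, str(ip_network(p).network_address + 1)) == vpn_iface
        for p in CORPORATE_PREFIXES
    )
    if not corp_via_vpn:
        return "none"
    return "full" if next_hop_interface(routes, internet_probe) == vpn_iface else "split"


def audit(routes, vpn_iface):
    """Summarise the exposure: a split-tunnel host has one interface facing the
    Internet and another facing the LAN at the same time, which is the
    condition Kevin's message warns about."""
    mode = classify_tunnel(routes, vpn_iface)
    return {
        "mode": mode,
        "internet_iface": next_hop_interface(routes, "203.0.113.10"),
        "bridges_internet_and_lan": mode == "split",
    }


if __name__ == "__main__":
    for name, table in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        print(name, audit(table, "ipsec0"))
```

Feeding the script a real client's table (for example the output of `route print` or `ip route` parsed into prefix/interface pairs) turns Kevin's caveat into a check: a "split" result means the desktop forwards both ways at once, which is exactly the exposure that Todd's integrated appliance and Jose's "keep the VPN behind the firewall" position are trying to avoid.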