[vpn] will split tunneling do the trick? - a better solution

Leslie McIntosh lesliemcintosh at yahoo.com
Wed May 8 01:48:20 EDT 2002


Upgrade the IOS of the router to IPSec and FW.  Cisco
has a writeup on this on their website.  The Cisco
1710 router has this all built in on one router with
VPN hardware encrypt/decrypt.

Les

--- TKoopman at SonicWALL.com wrote:
> This is where the integrated firewall/vpn devices
> come into play.  
> 
> With an appliance you can get an integrated and
> remotely manageable CPE solution.  Generally these
> solutions can give you additional features like
> tunnel heartbeats to auto-negotiate your vpn
> network.  Since they are also firewalls, you do not
> need to worry about allowing split-tunneling.  
> 
> Add to this removing any software components that
> are inherently out of your control on these remote
> desktops and you have a cleaner solution with a
> lower TCO.
> 
> Todd Koopman
> SonicWALL
> 
> -----Original Message-----
> From: Jose Muniz [mailto:jmuniz at loudcloud.com]
> Sent: Tuesday, May 07, 2002 1:17 PM
> To: Kevin_Butters at NAI.com
> Cc: yao.tsikata at wcom.com; afalkovich at lnc.com;
> VPN at securityfocus.com
> Subject: Re: [vpn] will split tunneling do the trick?
> 
> 
> I disagree with you 100%.
> I thought that Split Horizon has nothing to do with IPSec and a lot to
> do with some old routing protocol? Is that right? RIP maybe?
> 
> And I think that placing a VPN in parallel to any firewall is just not
> the way to go:
> 1.]  Security, if you have a complex multitunnel network then your IKE
>      policies will be quite unmanageable. Even if they were manageable,
>      which they are for a huge complexity increase, it is not a very
>      good idea.
> 2.]  Now you have a routing problem so you will have to also implement
>      Nat Pools or PAT of incoming traffic via VPN, masquerading as the
>      inside interface....
> 
> Just a different perspective that is all..
> 
> Jose.
> 
> Kevin_Butters at NAI.com wrote:
> 
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Big caveat here. Think this one through. What you want to eliminate
> > is the inability of your users to maintain a Split Horizon. This is
> > very dangerous. With a Split Horizon, external clients could be
> > compromised, thus allowing an attacker transparent access to your
> > company LAN.
> >
> > What I might recommend is to run your VPN gateway in parallel with
> > your f/w if possible. Require that all packets be forwarded
> > internally and thereafter require Internet traffic to go through your
> > f/w.
> >
> > Kevin Butters
> > Security Engineer
> > PGP Fingerprint
> > 7AB4 5B76 5FEB 42FD 13A5  0BA6 6DDF 11A5 6570 CE07
> >
> > - -----Original Message-----
> > From: Yao Tsikata [mailto:yao.tsikata at wcom.com]
> > Sent: Tuesday, May 07, 2002 11:32 AM
> > To: 'Alex Falkovich'; VPN at securityfocus.com
> > Subject: RE: [vpn] will split tunneling do the trick?
> >
> > Alex,
> > Without having enough information about the way your network is
> > set-up, I believe this issue would be a simple matter of placing ACLs
> > on the router to filter HTTP traffic. Your vendor should be able to
> > do this. Again my answer is based on the limited information you have
> > provided.
> > thanks
> > Yao
> >
> > - -----Original Message-----
> > From: Alex Falkovich [mailto:afalkovich at lnc.com]
> > Sent: Tuesday, May 07, 2002 12:53 PM
> > To: VPN at SECURITYFOCUS.COM
> > Subject: [vpn] will split tunneling do the trick?
> >
> > We have a VPN in place managed by the vendor. It's pretty much all
> > CISCO gear with the 2600 router in the Home Office. When our remote
> > users launch up the IPSec client and authenticate to the services
> > (create the tunnel), it pretty much locks them out of using the Inet.
> > We need to have the users interoperate between creating the tunnel
> > and surfing the Inet from the same desktop. Our vendor claims it's
> > not possible with the current setup.
> >
> > Does anybody have any suggestions on how this could be accomplished?
> >
> > Thanks.
> >
> > Alex Falkovich
> > Technology Services
> > Lincoln Financial Group
> > afalkovich at lnc.com
> >
> > VPN is sponsored by SecurityFocus.com
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP 7.1.1
> >
> > iQEVAwUBPNggW23fEaVlcM4HAQI7UQf+PTb9uM2n+BRUW6GkM3142DMi94vBv6lS
> > OD8pPdYH5Gfc0NahpkL+v4e663FCWK0zpMKYMqxeJ5Ck+1ua0APMDL6yGDOB94+W
> > nxWgcXeh+pC4BuDKCUoOTVHtOLjDCy1rPj7jn4hZC3c4H6HIrzucRq4vlgn5OSxL
> > fHdIk9Fa2EiO3pMIrkTfdaeLt/gR8f0aNots2oqxeVUTTStskrCrhEyfKo9cN5FW
> > evgV7fK6hOKLPjXZwf6hEHVKF9zsWGOcO6TDabacKxFhcBfWE22bTmWWD6BRvL46
> > c7r7He66mG9dVB1ZzAwXpmxTmOyxzcYl8gdonAJkUkirFVr9+0mdOQ==
> > =hDRd
> > -----END PGP SIGNATURE-----


=====
Leslie McIntosh
Network Engineer
CCNA, CNE, CNS, A+, Network+ Certified
lesliemcintosh at yahoo.com
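The thread above turns on one condition: whether a remote client's routing table sends non-corporate traffic straight out its own NIC (split tunneling, the "Split Horizon" Kevin warns about) or forces everything through the tunnel so the office firewall sees it. The following Python is an added example, not code from any poster or from Cisco or SonicWALL: it parses a constructed routing table, does the longest-prefix match a host would do, and reports whether the table is split-tunnelled. Interface names (`ipsec0`, `eth0`), the table format, and all addresses are assumptions made up for the example.

```python
# Added example (not from the thread): decide from a VPN client's routing table
# whether split tunneling is in effect, and where sample destinations would exit.
# The table format, interface names and addresses are constructed for illustration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str  # "ipsec0" stands in for the VPN adapter, "eth0" for the physical NIC


def parse_routes(table):
    """Parse a constructed 'destination/mask interface' table into Route objects."""
    routes = []
    for line in table.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments and blank lines
        if not line:
            continue
        dest, iface = line.split()
        routes.append(Route(ipaddress.ip_network(dest, strict=False), iface))
    return routes


def select_route(routes, dst):
    """Longest-prefix match: the route a host actually uses for a destination."""
    addr = ipaddress.ip_address(dst)
    best = None
    for route in routes:
        if addr in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def is_split_tunnel(routes, vpn_iface):
    """Split tunneling: the default route does not point at the VPN adapter, so every
    destination without a more specific tunnel route leaves the host unprotected."""
    default = next((r for r in routes if r.prefix.prefixlen == 0), None)
    return default is None or default.interface != vpn_iface


def classify_destinations(routes, destinations, vpn_iface):
    """Map each destination to 'tunnel', 'direct' or 'unroutable' for a quick audit."""
    result = {}
    for dst in destinations:
        route = select_route(routes, dst)
        if route is None:
            result[dst] = "unroutable"
        elif route.interface == vpn_iface:
            result[dst] = "tunnel"
        else:
            result[dst] = "direct"
    return result


# Constructed sample tables. The first is what a split-tunnel client looks like,
# the second is the "everything through the tunnel, then out the office f/w" layout.
SPLIT_TUNNEL_TABLE = """
# destination      interface
0.0.0.0/0          eth0     # default route stays on the physical NIC
10.0.0.0/8         ipsec0   # only corporate address space is tunnelled
192.168.1.0/24     eth0     # home LAN
"""

FULL_TUNNEL_TABLE = """
0.0.0.0/0          ipsec0   # all traffic enters the tunnel and exits via the office firewall
203.0.113.10/32    eth0     # the VPN gateway itself must stay reachable directly
"""


if __name__ == "__main__":
    probes = ["10.1.2.3", "198.51.100.7"]  # one corporate host, one Internet host (constructed)
    for name, table in (("split", SPLIT_TUNNEL_TABLE), ("full", FULL_TUNNEL_TABLE)):
        routes = parse_routes(table)
        print(name, "split tunnel:", is_split_tunnel(routes, "ipsec0"),
              classify_destinations(routes, probes, "ipsec0"))
```

The check is deliberately table-driven rather than tied to a vendor client: feed it the output of whatever route command the platform offers, mapped into the same two columns, and it tells you which destinations bypass the firewall.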
