I certainly appreciate the security risks. However, there are some circumstances where the risks are reduced (notice I'm not saying eliminated) by circumstance. For example, many clients are behind hardware firewalls that allow only designated inbound traffic (forget about tunneling at the firewall for the moment). Additionally, the clients are kept strictly updated with antivirus/trojan detection software. Also, the VPN client itself could be combined with a local personal firewall function, much like the Cisco VPN 3.5 client tries to do with its stateful inspection feature. I don't see much security difference between a properly configured client allowing this connection and a router-router peer VPN setup that tunnels based on destination address. Of course the routers have access lists controlling tunnel access, but clients could have effectively the same control with proper software installed. I'm not necessarily debating whether this *should* be done. It's really up to the individual admin to determine. In some cases the security risk is too great; in other situations it's perfectly acceptable. I just want to see the functionality available.
At 08:35 PM 4/25/2002 -0400, you wrote:
>On Sep 15, 1:00pm, "Craig Columbus" wrote:
>}
>} I've got a major complaint with the Cisco VPN client. It's not smart
>} enough to differentiate local traffic/Internet traffic from VPN
>} traffic. Therefore, you can't browse the Internet and your VPN network at
>} the same time.
>
> It is. However, the server gets to decide if it will. Doing so,
>is opening yourself to a great big security hole. Most desktops aren't
>properly locked down. If a desktop is allowed to use a VPN tunnel and
>the general internet at the same time, then you are opening the
>protected network to being hacked by somebody hopping through the
>desktop. Do you really want to do this?
>
>} I've done some preliminary searches for third-party clients, but don't want
>} to waste time trying 50 clients that may not be any good. I've found some
>} for Mac OS X that'll do what I want, but I haven't found one for Win
>} 9x/ME/NT/2K/XP.
>
> Win 2K/XP come with IPSec built-in and don't really need a
>client. Mac OS X may have it built-in as well.
>
>}-- End of excerpt from "Craig Columbus"

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42632&t=42604
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
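The exchange above turns on one question: when a client holds a tunnel into the protected network and a direct Internet path at the same time (split tunneling), can an unsolicited outside host reach the client and ride the tunnel inward, and does a stateful local firewall on the client change that? The following is an added example, not code from either poster or from any Cisco product, that models exactly that trade-off so the four combinations (full vs. split tunnel, with and without a stateful client firewall) can be compared side by side. The address ranges, port numbers and the firewall behaviour are constructed assumptions for the model, not a description of a real client.

```python
# Added example (not from the mailing-list thread): a small model of the
# split-tunnel exposure discussed above. Addresses, ports and the firewall
# behaviour are constructed assumptions, not any real client's policy.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing: the protected network sits behind the VPN
# concentrator; the client is on a LAN with its own direct Internet path.
PROTECTED = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    established: bool = False  # reply to a session the client itself opened


def egress_path(flow: Flow, split_tunnel: bool) -> str:
    """Path an outbound packet from the client takes: 'tunnel' or 'direct'.

    Full tunnel sends everything into the VPN (no Internet browsing while
    connected); split tunnel sends only protected-network destinations."""
    if ip_address(flow.dst) in PROTECTED or not split_tunnel:
        return "tunnel"
    return "direct"


def ingress_accepted(flow: Flow, split_tunnel: bool, local_firewall: bool) -> bool:
    """Whether a packet arriving on the client's untrusted (non-VPN) interface
    is accepted. Modelled assumptions:
      - full tunnel: the client drops cleartext traffic on that interface;
      - split tunnel + stateful local firewall: only replies to sessions the
        client initiated are accepted (the 'stateful inspection' idea);
      - split tunnel, no local firewall: anything reaches the client."""
    if ip_address(flow.src) in PROTECTED:
        return True  # arrived through the tunnel; not the case being modelled
    if not split_tunnel:
        return False
    if local_firewall:
        return flow.established
    return True


def hop_through_exposure(split_tunnel: bool, local_firewall: bool) -> bool:
    """True when an unsolicited Internet host can reach the client directly
    while the client also holds a tunnel into the protected network, i.e.
    the 'hopping through the desktop' case raised in the thread."""
    probe = Flow(src="203.0.113.9", dst="192.168.1.10", dport=139)   # constructed
    inward = Flow(src="192.168.1.10", dst="10.1.1.1", dport=445)      # constructed
    return (ingress_accepted(probe, split_tunnel, local_firewall)
            and egress_path(inward, split_tunnel) == "tunnel")


def policy_matrix() -> dict:
    """Exposure for each (split_tunnel, local_firewall) combination."""
    return {
        (mode, fw): hop_through_exposure(mode, fw)
        for mode in (False, True)
        for fw in (False, True)
    }


if __name__ == "__main__":
    for (split, fw), exposed in policy_matrix().items():
        print(f"split_tunnel={split!s:5} local_firewall={fw!s:5} -> exposed={exposed}")
```

Under these assumptions only the split-tunnel-without-local-firewall row comes out exposed; a stateful client firewall that admits only replies to client-initiated sessions closes the unsolicited-inbound path, which is the parallel the first post draws between a router's crypto access list and "proper software installed" on the client. The model deliberately says nothing about malware already on the desktop or about a compromised browser session: those are the "most desktops aren't properly locked down" cases in the reply, and no interface-level policy removes them.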

