A PC directly connected to the internet at the same time it is directly
connected to a corporate network via a VPN allows a malicious user to
compromise the PC in any number of well-known ways, and thus gain control of
the PC and voila! have instant access to the corporate net as well - through
a trusted and supposedly secure source!

It is believed that certain well-publicized security breaches at Microsoft a
year or so ago were the result of this kind of vulnerability.

Companies concerned with the security of their inside network (my employer
included) will expressly forbid split tunneling (the ability to directly
connect to the internet while connected to the company via a VPN). My
employer requires us to use a PC-based firewall that forbids the creation of
connections initiated from the outside. I don't know all the details,
because the company in its wisdom has forbidden user access to the
firewall - it is well hidden within our NT and 2000 operating systems and I
am not enough of a hacker to figure out how to hack it. ;->

The point is that the internet should always be considered hostile, and one
should take the appropriate precautions. Any dial-up or broadband internet
user is vulnerable to attack or compromise from the internet. When
connecting to a private network via VPN, one should be thinking the same
way.

JMHO

Chuck


"Mark Odette II" wrote in message news:[EMAIL PROTECTED]...
> what's the security risk?....
>
> (putting on learning cap now... :)  )
>
> Mark
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Louie Belt
> Sent: Thursday, April 25, 2002 8:12 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Alternatives to Cisco VPN client [7:42604]
>
>
> You are creating a security risk for the other end of the tunnel when you
> are using split-tunneling from your client.
>
> louieb
>
>
>
> -----Original Message-----
> From: Craig Columbus [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, April 25, 2002 6:49 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Alternatives to Cisco VPN client [7:42604]
>
>
> Thanks for the responses.
>
> I'm aware of split tunneling with a concentrator.  That's not what I want.
> I'm looking for something that lets me connect to any IPSEC compliant
> endpoint, whether it's a PIX, a router, or a Linux box.  In other words,
> the client shouldn't care what it's connecting to.  It should only care
> whether the traffic has a destination within the remote network or not.  If
> so, send through tunnel, if not, send to Internet.
>
> Hope this helps clarify.
>
> Thanks!
> Craig
>
> At 07:39 PM 4/25/2002 -0400, you wrote:
> >You can definitely do this using the Cisco VPN client. This is a policy push
> >from the concentrator. If you would like split-tunneling you need to enable
> >that on the concentrator to allow the clients to do that.
> >
> >http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/rel3_5_1/admin_gd/vca.pdf
> >
> >Tim
> >CCIE 9015
> >
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> >Craig Columbus
> >Sent: Thursday, April 25, 2002 6:25 PM
> >To: [EMAIL PROTECTED]
> >Subject: Alternatives to Cisco VPN client [7:42604]
> >
> >
> >Let me preface this by saying that all of my VPN experience has been either
> >peer-peer or client to peer with the Cisco VPN client 1.x or 3.x.  Please
> >ignore my ignorance if I've missed something obvious.
> >
> >I've got a major complaint with the Cisco VPN client.  It's not smart
> >enough to differentiate local traffic/Internet traffic from VPN
> >traffic.  Therefore, you can't browse the Internet and your VPN network at
> >the same time.
> >I'm looking for alternative software clients that are smart enough to say
> >"Ok.  Any traffic destined for 10.x.x.x (or whatever you define VPN traffic
> >to be) goes to the tunnel.  If the traffic has any destination other than
> >10.x.x.x, it's treated as if the tunnel weren't even present."  This would
> >allow my client machine to easily browse the Internet and the VPN remote
> >network at the same time.
> >I've done some preliminary searches for third-party clients, but don't want
> >to waste time trying 50 clients that may not be any good.  I've found some
> >for Mac OS X that'll do what I want, but I haven't found one for Win
> >9x/ME/NT/2K/XP.
> >There's got to be a decent client that does this.
> >Sorry for rambling.... :-)  It's been a long day.
> >
> >As usual, thanks in advance to everyone.
> >
> >Craig
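Added example, not from any of the posts in this thread: a Python sketch of the routing decision Craig describes (destinations inside 10.x.x.x go to the tunnel, everything else goes straight to the Internet) together with a check for the condition Chuck warns about, a client that holds a route into the private network while its default route still points at the direct Internet link. The interface names, prefixes and routing-table text are constructed for the example.

```python
import ipaddress

# Constructed routing tables (not from the thread), one route per line as
# "prefix via interface"; vpn0 is the tunnel, eth0 the direct Internet link.
SPLIT_TUNNEL_TABLE = """
10.0.0.0/8 via vpn0
192.168.1.0/24 via eth0
0.0.0.0/0 via eth0
"""

FULL_TUNNEL_TABLE = """
10.0.0.0/8 via vpn0
192.168.1.0/24 via eth0
0.0.0.0/0 via vpn0
"""


def parse_routes(text):
    """Parse the constructed table format into (network, interface) pairs."""
    routes = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        prefix, _via, iface = line.split()
        routes.append((ipaddress.ip_network(prefix), iface))
    return routes


def next_hop_iface(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins.
    This is the 'in the remote network -> tunnel, else -> Internet' rule."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def is_split_tunnel(routes, vpn_iface="vpn0"):
    """True when some prefix is routed through the VPN but the default route
    is not: the host is directly exposed to the Internet while also holding
    a path into the private network, which is the exposure Chuck describes."""
    default_iface = next((i for n, i in routes if n.prefixlen == 0), None)
    vpn_prefixes = any(i == vpn_iface for n, i in routes if n.prefixlen > 0)
    return vpn_prefixes and default_iface != vpn_iface
```

A full-tunnel client (default route via the VPN) makes is_split_tunnel return False, which is the posture Chuck's employer enforces.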

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42683&t=42604
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]