Sure, but taking that less than secure computer, and hooking up to your
corporate network, opens the corporate network to backdoor access from the
internet. Hence the advisability of disabling split tunneling during VPN
connectivity to corporate nets.

It's not an IPSec issue. It's a best practice issue.

Chuck



"Lidiya White" wrote in message news:[EMAIL PROTECTED]...
> If you want your VPN client to have Internet connectivity while VPN
> tunnel is up, the solution is the split tunnel configuration.
> PIX will push an access-list to a client, so only traffic between your
> private networks will flow through the tunnel, but the rest will go out
> to the Internet unencrypted.
> I work with Microsoft, Cisco VPN and IRE clients, and I don't really
> know what security holes people were talking about. No matter what, when
> a computer has a connection to the Internet, it's already a "security
> hole" right there. I don't see how adding IPSec on the client, will make
> it less secure. As far as decreased security for the LAN behind the PIX,
> again, I don't see a major hole there.
> As far as Microsoft client goes, it doesn't have as strong encryption as
> Cisco client does.
>
> Example:
> http://www.cisco.com/warp/public/110/pix3000.html
> (search for "split").
>
>
> -- Lidiya White
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> Mark Odette II
> Sent: Friday, April 26, 2002 11:20 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Alternatives to Cisco VPN client [7:42604]
>
> what's the security risk?....
>
> (putting on learning cap now... :)  )
>
> Mark
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Louie Belt
> Sent: Thursday, April 25, 2002 8:12 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Alternatives to Cisco VPN client [7:42604]
>
>
> You are creating a security risk for the other end of the tunnel when you
> are using split-tunneling from your client.
>
> louieb
>
>
>
> -----Original Message-----
> From: Craig Columbus [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, April 25, 2002 6:49 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Alternatives to Cisco VPN client [7:42604]
>
>
> Thanks for the responses.
>
> I'm aware of split tunneling with a concentrator.  That's not what I want.
> I'm looking for something that lets me connect to any IPSEC compliant
> endpoint, whether it's a PIX, a router, or a Linux box.  In other words,
> the client shouldn't care what it's connecting to.  It should only care
> whether the traffic has a destination within the remote network or not.
> If so, send through tunnel, if not, send to Internet.
>
> Hope this helps clarify.
>
> Thanks!
> Craig
>
> At 07:39 PM 4/25/2002 -0400, you wrote:
> >You can definitely do this using the Cisco VPN client. This is a policy push
> >from the concentrator. If you would like split-tunneling you need to enable
> >that on the concentrator to allow the clients to do that.
> >
> >http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/rel3_5_1/admin_gd/vca.pdf
> >
> >Tim
> >CCIE 9015
> >
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> >Craig Columbus
> >Sent: Thursday, April 25, 2002 6:25 PM
> >To: [EMAIL PROTECTED]
> >Subject: Alternatives to Cisco VPN client [7:42604]
> >
> >
> >Let me preface this by saying that all of my VPN experience has been either
> >peer-peer or client to peer with the Cisco VPN client 1.x or 3.x.  Please
> >ignore my ignorance if I've missed something obvious.
> >
> >I've got a major complaint with the Cisco VPN client.  It's not smart
> >enough to differentiate local traffic/Internet traffic from VPN
> >traffic.  Therefore, you can't browse the Internet and your VPN network at
> >the same time.
> >I'm looking for alternative software clients that are smart enough to say
> >"Ok.  Any traffic destined for 10.x.x.x (or whatever you define VPN traffic
> >to be) goes to the tunnel.  If the traffic has any destination other than
> >10.x.x.x, it's treated as if the tunnel weren't even present."  This would
> >allow my client machine to easily browse the Internet and the VPN remote
> >network at the same time.
> >I've done some preliminary searches for third-party clients, but don't want
> >to waste time trying 50 clients that may not be any good.  I've found some
> >for Mac OS X that'll do what I want, but I haven't found one for Win
> >9x/ME/NT/2K/XP.
> >There's got to be a decent client that does this.
> >Sorry for rambling.... :-)  It's been a long day.
> >
> >As usual, thanks in advance to everyone.
> >
> >Craig




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42697&t=42604