The issue isn't with IPSec per se, its with allowing split tunneling. If a user PC becomes compromised via a trojan that allows remote control such as BackOrifice, Netbus, etc., if you allow split tunneling then not only can the attacker control the users machine, they can use it as a jumping off point into the the corporate network. If split tunneling is disabled, then the attacker would not be able to connect to the users machine while the user was connected via the VPN. Personal firewall software can assist with this, but many corporations still don't allow split tunneling because of this issue since it is very difficult to keep a home users PC's reasonably secure.
Regards, Kent -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Lidiya White Sent: Friday, April 26, 2002 3:34 PM To: [EMAIL PROTECTED] Subject: RE: Alternatives to Cisco VPN client [7:42604] If you want your VPN client to have Internet connectivity while VPN tunnel is up, the solutions is the split tunnel configuration. PIX will push an access-list to a client, so only traffic between your private networks will flow through the tunnel, but the rest will go out to the Internet unencrypted. I work with Microsoft, Cisco VPN and IRE clients, and I don't really know what security holes people were talking about. No matter what, when a computer has a connection to the Internet, it's already a "security hole" right there. I don't see how adding IPSec on the client, will make it less secure. As far as decreased security for the LAN behind the PIX, again, I don't see a major hole there. As far as Microsoft client goes, it doesn't have as strong encryption as Cisco client does. Example: http://www.cisco.com/warp/public/110/pix3000.html (search for "split"). -- Lidiya White -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Odette II Sent: Friday, April 26, 2002 11:20 AM To: [EMAIL PROTECTED] Subject: RE: Alternatives to Cisco VPN client [7:42604] what's the security risk?.... (putting on learning cap now... :) ) Mark -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Louie Belt Sent: Thursday, April 25, 2002 8:12 PM To: [EMAIL PROTECTED] Subject: RE: Alternatives to Cisco VPN client [7:42604] You are creating a security risk for the other end of the tunnel when you are using split-tunneling from your client. louieb -----Original Message----- From: Craig Columbus [mailto:[EMAIL PROTECTED]] Sent: Thursday, April 25, 2002 6:49 PM To: [EMAIL PROTECTED] Subject: RE: Alternatives to Cisco VPN client [7:42604] Thanks for the responses. I'm aware of split tunneling with a concentrator. That's not what I want. I'm looking for something that lets me connect to any IPSEC compliant endpoint, whether it's a PIX, a router, or a Linux box. In other words, the client shouldn't care what it's connecting to. It should only care whether the traffic has a destination within the remote network or not. If so, send through tunnel, if not, send to Internet. Hope this helps clarify. Thanks! Craig At 07:39 PM 4/25/2002 -0400, you wrote: >You can definitely do this using the Cisco VPN client. This is a policy push >from the concentrator. If you would like split-tunneling you need to enable >that on the concentrator to allow the clients to do that. > >http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/rel3_5_1/adm in_g d >/vca.pdf > >Tim >CCIE 9015 > > >-----Original Message----- >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of >Craig Columbus >Sent: Thursday, April 25, 2002 6:25 PM >To: [EMAIL PROTECTED] >Subject: Alternatives to Cisco VPN client [7:42604] > > >Let me preface this by saying that all of my VPN experience has been either >peer-peer or client to peer with the Cisco VPN client 1.x or 3.x. Please >ignore my ignorance if I've missed something obvious. > >I've got a major complaint with the Cisco VPN client. It's not smart >enough to differentiate local traffic/Internet traffic from VPN >traffic. Therefore, you can't browse the Internet and your VPN network at >the same time. >I'm looking for alternative software clients that are smart enough to say >"Ok. Any traffic destined for 10.x.x.x (or whatever you define VPN traffic >to be) goes to the tunnel. If the traffic has any destination other than >10.x.x.x, it's treated as if the tunnel weren't even present." This would >allow my client machine to easily browse the Internet and the VPN remote >network at the same time. >I've done some preliminary searches for third-party clients, but don't want >to waste time trying 50 clients that may not be any good. I've found some >for Mac OS X that'll do what I want, but I haven't found one for Win >9x/ME/NT/2K/XP. >There's got to be a decent client that does this. >Sorry for rambling.... :-) It's been a long day. > >As usual, thanks in advance to everyone. > >Craig Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42807&t=42604 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
