IMHO - it is all a question of usability/functionality vs. security ...

Ideally (from a security perspective) - you would not split tunnel; as the
hosts are then, in effect, multi-homed.  In fact, ideally, you wouldn't VPN
at all  ;>      

However, in the real world, there are issues with not using split tunnels -
        Bandwidth utilization - every VPN user would be sending all traffic
to you ... may hit limits on VPN Concentrator, may overload your circuits,
would use more NAT/PAT resources, etc.
        Work requirements - users may require ability to access local
servers as well as servers via the VPN ... in fact, users may have multiple
VPNs running at once (using non-cisco client).


You can also mitigate many of the security concerns with VPNs in general by
following other current-best-practices ... POLP, Layered defense,
auditing/accountability, default-deny policies/access-control, etc. etc.



Thanks!
TJ
-----Original Message-----
From: Mark W. Odette II [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, January 16, 2003 10:13 AM
To: [EMAIL PROTECTED]
Subject: RE: Cisco VPN Question [7:61148]

> Split tunneling has been enabled up until now.
Does this mean you have recently DISabled split tunneling??

If not, does the newest client 3.6? have a function for keeping traffic
sourced from the internet from using the Split-tunneling host from
acting as a mirror to breach the corporate network??

From what I understand, enabling the Split Tunnel feature is a BAD
option, Cisco just created it for those clients that didn't want their
remote users surfing the net via the corporate network.

Can anybody clarify on any of these points??

-Mark

-----Original Message-----
From: Kim Graham [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, January 16, 2003 5:57 AM
To: [EMAIL PROTECTED]
Subject: RE: Cisco VPN Question [7:61148]

Basically it performs as per stated.  We have VPN users that come into our
concentrator from all over North America and abroad.  They have used a
variety of cable, dsl, dial-up providers and for the most part do not have
any issues.  Split tunnelling has been enabled up until now.

As for private networks (home networks) we have some home users utilizing
Nexlands and Ugates and probably other "Internet Sharing Boxes".  Some cable
companies have had compatibility issues with this but I believe the most
recent version of software on those boxes has corrected the problem. As a
test while at Nanog I was able to log into my internal network from a
wireless laptop.

All in all it is a pretty solid client.

Kim / Zukee




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61212&t=61148