Re: [Pauldotcom] VPN Split DNS

[Chris Campbell]

I would agree with Andrew, it sounds like you are referring to split tunneling not split DNS. You need to assess the differences in client access when connected with a full tunnel vs. a split tunnel. For example, if a compromised host connects to the VPN, can it establish a connection back to a command+control server whilst the VPN is live? It's easy to assume the it won't be able to with a full tunnel but this may be unrealistic if your proxy policy is weak. You may also have a local proxy in the branch office in which case the security controls on the client's outbound connections are the same whether connected via full or split tunnel. If the clients are accessing resources (printers etc.) on the branch local subnet then you can allow access to that subnet only and nothing on the other side of the client's default gateway. You could also create a policy that only enables split tunnelling if the client connects from a branch office IP (external NAT IP, not client IP) to guard against users connecting from home. Andrew Johnson 5 March 2013 05:27 I believe you're referring to split tunneling. In short, if split tunneling is enabled and that host is compromised, it may be possible to pivot through that host and gain access to the resources behind the VPN. Such a scenario would undermine multi-factor authentication and other controls you've put in place. Andrew Johnson (Sent from my mobile device) _______________________________________________ Pauldotcom mailing list Pauldotcom@mail.pauldotcom.com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com Matthew Perry 5 March 2013 04:59 All,  We have some branch offices that connect to a client VPN in our datacenter to access certain resources.  Currently we are sending all traffic through the VPN when they connect, but this keeps them from being able to access resources on their network. What are the security concerns of using split DNS to allow them to access their local resources and the resources in the datacenter?  I currently work with an admin who thinks it is a very bad idea to use split DNS, but can't really give me any examples of why.  Thanks and I look forward to everyones responses. -- Matthew Perry _______________________________________________ Pauldotcom mailing list Pauldotcom@mail.pauldotcom.com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom@mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com