Some vpn have a concept of inverse split tunnelling. It implements a policy as follows:
'I am the VPN terminator. I have a kernel driver on your PC. All your packets are belong to the tunnel except specific IP addresses, as dictated by me.'

Regarding DNS... If you are not allowing split tunnelling then you are backhauling all surfing through your VPN terminator, so I hope you are also doing some content inspection, spoofing SSL and re-encrypting so you can inspect that too. You're not? Oh well. Don't sweat split tunnelling that much then.

And in some cases IP:protocol destinations can be done with client policy enabled. So if you want to allow 9100/udp to your local inkjet, tell 'em it's gotta be on 10.1.1.69 or no printy.

This works nicely on Avaya / Nortel when coupled with GPO and Windows Firewall when those PCs are on your domain. It won't work for your C=64 though (BYOD, ya know).

Nothing is perfect, but there is something to be said for being somewhere far away from the extremes of gross negligence and preventing all IT services altogether. Like allowing some use, but monitoring and managing the risk.

As usual, YMMV depending on risk appetite, business need and threat environment.

W

Sent from my BlackBerry® PlayBook™
www.blackberry.com
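A small policy evaluator for the inverse split-tunnel rule described in the message above, added here as an illustration (it is not code from the poster or from any VPN vendor); the printer exception is built from the 10.1.1.69 / 9100/udp example, and the other flows are constructed:

```python
# Inverse split tunnelling: every flow goes into the tunnel unless the VPN
# terminator has pushed an explicit (destination, protocol, port) exception.
import ipaddress
from typing import List, NamedTuple, Tuple


class LocalException(NamedTuple):
    network: ipaddress.IPv4Network   # destination range allowed to stay local
    proto: str                       # "tcp" or "udp"
    port: int                        # destination port


# Constructed policy, as the terminator would dictate it: only 9100/udp to
# the branch inkjet at 10.1.1.69 may bypass the tunnel.
POLICY: List[LocalException] = [
    LocalException(ipaddress.ip_network("10.1.1.69/32"), "udp", 9100),
]


def route_for(dst: str, proto: str, port: int,
              policy: List[LocalException] = POLICY) -> str:
    """Return 'local' only when one exception matches on all three fields.

    Anything else, including other hosts on the same LAN or the printer on a
    different port, returns 'tunnel' (the "no printy" case).
    """
    dst_ip = ipaddress.ip_address(dst)
    for rule in policy:
        if dst_ip in rule.network and proto == rule.proto and port == rule.port:
            return "local"
    return "tunnel"


def classify(flows: List[Tuple[str, str, int]],
             policy: List[LocalException] = POLICY) -> dict:
    """Map each (dst, proto, port) flow to its routing decision."""
    return {flow: route_for(*flow, policy=policy) for flow in flows}


if __name__ == "__main__":
    # Constructed sample flows: the allowed printer job, the same printer on
    # its web UI, a neighbouring LAN host, and an Internet destination.
    sample = [("10.1.1.69", "udp", 9100), ("10.1.1.69", "tcp", 80),
              ("10.1.1.70", "udp", 9100), ("203.0.113.10", "tcp", 443)]
    for flow, decision in classify(sample).items():
        print(flow, "->", decision)
```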


From: "Colin Edwards" <[email protected]>
To: "'PaulDotCom Security Weekly Mailing List'" <[email protected]>
Sent: March 5, 2013 9:34 AM
Subject: Re: [Pauldotcom] VPN Split DNS

“Simple question: does the "datacenter" network want to trust the entire remote network?  If so, go for split tunneling.  If there is anything on the remote network that you don't want to trust, disallow split tunneling.”

And to add to that, if your branch office’s network can’t be trusted, then it’s probably time to address the security of that network.  I expect admins to disable split tunneling when hosts are connecting from potentially hostile networks (i.e. an employee’s home network where there is no knowledge or control over the security of the other hosts or firewall on that network).  But if there are concerns about your branch office’s network being hostile, then the first step should be implementing some baseline security requirements so all of your networks can be considered trusted.

From: [email protected] [mailto:[email protected]] On Behalf Of Herndon Elliott
Sent: Tuesday, March 05, 2013 7:53 AM
To: [email protected]
Subject: Re: [Pauldotcom] VPN Split DNS

> Subject: [Pauldotcom] VPN Split DNS
> Message-ID: CANMo1R4=[email protected]
>
> We have some branch offices that connect to a client VPN in our datacenter
> to access certain resources. Currently we are sending all traffic through
> the VPN when they connect, but this keeps them from being able to access
> resources on their network.

> What are the security concerns of using split DNS to allow them to access

Split DNS = split tunneling, I think you mean.

Simple question: does the "datacenter" network want to trust the entire remote network?  If so, go for split tunneling.  If there is anything on the remote network that you don't want to trust, disallow split tunneling.

My experience is split tunneling is very, very high-risk for the target of the VPN.

Herndon Elliott
Madison, Al
https://keyserver.pgp.com key ID: 24B60B6150130832
ΜΟΛΩΝ ΛΑΒΕ  "molon labe"

_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com