Security risks of split tunnel

Discussion in 'Cisco' started by rhltechie@gmail.com, Dec 14, 2005.

  1. Guest

    Hi All,

    I currently run a PIX 515 and use it for VPN access. My users want the
    ability to print locally as well as use the Internet while on the VPN.
    I know I can use split tunnel, but I realize the security risk. Can
    anyone tell me exactly how big of a risk this is? Ways to get around
    this? Also, we are thinking about a concentrator. Would having a
    concentrator solve this issue?

    TIA,

    K
    Dec 14, 2005
    #1

  2. In article <>,
    <> wrote:
    >I currently run a pix 515 and use it for vpn access. my users want the
    >ability to print locally as well as use the internet while on the vpn.
    >i know i can use split tunnel, but i realize the security risk. can
    >anyone tell me exactly how big of a risk this is? ways to get around
    >this?


    The extent of the risk depends on how fine-grained the exemption is.

    If your users are using Windows, they are probably using NetBIOS
    type print services internally, which requires opening a fair set of
    ports. Those ports also happen to be the ones most likely to be attacked
    by a virus or trojan, which could then "remote-control" the session
    to attack your server network.

    The risk could be reduced noticeably if your users were using
    Berkeley lpd printing -- that's only a single port, and not one
    of the ones more commonly attacked. But setting up lpd services
    requires installing Windows services, and I rarely see
    Windows printer drivers that offer lpd as one of their connection
    varieties. There does not appear to be a Windows "printcap", so
    my suspicion is that if the printers aren't Postscript or HPGL3 then
    You Would Not Enjoy (SM) the setup work involved.


    If I recall correctly, PIX 6.x whines about split tunnels that are
    specified down to the port level; I seem to recall that going below
    the 'ip' level wasn't possible until PIX 6.2, and going to the port
    level was (if I recall correctly) not possible until PIX 6.3.

    >also, we are thinking about a concentrator. would having a
    >concentrator solve this issue?


    In a word, "No".
    --
    I was very young in those days, but I was also rather dim.
    -- Christopher Priest
    Walter Roberson, Dec 14, 2005
    #2

  3. Martin Kayes Guest

    Hi,

    Walter's comments best sum up the issues.

    The best thing is to have them go through your proxy server (if you have
    one). I had a situation where a customer wanted to do this but the users
    also wanted to access the Internet when not on the VPN and the proxy
    settings became a nuisance.

    What we did was create two icons on the desktop with the IE icon. One was
    called work internet and one was called personal internet. These shortcuts
    were to batch files that ran a .reg file to enter proxy settings into the
    registry then also loaded internet explorer. The work .bat put the proxy
    entries in and the personal .bat took them out.

    It's not a perfect solution but it is a free work-around!

    Regards,

    Martin




    <> wrote in message
    news:...
    > Hi All,
    >
    > I currently run a pix 515 and use it for vpn access. my users want the
    > ability to print locally as well as use the internet while on the vpn.
    > i know i can use split tunnel, but i realize the security risk. can
    > anyone tell me exactly how big of a risk this is? ways to get around
    > this? also, we are thinking about a concentrator. would having a
    > concentrator solve this issue?
    >
    > TIA,
    >
    > K
    >
    Martin Kayes, Dec 15, 2005
    #3
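    The two-shortcut trick Martin describes, as an added example (not Martin's own batch or .reg files): one script that the "work internet" and "personal internet" shortcuts call with different arguments, writing or clearing the Internet Explorer proxy values with reg.exe and then launching the browser. The proxy host, port and script name are constructed placeholders.

```batch
@echo off
rem browser-proxy.bat  (constructed example, not the poster's files)
rem Two desktop shortcuts call this script: one with "work", one with
rem "personal". "work" points Internet Explorer at the corporate proxy
rem while the VPN is up; "personal" clears it again. Then IE is launched.
rem PROXY_HOST and PROXY_PORT are placeholders; set them to your proxy.
setlocal
set "PROXY_HOST=proxy.example.internal"
set "PROXY_PORT=8080"
set "IE_KEY=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

if /i "%~1"=="work"     goto work
if /i "%~1"=="personal" goto personal
echo Usage: %~nx0 work ^| personal
exit /b 1

:work
rem ProxyEnable=1 plus ProxyServer makes WinINET (and so IE) send web
rem requests to the proxy; "<local>" keeps intranet names and the local
rem printer's web UI off the proxy.
reg add "%IE_KEY%" /v ProxyEnable   /t REG_DWORD /d 1 /f >nul || exit /b 1
reg add "%IE_KEY%" /v ProxyServer   /t REG_SZ /d "%PROXY_HOST%:%PROXY_PORT%" /f >nul || exit /b 1
reg add "%IE_KEY%" /v ProxyOverride /t REG_SZ /d "<local>" /f >nul || exit /b 1
goto launch

:personal
rem Disable the proxy and drop the server entries so nothing stale is left.
reg add "%IE_KEY%" /v ProxyEnable /t REG_DWORD /d 0 /f >nul || exit /b 1
reg delete "%IE_KEY%" /v ProxyServer   /f >nul 2>&1
reg delete "%IE_KEY%" /v ProxyOverride /f >nul 2>&1

:launch
start "" "%ProgramFiles%\Internet Explorer\iexplore.exe"
endlocal
```

    These values only steer programs that honour the per-user WinINET proxy settings, and the user can change them back at any time; anything else on the machine still leaves through the split tunnel, so treat this as a convenience for the proxy policy rather than as a control on what the split tunnel exposes.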
