Security risks of split tunnel

Discussion in 'Cisco' started by rhltechie, Dec 14, 2005.

  1. rhltechie

    rhltechie Guest

    Hi All,

    I currently run a PIX 515 and use it for VPN access. My users want the
    ability to print locally as well as use the internet while on the VPN.
    I know I can use split tunnel, but I realize the security risk. Can
    anyone tell me exactly how big of a risk this is? Ways to get around
    this? Also, we are thinking about a concentrator. Would having a
    concentrator solve this issue?


    rhltechie, Dec 14, 2005

  2. The extent of the risk depends on how fine-grained the exemption is.

    If your users are using Windows, they are probably using netbios
    type print services internally, which requires opening a fair set of
    ports. Those ports also happen to be the ones most likely to be attacked
    by a virus or trojan, which could then "remote-control" the session
    to attack your server network.

    The risk could be reduced noticeably if your users were using
    Berkeley lpd printing -- that's only a single port, and not one
    of the ones more commonly attacked. But setting up lpd services
    requires installing windows services, and I rarely see
    Windows printer drivers that offer lpd as one of their connection
    varieties. There does not appear to be a Windows "printcap", so
    my suspicion is that if the printers aren't Postscript or HPGL3 then
    You Would Not Enjoy (SM) the setup work involved.

    If I recall correctly, PIX 6.x whines about split tunnels that are
    specified down to the port level; I seem to recall that going below
    the 'ip' level wasn't possible until PIX 6.2, and going to the port
    level was (if I recall correctly) not possible until PIX 6.3.
    In a word, "No".
    Walter Roberson, Dec 14, 2005

  3. Martin Kayes

    Martin Kayes Guest


    Walter's comments best sum up the issues.

    The best thing is to have them go through your proxy server (if you have
    one). I had a situation where a customer wanted to do this but the users
    also wanted to access the Internet when not on the VPN and the proxy
    settings became a nuisance.

    What we did was create two icons on the desktop with the IE icon. One was
    called work internet and one was called personal internet. These shortcuts
    were to batch files that ran a .reg file to enter proxy settings into the
    registry then also loaded internet explorer. The work .bat put the proxy
    entries in and the personal .bat took them out.

    It's not a perfect solution but it is a free work-around!


    Martin Kayes, Dec 15, 2005
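The proxy-toggle workaround Martin describes, as an added example that is not Martin's own batch or .reg files: one batch file that takes `work` or `personal` as its argument, writes the per-user Internet Explorer proxy values under HKCU directly with `reg add` (the original post imported .reg files, which sets the same keys), and then launches IE. The proxy host and port `proxy.example.internal:8080` are a placeholder assumption, not from the thread.

```batch
@echo off
rem Added example, not from the original thread: flips the per-user IE proxy
rem settings that the "work internet" / "personal internet" shortcuts toggled.
setlocal
set "KEY=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
rem Assumed corporate proxy (placeholder); replace with the real one.
set "PROXY=proxy.example.internal:8080"
rem Hosts that should bypass the proxy; <local> means plain (non-dotted) names.
set "BYPASS=<local>"

if /i "%~1"=="work" goto work
if /i "%~1"=="personal" goto personal
echo Usage: %~nx0 work^|personal
exit /b 1

:work
rem Send browsing through the corporate proxy while on the VPN.
reg add "%KEY%" /v ProxyEnable /t REG_DWORD /d 1 /f >nul
reg add "%KEY%" /v ProxyServer /t REG_SZ /d "%PROXY%" /f >nul
reg add "%KEY%" /v ProxyOverride /t REG_SZ /d "%BYPASS%" /f >nul
goto launch

:personal
rem Off the VPN: disable the proxy but keep ProxyServer so "work" can re-enable it.
reg add "%KEY%" /v ProxyEnable /t REG_DWORD /d 0 /f >nul
goto launch

:launch
start "" "%ProgramFiles%\Internet Explorer\iexplore.exe"
endlocal
```

Because these values live under HKCU and are writable by the user, this is a convenience for the user rather than an enforced control, which matches Martin's own caveat that it is a work-around and not a perfect solution; the firewall-side split-tunnel ACL discussed earlier in the thread remains the enforcement point.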