Two different networks, one computer, one VPN

Discussion in 'Cisco' started by rashidaq, Oct 23, 2005.

  1. rashidaq

    rashidaq Guest

    I have this problem with VPN access.

    I am using VPN access to log in to a customer site
    using the Cisco VPN client.
    When I do that I lose my company's Outlook email, so I have
    to wait to log off to get my company's email and then log on back to the
    customer using VPN.

    I am using Windows XP Pro with one network card.
    It seems to get DNS and a default router once I log in
    to the customer site.

    At the company site I don't use VPN; I just get a DHCP
    IP and I am into my Outlook and the internet.

    What's more frustrating is, once I am VPN'd into the customer site
    for twenty hours, I can't access the internet.

    Thanks in advance, help..

    Rash
     
    rashidaq, Oct 23, 2005
    #1

  2. Hi,

    You have to set up split tunneling on your concentrator.

    marcial.colomer at gmail
     
    marcial_colomer, Oct 23, 2005
    #2

  3. rashidaq

    rashidaq Guest

    How do you set up split tunneling, and on what concentrator?

    Does this mean that I can't do anything on my computer
    to make this happen?


    thanks
     
    rashidaq, Oct 23, 2005
    #3
  4. Ted Nevil

    Ted Nevil Guest

    Hi

    Right, you can't do anything.
    Split tunneling must be configured on the VPN concentrator (where you
    dial in).

    Mostly this is disabled for security reasons.
     
    Ted Nevil, Oct 25, 2005
    #4
  5. That's by design:

    Once you have your VPN connection open, all traffic goes through that VPN
    connection.

    What you want is called "split tunneling" and is a security nightmare.
     
    Martin Bodenstedt, Oct 26, 2005
    #5
  6. But you don't really want to do this (for security reasons):

    Your customer's network most likely has a very strict internet policy
    using a firewall, spam and virus checker - and possibly contains
    sensitive data.

    Now you open a remote VPN connection to this network through the
    internet using your own internet connection.

    By design, once the tunnel (your VPN connection, that is) is established
    your VPN client blocks all incoming or outgoing traffic on your computer
    except the traffic going through the tunnel. This way your PC (and only
    your PC, no matter what else your PC is connected to locally) is made a
    virtual extension of your customer's network.

    Now consider free network access on your PC while the VPN connection is
    open (which is called "split tunneling" because your network access is
    split between the tunnel connection and local network access):

    Suddenly all other PCs on your local network can access the customer's
    network and - which is worse - your customer's network has a rogue
    internet connection (through your PC) bypassing that network's internet
    access policy.
     
    Martin Bodenstedt, Oct 26, 2005
    #6
  7. Whether the client can do anything depends on the VPN client, not on
    the VPN concentrator, since it is the VPN client that ultimately
    controls how traffic is routed on the client. Typically, if the VPN
    administrator does not want split tunnelling to be used then they
    don't configure it on the VPN concentrator and provide a VPN client
    program that provides no way of turning it on.

    However, if the authentication details can be extracted from the VPN
    client then they can be used with a client that does support split
    tunnelling even if the VPN concentrator is not configured to support
    it.

    Not surprisingly, such VPN clients are not popular with VPN
    administrators since they allow users to override the administrator's
    policy. So, they can make life difficult by making the authentication
    details hard to extract from the VPN client they provide and/or using
    vendor-specific/proprietary authentication mechanisms that other VPN
    clients do not support and/or requiring that you sign something that
    says you will only use approved software for VPN access.
     
    Stephen J. Bevan, Oct 27, 2005
    #7
  8. Basically yes.

    But depending on the software used, the central network admin has
    control over the client's routing options...
     
    Martin Bodenstedt, Oct 27, 2005
    #8
  9. Isn't that another way of saying what I wrote in the next sentence
    after the one you quoted? That is :-
     
    Stephen J. Bevan, Oct 28, 2005
    #9
  10. How is that going to happen without some serious reconfiguration both
    on your system and its local network? To take some (hypothetical)
    numbers. Your PC has IP address 192.168.0.2 on the local network. When
    you establish the VPN connection to the remote network this allocates
    you IP address 10.0.0.3 on that network.

    If your PC acted as a 'simple' router then any packets it received
    with destination addresses in 10.0.0.0/8 it would send over the VPN,
    but with a source address in 192.168.0.0/24, which the remote network
    would not like and which would probably be rejected by the firewall in the
    VPN endpoint. Add to that, the other systems (or at least the system
    which is the default route) on the local LAN would have to be set up
    with a static route for 10.0.0.0/8 via your PC.

    For other systems to access the remote network via your PC, not only
    would the static routes have to be set in the local network but your
    PC would have to act as a NATting router and set the source address of
    all packets to 10.0.0.3 before sending over the VPN.

    For your PC to 'leak' the external internet to the remote VPN would
    require even more complex configuration.

    None of these things could happen accidentally. So if you are not
    trusted enough to not deliberately subvert the remote system's
    security then neither should you be trusted enough to have the VPN
    connection to the remote network.
     
    Graham Murray, Oct 29, 2005
    #10
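Posts #6 and #10 describe the same routing picture from two sides: where a host sends each packet under full-tunnel versus split-tunnel routes, and why a neighbour's packet forwarded over the tunnel is dropped unless its source is rewritten. The following is an added example, not code from anyone in this thread, that models that with Python's `ipaddress` module using the hypothetical addresses from post #10; the route tables, the endpoint's source-address check and the `nat` flag are assumptions of the model, not any vendor's client behaviour.

```python
"""Model of full-tunnel vs split-tunnel host routing and the forwarding
problem from post #10. Constructed example; addresses are the thread's
hypothetical ones (192.168.0.2 on the LAN, 10.0.0.3 inside the tunnel)."""
from ipaddress import ip_address, ip_network

LOCAL_LAN = ip_network("192.168.0.0/24")
LOCAL_ADDR = ip_address("192.168.0.2")   # PC's LAN address (post #10)
VPN_ADDR = ip_address("10.0.0.3")        # address assigned over the VPN
REMOTE_NET = ip_network("10.0.0.0/8")    # customer's network behind the VPN

# Route table entries: (prefix, egress interface). Longest prefix wins.
# Full tunnel: the client owns the default route, so everything goes in.
FULL_TUNNEL = [(ip_network("0.0.0.0/0"), "vpn")]
# Split tunnel: only the remote prefix goes in; the rest stays local.
SPLIT_TUNNEL = [(ip_network("0.0.0.0/0"), "lan"), (REMOTE_NET, "vpn")]


def egress(routes, dst):
    """Interface a packet to dst leaves on, by longest-prefix match."""
    dst = ip_address(dst)
    matches = [(net.prefixlen, iface) for net, iface in routes if dst in net]
    return max(matches)[1] if matches else None


def endpoint_accepts(src):
    """Assumed remote-endpoint filter: only the tunnel address is expected."""
    return ip_address(src) == VPN_ADDR


def forward_from_lan(routes, src, dst, nat):
    """A LAN neighbour's packet reaches our PC. Returns
    (egress interface, source address as sent, accepted by far end).
    Without NAT the far end sees a 192.168.0.x source and rejects it."""
    iface = egress(routes, dst)
    src_sent = VPN_ADDR if (iface == "vpn" and nat) else ip_address(src)
    accepted = iface != "vpn" or endpoint_accepts(src_sent)
    return iface, str(src_sent), accepted


def lan_reaches_remote(routes, nat):
    """The exposure from post #6: can a LAN neighbour reach the customer
    network through this PC under these routes?"""
    return forward_from_lan(routes, "192.168.0.7", "10.0.5.5", nat)[2]
```

Under the full-tunnel table every destination, LAN neighbours included, resolves to the tunnel, which is the "virtual extension" behaviour post #6 describes; under the split table the NAT flag alone decides whether a forwarded neighbour packet gets through.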
  11. If your PC supports any ability to remotely control it (e.g. telnet,
    ssh, Back Orifice, trojan allowing remote access) from the internet
    then a third party can in theory control your computer. Whether
    theory meets practice depends on exactly what sort of remote control
    software is on your PC, but even usually safe software like ssh has
    had the occasional bug which could be exploited to allow remote
    access.

    So, assuming*** you are running vulnerable remote access software on
    your computer and you have split-tunnelling enabled while connecting
    to your company's internal site then your company's site is now
    accessible to a third party in real-time. If split-tunneling is
    disabled a third party cannot access your company's internal site in
    real-time via your internet connection.

    If real-time access is needed by the third party then the best they
    could do would be to set up some software on your PC that would
    automatically try to create an outbound connection over the VPN to
    another machine they control and then connect back in over that.
    Since that connection has to go via the company's firewall(s) then
    they have the necessary opportunity to block this access e.g. using
    intrusion prevention software.
     
    Stephen J. Bevan, Oct 29, 2005
    #11
  12. The point - from a network administrator's point of view - is simply that
    it *can* be done (either actively by a remote user in a "destructive"
    mood or by some imported malware).
    It depends on what you call "accidentally". The point simply is that the
    remote computer connecting via VPN is *not* under the control of the
    corporate network administrator.
     
    Martin Bodenstedt, Oct 31, 2005
    #12
  13. Thanx for so succinctly explaining the point I'm trying to get across
    here ;-)
     
    Martin Bodenstedt, Oct 31, 2005
    #13
  14. Yes :)
     
    Martin Bodenstedt, Oct 31, 2005
    #14