How can I safely bypass VPN configuration 3

wchull (MIS), Jun 14, 2001, US
The company I work for has a Cisco VPN connecting into the corporate LAN. When I establish a session currently the system creates a split tunnel that allows me a secured tunnel into work but also allows me the ability to go elsewhere on the Internet. We have been told that in the future the configuration of the VPN will change and while connected to the LAN I will no longer be able to connect elsewhere on the Internet or receive POP3 mail.

I know that having the capability of logging in from home to fix problems saves me time and the company time but at the same time this is MY PC and MY internet feed that I pay for so when someone tells me that I can't use my system I get kind of ticked off. So......

Is there a way in which I can safely override the secured tunnel environment so I still get email and browse wherever I choose? If I install a second NIC will the VPN client software only lock down one NIC or both?

Any help or advice will be appreciated.
 
I should imagine they do this in order to stop somebody else accessing the company network by relaying through your machine? Are you sure you want to circumvent company policy/security even though you freely admit that use of the VPN saves you time?

I would imagine that the software would only lock down the single network card in use by the VPN connection, but I have never had the chance to use a Cisco VPN. If you do try adding a second card I would be interested in knowing whether it worked or not, though!


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.
 
Grenage,

Thanks for the reply.

In regard to your first question... Most of the time, if I couldn't get email or reach a web site it would not be a big deal and I would not circumvent a thing. There are a few times that given the circumstances I might want to have an alternative. Quite honestly the support guys have indicated that if I have a router (I do) and a second PC (I do, but not in the same room) there would be nothing that would prevent me from using that PC as my VPN client PC and using my personal PC for personal use. The problem is it's another case where the company is asking me to have more personal equipment in order to support their system. It would be different if they provided a laptop for me to use but that would cost them too much money.

I know that you can have 2 NICs in a PC but I just don't know enough about how the system works with 2 NICs. In other words, if you have a NIC disabled and you established a VPN session through the first NIC and then enabled the second NIC, how would the browser know which NIC to go through? Anyone have any further info on this?
 
We supply a Cisco based VPN system identical to this. By allowing general browsing it is a huge security risk for the network. There are way too many sites with drive-by downloads, viruses, and spyware to allow a remote PC the opportunity to infect the network. Our users (including me, the IT Manager) can only log in and do business on the corporate VPN, but it is very simple to just right click on the VPN padlock tray icon and disconnect from the VPN and browse the internet. This is a minor inconvenience but a necessary security measure. After all, I cannot travel to each employee's house and inspect their PCs to ensure that they have anti-virus and firewall software up-to-date. Besides that, a lot of corporate networks monitor and block internet activity (we do) and do you really want your home PC monitored in that manner or blocked? Work is work and personal is personal and that is how we treat it.
 
JOAMON,

Thanks for the reply.

Yes, it does sound like your environment is like ours. We cannot get to webmail sites, newsgroups and all of our Internet and Exchange mail is content filtered.

You bring up an interesting possibility with the disconnect, I just don't know how it would work in our environment. I have an icon on the desktop that I use to launch the VPN client and authenticate when I need to access the corporate network and I usually disconnect and then terminate the VPN client through the systray icon. I guess I have never tried to reconnect through the systray icon before. If you can toggle on and off without a lot of re-authentication then that would certainly ease the pain as I could toggle off when I need to check mail or get an answer from a newsgroup site and toggle back on when I'm finished. I'll give that a try before adding a second NIC but I'm still interested in how a second NIC might perform in a home PC.
 
You will have to re-authenticate... it is not a toggle, but for us it is relatively painless to re-connect without a big hassle. I could write myself access with split tunneling but use the same rules for remote access that everyone else has, except that through access lists for different groups I have full network access where others have access only to specific resources (email, DBs, file server, AV server, etc.).
 
Time for a bit of a rant. Can't help it. Please note that the following is not directed at anyone in particular, but the misconception in general:

By allowing general browsing it is a huge security risk for the network.

The question of the day is HOW?

Several security vendors (Cisco and Nortel are big offenders, others follow suit) promote the idea that their VPN clients offer a bit of security because they can force all client traffic over the VPN. What exactly does this protect the host network from? Is there some virus, worm, or other undesirable that broadcasts itself over the internet or any other network?

Nope. Doesn't work that way. TCP/IP broadcasts are not forwarded across networks. If they were, the internet would be so clogged with broadcast traffic that it would be useless. There certainly is the misconfigured router here and there that may broadcast, but the problem is not nearly widespread enough to allow a virus to take advantage of it. A virus infection generally requires that a user opens an email or visits a particular website. The virus is never "pushed" onto the computer.

Once a computer has a virus, it is theoretically possible for it to infect or more likely disrupt other computers on the local network. Even transmitting an infection across the local network would be difficult, as there simply are not many avenues to push a file to another computer on the network and execute it.

In theory, it MAY be possible to convince a computer running a VPN client to route traffic between the VPN host network and the internet. In order for this to be effective, internet routing tables would need to be modified. Not going to happen. It is possible for a computer to route traffic between the VPN host network and the local network. If a computer were connected to two VPNs at the same time, it would also be possible to route between the two, but it would take a bit of work and specific knowledge of the topology of both networks.

Unless a client is forced to stay connected to the VPN constantly, the client may still become infected while not connected to the VPN. If a virus were to broadcast across the network, it would still be on the client and able to do its business regardless of the fact that it did not acquire the virus while connected.

The short version of this would be:

Routing ALL client traffic over a VPN connection
A) does nothing to secure the VPN host network
B) increases the load on the VPN tunnel. Even if browsing is not allowed over the connection, you still have the requests floating that must be denied.
C) may provide a false sense of security.

A good VPN gateway configuration should
A) block all traffic not originating from the VPN client. This is sufficient in most cases to eliminate traffic from the internet or another private network reaching the host network.
B) enforce a policy that IP forwarding on the VPN client is disabled. This also will eliminate unwanted traffic from non-trusted networks.
C) ensure that anti-virus software is installed, active and current before allowing the connection. This is problematic, because it does require that the client purchases or at least installs additional software on their machine.
D) implement some basic firewall rules for the VPN client to further ensure that unwanted traffic does not route through the connection.

Most of the vendors that promote the traffic restrictions support all or most of the better security measures. It is a bit more complicated to implement, but it offers a bit of real security.

The other idea behind forcing all network traffic over the VPN is to monitor employee activity. This is also useless, as it is possible (as was pointed out earlier) to connect from one computer and surf on another. For that matter, one could have the TV on, be chatting on the phone, or doing any number of other activities that are not productive. At the end of the day, it does nothing more than increase bandwidth usage and create ill will.

Rant over, sorry.

Now for the question that was posted. No, it is not possible to bypass the restrictions that the Cisco (or many other) clients place on the client machine. A second network interface will do no good, as the client software handles network traffic before it ever hits the hardware. Even if a second card could bypass the restrictions, you generally cannot use two interfaces on the same network (exception being load balancing on a server).

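The two questions the thread keeps circling (wchull's "how would the browser know which NIC to go through?" and mhkwood's points about forcing all traffic into the tunnel, disabling IP forwarding on the client, and filtering by source at the gateway) come down to ordinary IP routing. The following model is an added example, not code from the thread or from any Cisco or Nortel product. It assumes a client that enforces full-tunnel mode by pushing the two routes 0.0.0.0/1 and 128.0.0.0/1 into the tunnel (a common technique, assumed here rather than taken from the posts), and the interface names, addresses and metrics are constructed for illustration.

```python
"""Constructed model of route selection on a VPN client host and of the
relaying scenario the thread discusses.  Interface names (eth0, eth1, tun0),
addresses and the 0.0.0.0/1 + 128.0.0.0/1 route pair are assumptions."""
import ipaddress


class Host:
    def __init__(self, ip_forward=False):
        self.routes = []            # (network, interface, metric)
        self.ip_forward = ip_forward

    def add_route(self, cidr, iface, metric=0):
        self.routes.append((ipaddress.ip_network(cidr), iface, metric))

    def egress(self, dst):
        """Longest-prefix match, lowest metric as the tie-break.  This is the
        stack's decision; an application such as a browser never picks a NIC
        itself, so enabling a second card only matters if it wins this
        comparison."""
        addr = ipaddress.ip_address(dst)
        cands = [r for r in self.routes if addr in r[0]]
        if not cands:
            return None
        _net, iface, _metric = max(cands, key=lambda r: (r[0].prefixlen, -r[2]))
        return iface

    def forward(self, in_iface, dst):
        """A packet arrives on in_iface but is not addressed to this host
        (a LAN neighbour trying to reach the corporate network through the
        VPN client).  It is relayed only if IP forwarding is enabled."""
        if not self.ip_forward:
            return "drop"
        out = self.egress(dst)
        return f"relay via {out}" if out and out != in_iface else "drop"


def split_tunnel_client():
    h = Host()
    h.add_route("192.168.1.0/24", "eth0")         # home LAN (assumed)
    h.add_route("0.0.0.0/0", "eth0", metric=10)    # home router default
    h.add_route("10.0.0.0/8", "tun0")              # corporate prefix only
    return h


def full_tunnel_client():
    h = split_tunnel_client()
    # Assumed client behaviour: two /1 routes cover the whole address space
    # and are more specific than any /0 default, so all non-LAN traffic goes
    # into the tunnel without the original default ever being deleted.
    h.add_route("0.0.0.0/1", "tun0")
    h.add_route("128.0.0.0/1", "tun0")
    return h


def with_second_nic(h):
    """The 'add a second card' idea: a new default route with a better metric."""
    h.add_route("0.0.0.0/0", "eth1", metric=5)
    return h


def gateway_accepts(pkt_src, assigned_client_ip):
    """Gateway rule A from the post: accept only packets whose source is the
    address the concentrator assigned to this client.  Traffic a client relays
    from its LAN without NAT keeps the neighbour's source and is rejected."""
    return ipaddress.ip_address(pkt_src) == ipaddress.ip_address(assigned_client_ip)


if __name__ == "__main__":
    web = "198.51.100.7"                       # some internet host (documentation range)
    print("split tunnel  ->", split_tunnel_client().egress(web))                 # eth0
    print("full tunnel   ->", full_tunnel_client().egress(web))                  # tun0
    print("full + 2nd NIC->", with_second_nic(full_tunnel_client()).egress(web)) # tun0
    relay = full_tunnel_client()
    print("LAN neighbour, forwarding off ->", relay.forward("eth0", "10.1.2.3"))
    relay.ip_forward = True
    print("LAN neighbour, forwarding on  ->", relay.forward("eth0", "10.1.2.3"))
    print("gateway accepts relayed packet ->", gateway_accepts("192.168.1.50", "10.200.0.5"))
```

Two things the model makes concrete: a second NIC does change the answer in split-tunnel mode (its /0 wins on metric), but not in full-tunnel mode, because the pushed /1 routes beat any default route regardless of metric; and the relaying risk the thread argues about requires the client to have forwarding enabled and the gateway to not check the source address, so either of mhkwood's controls A or B closes it on its own (unless the client also NATs the neighbour's traffic, which source filtering alone cannot see). The model covers routing only; the separate mechanism the thread mentions, a client filter driver that discards off-tunnel packets before they reach any card, is not represented here.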
 
What about VMware? Run a clone of the system in a virtual environment. One for VPN and the other for personal. Is that possible? I am not that familiar with VMware. Just a thought...but again that will require additional software and configuration.
 
I checked before getting the last 2 posts and yes, you do have to reauthenticate, and the way the concentrator is set up, as soon as I break the connection the LAN IP address I first acquired is held out of the pool for 60 minutes so that a DNS flushing tool we wrote in house can scavenge the orphaned addresses in Microsoft DNS. MKHWood is probably right that the software is probably intercepting the traffic before it gets to the NIC. VMware may work but again, more cost to the employee that is already using their PC and their internet feed as a benefit to the company without compensation. What usually takes place is a quick fix isn't even logged into time reporting even though we are allowed a minimum of 2 hours paid comp time on any support call. I can see where with the change from a split tunnel to a secured tunnel environment people will start comping their time as a means of payback.
 
A VPN client on one virtual machine should not affect another on the same physical machine, but unless the hardware is really beefy, the time required to switch would likely be more of a problem than the authentication.
 
I came here in search of a solution, myself.
I'm using my personal laptop and broadband connection. After connecting the VPN, windows remote desktop allows me to connect to an on-site machine. Great! Telecommunication realized!

However, like many others I was dismayed to find out the Nortel VPN client monopolized my laptop's network connection!

I don't see it as very fair that I'm unable to simultaneously run other net dependent apps on MY laptop, utilizing MY bandwidth. This is an unfair appropriation of my personal resources!

Regarding virtualization...
I've tried Ubuntu Linux under VMWare Server which was rather sluggish under my 1.4Ghz Pentium M with 1GB RAM. I'd hate to buy another copy of XP just to run a virtual machine with the VPN client and have it all even slower, at that.

And yet, it looks like the only viable choice, at this point.


On a side note, it seems that my network connection likes to go dead several hours after booting ever since installing the client. The only resolution I've found is a reboot. Not good for a machine that doubles as a server. I suppose I'll start/search another thread for help on that.
 
[quoting JOAMON (IS/IT--Management)]"By allowing general browsing it is a huge security risk for the network."

Hi Folks,
My (hopefully relevant to this topic) question is... I just successfully setup a vpn tunnel with 2 WRV54G routers, and can use QuickVPN on the mobile remotes for connectivity to the tunnel....
...I have successfully setup some VPN's in the past...
...AND I have read that after setting such up there will usually by default end up being no "outside tunnel" access to, say for instance, the internet via browser, when users are connected over VPN...
...BUT we always do!...
...SO... what settings could/should I be looking into if the desired effect is for workstation(s), or the mobile remotes, to be exclusively limited to the VPN (tunnel)?

Clarifications/considerations:
1) Obviously this current setup does not require workstations on either of the stationary networks to launch a VPN client; VPN access simply exists via the router tunnels pointing to one another.
2) Although I have repeatedly come across discussion over this espoused security issue, it seems any sort of VPN I have ever setup has allowed the capability to also access the internet, i.e., I always have had to address internet restrictions separately.
3) Maybe I am grossly missing something in the way I setup VPN's that is leaving us vulnerable, but then if security is by default such a major issue (a la, the quoted statement above) why would the default seemingly be to not concurrently restrict user's internet access when setting up simple VPN's?

What am I missing in my understanding here?

Cheers,
TwoHawks

Love is the Function, No Form is the Tool
 
Just wanted to let all in here know I have successfully created a VMWare virtual machine exclusively for using VPN functionality, leaving all my networking apps outside the virtual machine free to use my network connection--the way it SHOULD be.

While the virtual machine does naturally run slower, the point is it can be done.

VMWare Server is now offered requiring a free registration for a serial key. As for the OS you put on the virtual machine, the license of that OS still applies.
 
Shortly after posting the above I found out about VMWare Tools. After installing this, much of the sluggishness related to mouse tracking is alleviated and the total experience improved much more so!
 
mhkwood. I was so shocked and appalled by your nonsensical rant that I had to create a temporary account to address it.

YOU: Several security vendors (Cisco and Nortel are big offenders, others follow suit) promote the idea that their VPN clients offer a bit of security because they can force all client traffic over the VPN. What exactly does this protect the host network from? Is there some virus, worm, or other undesireable that broadcasts itself over the internet or any other network?

ME: Why yes, there are many worms and many flavors of malware that continuously scan the network/internet. These can get so severe that they do actually bring down large networks. One example: November 3, 1988. Black Thursday. We all know that there have been no advances since 1988...
Companies might also be interested in the VPN because it protects company data. Many salespeople stay in hotels and use the wifi/wired hotel network to communicate back to the home office.


YOU: Nope. Doesn't work that way.

ME: Yes. Yes it does. There are many non-vendor websites that address virus/malware trends. Go see for yourself.


YOU: A virus infection generally requires that a user opens an email or visits a particular website.

ME: God, I really hope you're not in charge of a network that has any interaction involving my credit card. You have no idea what's really going on out there, do you? I strongly suggest you check out some security websites. And not vendors' ones. Go to CERT or Dark Reading. Anything. Please.


YOU: Once a computer has a virus, it is theoretically possible for it to infect or more likely disrupt other computers on the local network. Even transmitting an infection across the local network would be difficult, as there simply are not many avenues to push a file to another computer on the network and execute it.

ME: No offense, but: ever hear of Windows, that massive security breach masquerading as an OS? And what do you mean "theoretically"? It's in practice and constantly in the tech news. What rock are you living under?

YOU: Routing ALL client traffic over a VPN connection
A) does nothing to secure the VPN host network

ME: False. Nothing? It does NOTHING to secure the host network? Come on. Is it perfect? No. But it's a whole lot better than nothing.

YOU: B) increases the load on the VPN tunnel. Even if browsing is not allowed over the connection, you still have the requests floating that must be denied.

ME: Companies concerned with the security enough to configure a forced vpn are not likely to care about the overhead of denying requests.

YOU: C) may provide a false sense of security.

ME: Gee, what a good reason to not force all traffic over a vpn.


YOU: The other idea behind forcing all network traffic over the VPN is to monitor employee activity. This is also useless, as it is possible (as was pointed out earlier) to connect from one computer and surf on another. For that matter, one could have the TV on, be chatting on the phone, or any other number activies that is not productive. At the end of the day, it does nothing more than increase bandwidth usage and create ill will.

ME: To monitor employee activity over a company owned asset on which illegal/questionable activity could make the company legally liable. I doubt many companies are relying solely on monitoring an employee’s activity to gauge productiveness.



I'm sorry if you end up offended by my answer to your rant, but you are so incorrect in your statement of facts that it boggles the mind. I have to wonder if you actually put this out as a troll, but I'm willing to take the risk of answering. Please go do a little research and get a handle on the risks that exist TODAY.
 
A VM is really the only way you are going to get around this. And I have to say that I found mkwood's rant mostly inaccurate also.
 
How do I browse internet from my laptop (WinXP) after I disconnect from Corporate VPN.

It seems that after I installed my company VPN software (including Tunnel Guard, Net Integrity Client & VPN Client) my internet access is disabled.

I need to connect to the VPN and then browse internet using company gateway.

After I disconnect from the VPN, I cannot browse the internet, but the following is true:
I am connected to a wireless broadband router with a valid IP
I can ping the default gateway on the wireless router
I can ping the names of web sites, for example, but cannot browse using any browser

I know it is possible but I have not been able to get any solution after an extensive web search for the last 10 days.

Some guys are doing this....

Can anyone help?

mak
 