For those who are not familiar with split tunneling, the
issue with split tunneling is that your vpnclient is also
exposing itself to the Internet (unless you're also behind
a corporate firewall or personal firewall) so that someone
on the internet can potentially take over the vpnclient
machine and use that machine as a conduit to the corporate
network. That's why most people prefer to disable split
tunneling, which is disabled by default on Cisco PIX. If you
want people to have web browsing, I suggest that you go
with a proxy server (i.e. squid or ISA). Enabling split
tunneling, IMHO, is a bad idea.

If your policy is locked down at the FW, split tunneling can be good. It stops unnecessary traffic (virus, spyware, adware and web if you want that). It also keeps your bandwidth down to a minimum.
Most machines have personal FWs, and that should be corporate policy if allowing users to VPN in, along with having antivirus.
As always, the more granular you are with your policy the better off you will be when the @@@#$$@% hits the fan.
Many large companies utilize split tunneling. Having 2000+ users with all of their web traffic coming through on top of the VPN traffic is in most cases undesirable. This may not be an issue with smaller companies.