<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Split tunneling challenges in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/split-tunneling-challenges/m-p/2527438#M234962</link>
    <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;We have a requirement that remote users want to use corporate applications like file servers etc., and at the same time they also want to use the internet on their systems.&lt;/P&gt;&lt;P&gt;What are the options available on the firewall to configure this?&lt;/P&gt;&lt;P&gt;What kind of security threats and vulnerability challenges will there be if users access applications and the internet at the same time?&lt;/P&gt;&lt;P&gt;If possible, please provide a solution with explanation.&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;Rajat&lt;/P&gt;</description>
    <pubDate>Tue, 12 Mar 2019 04:44:03 GMT</pubDate>
    <dc:creator>r.kukreja</dc:creator>
    <dc:date>2019-03-12T04:44:03Z</dc:date>
    <item>
      <title>Split tunneling challenges</title>
      <link>https://community.cisco.com/t5/network-security/split-tunneling-challenges/m-p/2527438#M234962</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;We have a requirement that remote users want to use corporate applications like file servers etc., and at the same time they also want to use the internet on their systems.&lt;/P&gt;&lt;P&gt;What are the options available on the firewall to configure this?&lt;/P&gt;&lt;P&gt;What kind of security threats and vulnerability challenges will there be if users access applications and the internet at the same time?&lt;/P&gt;&lt;P&gt;If possible, please provide a solution with explanation.&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;Rajat&lt;/P&gt;</description>
      <pubDate>Tue, 12 Mar 2019 04:44:03 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/split-tunneling-challenges/m-p/2527438#M234962</guid>
      <dc:creator>r.kukreja</dc:creator>
      <dc:date>2019-03-12T04:44:03Z</dc:date>
    </item>
    <item>
      <title>In general: If the client can</title>
      <link>https://community.cisco.com/t5/network-security/split-tunneling-challenges/m-p/2527439#M234964</link>
      <description>&lt;P&gt;In general: If the client can directly communicate with the internet, it's easier for an attacker to use that PC as a jump-point into the network or to compromise the client. The typical solutions to give VPN clients internet access are:&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;Place a proxy server in your internal network and reconfigure the proxy settings of the client to use this proxy. This reconfiguration can be done automatically, controlled by the ASA. This is my favorite solution for company employees. Optionally the proxy could scan the traffic for internet threats like malware.&lt;/LI&gt;&lt;LI&gt;If you can't or don't want to deploy a proxy, you can send all internet traffic straight back to the internet. For that you need a NAT rule (outside,outside) to do dynamic PAT for your VPN pool and you have to configure "same-security-traffic permit intra-interface". This is my second choice for company employees. With this, there is no malware scan unless you have a security module like CX in your firewall. Still, an internet attacker will not be able to initiate a bidirectional connection to the client. And you have central logging for client activity while they are connected to the VPN.&lt;/LI&gt;&lt;LI&gt;Configure split-tunneling. With that, you only send traffic that is for your company through the tunnel and all the rest is allowed directly from the client to the internet. This is the least secure solution. With a little misconfiguration of the client (like a disabled Windows firewall) the PC can be attacked by systems on the internet.&lt;/LI&gt;&lt;/OL&gt;</description>
      <pubDate>Wed, 10 Sep 2014 09:19:21 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/split-tunneling-challenges/m-p/2527439#M234964</guid>
      <dc:creator>Karsten Iwen</dc:creator>
      <dc:date>2014-09-10T09:19:21Z</dc:date>
    </item>
    <item>
      <title>Hi, In case if you have a</title>
      <link>https://community.cisco.com/t5/network-security/split-tunneling-challenges/m-p/2527440#M234966</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;In case you have sufficient bandwidth available in your office network, go with tunnel all and make everything go via your office network, so that you can keep track of the internet. Otherwise, another option is to go with split-tunnel for your VPN: only the office LAN network will flow through the VPN and the rest will flow through their local gateway. This means all traffic related to the office LAN, whatever you have in the internal LAN or VPN ACL, will be routed to the VPN gateway, and all other (0.0.0.0) routes will go via the local gateway of the end user's ISP.&lt;/P&gt;&lt;P&gt;If you take things via the office network, you can limit / block access to unnecessary ports or protocols. You can keep the content filtering / proxy servers in the inside LAN to block blacklisted sites or malware sites.&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;Karthik&lt;/P&gt;</description>
      <pubDate>Wed, 10 Sep 2014 11:30:46 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/split-tunneling-challenges/m-p/2527440#M234966</guid>
      <dc:creator>nkarthikeyan</dc:creator>
      <dc:date>2014-09-10T11:30:46Z</dc:date>
    </item>
    <item>
      <title>hi karsten, can you elaborate</title>
      <link>https://community.cisco.com/t5/network-security/split-tunneling-challenges/m-p/2527441#M234967</link>
      <description>&lt;P&gt;Hi Karsten,&lt;/P&gt;&lt;P&gt;Can you elaborate a little bit more on the first and second solutions? Please share any practical scenario or any implementation guide if you have one. Looking forward to your valuable thoughts and suggestions.&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;Rajat&lt;/P&gt;</description>
      <pubDate>Wed, 10 Sep 2014 14:10:26 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/split-tunneling-challenges/m-p/2527441#M234967</guid>
      <dc:creator>r.kukreja</dc:creator>
      <dc:date>2014-09-10T14:10:26Z</dc:date>
    </item>
    <item>
      <title>hi, can any body provide</title>
      <link>https://community.cisco.com/t5/network-security/split-tunneling-challenges/m-p/2527442#M234968</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;Can anybody provide a split tunneling example on ASA version 9.1?&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;Rajat&lt;/P&gt;</description>
      <pubDate>Thu, 11 Sep 2014 06:07:33 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/split-tunneling-challenges/m-p/2527442#M234968</guid>
      <dc:creator>r.kukreja</dc:creator>
      <dc:date>2014-09-11T06:07:33Z</dc:date>
    </item>
    <item>
      <title>Hi Rajat,You can refer the</title>
      <link>https://community.cisco.com/t5/network-security/split-tunneling-challenges/m-p/2527443#M234969</link>
      <description>&lt;P&gt;Hi Rajat,&lt;/P&gt;&lt;P&gt;You can refer to the link below for a config example with explanation.&lt;/P&gt;&lt;P&gt;http://www.petenetlive.com/KB/Article/0000943.htm&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;Karthik&lt;/P&gt;</description>
      <pubDate>Thu, 11 Sep 2014 06:18:24 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/split-tunneling-challenges/m-p/2527443#M234969</guid>
      <dc:creator>nkarthikeyan</dc:creator>
      <dc:date>2014-09-11T06:18:24Z</dc:date>
    </item>
  </channel>
</rss>

