04-22-2005 06:20 PM - edited 03-09-2019 11:02 AM
I'm just wondering if anyone can provide any real world examples or scenarios where one can exploit a split tunneling VPN deployment. We've had many requests from some of our vendors' tech support that they require split tunneling in order to access their own resources while they are supporting us.
I understand that when split tunneling is enabled, the client has a 'backdoor' open which can then be used to access the secure network, but I'm not sure what sort of things can actually take advantage of that security hole.
I was thinking of forcing the integrated Cisco firewall to be on and setting the filter to outbound only which basically prevents inbound access to the host as far as I can tell.
Is this enough? Is it possible for someone to turn off the integrated firewall?
I'm more than willing to do some reading, but I haven't found anything specific.
I'd appreciate summaries as well. ;)
Thanks,
Lelio
04-28-2005 06:32 AM
When you enable split tunneling it only sends a certain amount of traffic down the tunnel. The rest of it stays on the Local LAN. Theoretically speaking, if a person could hack into the computer and gain virtual access to it, they could gain access to your network. They would have to have a virtual desktop up that could launch applications and use it from that computer. Technically speaking there would be a slim chance to none that this would ever happen.
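To make the "some traffic down the tunnel, the rest on the local LAN" description concrete, here is an added example (not code from this thread or from the Cisco VPN client) that reads a simplified routing table and reports which interface carries corporate-bound versus Internet-bound traffic, and whether the table represents a split tunnel. The tables, the addresses, and the "VPN"/"LAN" labels are constructed for the example; on a real client you would feed it the output of `route print` or `netstat -rn` instead.

```python
# Added example (not from the thread): decide from a client's routing table
# which destinations ride the VPN tunnel and which stay on the local LAN.
# Interface labels "VPN"/"LAN" and the sample addresses are constructed.
import ipaddress

# Constructed, simplified "route print"-style tables:
# destination  netmask  gateway  interface-address  label
SPLIT_TUNNEL_ROUTES = """\
0.0.0.0       0.0.0.0        192.168.1.1   192.168.1.50   LAN
10.0.0.0      255.0.0.0      10.10.10.1    10.10.10.50    VPN
192.168.1.0   255.255.255.0  On-link       192.168.1.50   LAN
"""

FULL_TUNNEL_ROUTES = """\
0.0.0.0       0.0.0.0        10.10.10.1    10.10.10.50    VPN
192.168.1.0   255.255.255.0  On-link       192.168.1.50   LAN
"""


def parse_routes(text):
    """Return a list of (network, gateway, interface_label) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip headers or blank lines
        dest, mask, gateway, _iface_addr, label = parts
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append((net, gateway, label))
    return routes


def interface_for(routes, dest):
    """Longest-prefix match: which interface carries traffic to dest."""
    addr = ipaddress.IPv4Address(dest)
    best = None
    for net, _gw, label in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, label)
    return best[1] if best else None


def is_split_tunnel(routes, vpn_label="VPN"):
    """Split tunneling: the default route (/0) leaves via a non-VPN interface
    while some more specific prefix is routed into the tunnel."""
    default_via_vpn = any(net.prefixlen == 0 and label == vpn_label
                          for net, _gw, label in routes)
    specific_via_vpn = any(net.prefixlen > 0 and label == vpn_label
                           for net, _gw, label in routes)
    return specific_via_vpn and not default_via_vpn


def summarize(text, corp_host="10.20.30.40", internet_host="203.0.113.10"):
    """Report where corporate and Internet-bound traffic go for a given table."""
    routes = parse_routes(text)
    return {
        "split_tunnel": is_split_tunnel(routes),
        "corp_via": interface_for(routes, corp_host),
        "internet_via": interface_for(routes, internet_host),
    }


if __name__ == "__main__":
    print("split tunnel :", summarize(SPLIT_TUNNEL_ROUTES))
    print("full tunnel  :", summarize(FULL_TUNNEL_ROUTES))
```

With the split-tunnel table, corporate traffic (10.0.0.0/8) goes to the VPN interface while the default route, and so all Internet browsing, stays on the LAN; with the full-tunnel table both go through the VPN. That second path is the one the thread is worried about: whatever reaches the host over the LAN side shares a machine with an open route into the corporate network.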
04-29-2005 01:15 PM
You mention the possibility that a hacker might gain control of a computer and if it had VPN with split tunnel he would have a path directly into the main network, bypassing any firewall protection on the main network. While this is very alarming I think there is another risk that needs to be evaluated. If a computer has a VPN connection into the network and has enabled split tunneling there is a danger that while surfing the Internet they might become infected with some virus. With the VPN connection the virus can then propagate onto the main network bypassing the protections provided by the corporate firewalls.
Trying to enforce strong and frequently updated firewalls and virus protection is especially important in any network that will permit split tunneling.
HTH
Rick
05-02-2005 08:05 AM
The vpn client has a built-in firewall. It says always connected....but there needs to be a check mark for it to be turned on. This firewall will prevent anyone from getting into your computer while the vpn is connected. In fact, this firewall is on even if you are not using the vpn client. By clicking on it and removing the check mark....you can turn it off.
I believe that the firewall makes split-tunnelling safe. As far as viruses getting into your laptop....you always have that danger even if you never installed a vpn client on your computer. You should have virus software on your computer.
Some security psychos are extremely upset about using split-tunnelling. Let's see, you have a firewall preventing outsiders from originating connections into your computer....isn't that safe?
Cheers,
Jim
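The two positions in the thread so far (Rick's concern about an infected host, Jim's "outsiders can't originate connections" argument) are easiest to compare with a small model. The following is an added example, not code from the thread and not a model of the actual Cisco client firewall; it implements the generic "permit outbound, track state, drop unsolicited inbound" policy Jim describes and runs a constructed sequence of packets through it. All hosts, ports and the scenario itself are constructed.

```python
# Added example (not from the thread): a toy model of the "outbound only"
# stateful client firewall discussed above. All hosts and ports are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = leaves the VPN client host, "in" = arrives at it
    src: str
    sport: int
    dst: str
    dport: int


class OutboundOnlyFirewall:
    """Permit anything the host initiates, track it, and admit only inbound
    packets that belong to a tracked connection."""

    def __init__(self):
        self.connections = set()  # (local_ip, local_port, remote_ip, remote_port)

    def filter(self, pkt):
        if pkt.direction == "out":
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        # Inbound: allowed only as a reply to a connection the host opened.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ALLOW" if key in self.connections else "DROP"


CLIENT = "192.168.1.50"       # VPN client's LAN address (constructed)
WEB = "203.0.113.10"          # some Internet web server (constructed)
SCANNER = "203.0.113.99"      # unsolicited Internet host (constructed)
CORP_SERVER = "10.20.30.40"   # server reached through the tunnel (constructed)

SCENARIO = [
    # 1. User browses the web: host-initiated, allowed and tracked.
    Packet("out", CLIENT, 50000, WEB, 80),
    # 2. Reply from the web server: matches a tracked connection, allowed.
    Packet("in", WEB, 80, CLIENT, 50000),
    # 3. Unsolicited inbound connection attempt: no state, dropped.
    Packet("in", SCANNER, 40000, CLIENT, 445),
    # 4. Something already running on the host opens a connection into the
    #    corporate network over the tunnel: host-initiated, so the policy allows it.
    Packet("out", CLIENT, 50001, CORP_SERVER, 445),
]


def run_scenario(packets=SCENARIO):
    """Return the firewall verdict for each packet, in order."""
    fw = OutboundOnlyFirewall()
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SCENARIO, run_scenario()):
        print(f"{verdict:5} {pkt.direction:3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

Packet 3 is the case Jim's argument covers: the filter drops it. Packet 4 is Rick's case: the firewall only looks at who initiated the connection, so anything already executing on the host (a virus picked up while browsing on the LAN side) is treated exactly like the user and reaches the corporate network through the tunnel. That is why the thread's suggestion to pair the client firewall with current antivirus and patching is the part that addresses the remaining risk.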
05-02-2005 10:03 AM
As far as I can tell, there are two firewalls in the VPN client, there is the 'stateful firewall (always on)' and the integrated firewall. Now, they both function similarly, but one is turned on by the checkmark as you suggest and the other is turned on by a firewall rule in the group settings. It's been explained to me that they're two different things, but for all I know, they're the same thing just turned on different ways. I can tell you however, that with the stateful firewall (always on) unchecked and the integrated firewall option enabled/required, the firewall works as expected.
05-04-2005 05:26 AM
This is interesting. As an experiment, you should install the vpn client on your computer at home or work. If you have the stateful firewall checked...you cannot ping your computer. At my workplace, they back up individual directories on each workstation (no file server is used). With the stateful firewall checked, the backup does not occur. If you uncheck it (turn it off) then backups do occur, you can ping the workstation.
If there is a second firewall that is truly on...then it isn't working because the backups, etc. can happen only when there is no checkmark...and if there is a checkmark...the backups don't occur.
Perhaps there is a different issue if you are using one of the VPN 3000s, that you can set up policies that result in the VPN client firewall behaving differently than it normally would if using a VPN client to PIX VPN connection. I am curious enough to contact TAC to find out about this. I wish I could be of more help.
Jim
05-04-2005 06:17 AM
I'm pretty sure I did that, I'll have to try it again to remember the outcome though. The second, integrated firewall is not an 'always on' firewall like the one available with the options menu - it's only turned on when the client connects and the firewall policy requires it.
We're using a 3005, which allows me to turn the integrated firewall on.
I'm pretty sure with the options firewall unchecked and the client not connected I could ping, but with the firewall unchecked and the client connected to the 3005 with the integrated firewall option required I could not ping.
I'll try to remember to test this afternoon and post.