Allow Local LAN Access - Security Concerns?

NelPereira_2
Level 1

I started researching why our users at a remote office (not connected via a site-to-site link) were unable to print to their network printer even though the Allow Local LAN Access tick box on the Cisco VPN Client was checked.

This brought me to the following document on the Cisco site:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702992.shtml
Having seen this feature enabled and working at much larger organizations I have some questions:

  • This solution appears to differ from a true split tunneling scenario, and unencrypted traffic is sent to and received from only the internal LAN. Given that this is the case, is there really a need for concern?
  • Each PC at this remote office is managed and contains a fully updated antivirus software package. Wouldn't this prevent any concerns originating from the PC itself? Wouldn't this eliminate the fear that this PC might act as a relay for any nasties?
  • If the PC was infected, how would it act as a relay? Wouldn't it pose a threat regardless of whether Allow Local LAN Access was enabled or not? After all, we would still be able to tunnel through.
  • Is there a concern that a hacker might be able to hack this computer internally and use the local LAN access to their advantage?

Looking to understand why this is not a good idea.

Accepted Solution

Richard Burts
Hall of Fame

Nelson

Most of your questions seem to derive from the assumption that Allow Local LAN Access is not a good thing. I would not necessarily agree with that assumption.

Clearly the default behavior is to not allow Local LAN Access. I believe that this is an appropriate default behavior since it puts the VPN client into the most secure position. But depending on the situation in your organization it may very well be a good thing to allow Local LAN Access.

I will suggest these points in response to the specific questions that you ask:

- Yes this is different from true split tunneling. I believe that the level of concern may not be zero, but it is a pretty small concern.

- while having a fully updated antivirus software does reduce the possibility of the PC being compromised it does not entirely eliminate that possibility.

- it is true that the PC could already be compromised/infected and would pose a threat. Allowing Local LAN Access presents a very small increase in risk that the PC could be compromised while online.

- there is a very small risk that a hacker could compromise some other device on the Local LAN and from that machine might compromise the PC with the VPN client while it was online.

If your company is in an environment that requires a VERY high level of security implementation (perhaps Health Care or Financial Services come to mind) then maybe you would be concerned about the risk involved in Allow Local LAN Access. For most of us the risk is negligible.

HTH

Rick


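The following Python model is an added illustration for this page; it is not code from the thread, from Cisco, or from the ASA, and it does not talk to a head end or a VPN Client. It makes the distinction Rick draws concrete: under Allow Local LAN Access only the subnet the adapter is directly connected to bypasses the tunnel, and only when both the head end pushes the exclusion and the client-side box is ticked (the original poster's symptom is the ticked-box, tunnelall-head-end row); under true split tunnelling everything not on the include list, the Internet included, goes out in the clear. The policy names ("tunnelall", "exclude_local_lan", "tunnel_specified"), the sample addresses, and the helper functions are all constructed for this example and do not mirror ASA command syntax. It also adds the one pre-deployment check a practitioner would want: whether the remote office's address space overlaps a corporate network.

```python
"""Illustrative model of which traffic leaves a VPN client unencrypted.

Added for this page as an example; it is not Cisco code and does not talk
to an ASA or to the VPN Client.  The policy names, sample addresses and
helper functions are constructed here and do not mirror ASA command syntax.
"""
import ipaddress

TUNNEL = "tunnel"   # sent encrypted through the IPsec tunnel
CLEAR = "clear"     # sent unencrypted out of the physical adapter


def path_for(dst, local_subnet, head_end_policy, allow_local_lan=False,
             include_list=()):
    """Decide whether traffic to dst is tunnelled or sent in the clear.

    head_end_policy (constructed names, not ASA keywords):
      "tunnelall"          everything goes through the tunnel (the default).
      "exclude_local_lan"  the Allow Local LAN Access case from the thread:
                           only the subnet the adapter is directly connected
                           to bypasses the tunnel, and only when the
                           client-side tick box is also set.
      "tunnel_specified"   true split tunnelling: only include_list networks
                           are tunnelled; the Internet and anything else
                           go out in the clear regardless of the tick box.
    """
    dst = ipaddress.ip_address(dst)
    local = ipaddress.ip_network(local_subnet, strict=False)

    if head_end_policy == "tunnelall":
        return TUNNEL
    if head_end_policy == "exclude_local_lan":
        # Both ends must agree.  The original poster's symptom (box ticked,
        # printer still unreachable) is the case where the head end was
        # still pushing tunnelall, so the box alone changed nothing.
        if allow_local_lan and dst in local:
            return CLEAR
        return TUNNEL
    if head_end_policy == "tunnel_specified":
        for net in include_list:
            if dst in ipaddress.ip_network(net, strict=False):
                return TUNNEL
        return CLEAR
    raise ValueError(f"unknown head-end policy {head_end_policy!r}")


# Constructed sample destinations, not taken from the thread.
SAMPLE_DESTINATIONS = {
    "local_printer": "192.168.1.50",   # printer on the remote-office LAN
    "corp_fileserver": "10.10.0.5",    # host behind the VPN head end
    "internet_host": "203.0.113.7",    # TEST-NET-3, stands in for the Internet
}


def exposure(local_subnet, head_end_policy, allow_local_lan=False,
             include_list=()):
    """Return {label: "tunnel" | "clear"} for the sample destinations so the
    three policies can be compared side by side."""
    return {
        label: path_for(ip, local_subnet, head_end_policy,
                        allow_local_lan, include_list)
        for label, ip in SAMPLE_DESTINATIONS.items()
    }


def local_subnet_overlaps_corporate(local_subnet, corporate_networks):
    """Practitioner check before enabling the feature: if the remote office
    uses the same address space as a corporate network, the local LAN
    exclusion wins for those addresses and the corporate hosts become
    unreachable while Allow Local LAN Access is on.  Returns the list of
    corporate networks that overlap (empty means safe to enable)."""
    local = ipaddress.ip_network(local_subnet, strict=False)
    return [
        str(net)
        for net in (ipaddress.ip_network(n, strict=False)
                    for n in corporate_networks)
        if local.overlaps(net)
    ]


if __name__ == "__main__":
    lan = "192.168.1.0/24"
    corp = ["10.10.0.0/16"]
    print("tunnelall:                 ", exposure(lan, "tunnelall"))
    print("local LAN access, unticked:", exposure(lan, "exclude_local_lan"))
    print("local LAN access, ticked:  ", exposure(lan, "exclude_local_lan", True))
    print("split tunnel (corp only):  ", exposure(lan, "tunnel_specified",
                                                  include_list=corp))
    print("overlap check:", local_subnet_overlaps_corporate("10.10.0.0/24", corp))
```

Reading the rows side by side shows why Rick rates the concern as small: the "exclude_local_lan" row sends only the printer in the clear while the Internet host still rides the tunnel, whereas the "tunnel_specified" row sends both the printer and the Internet host in the clear. The overlap check is the operational caveat: a remote office numbered inside the corporate range will lose those corporate hosts the moment the exclusion is active.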
3 Replies

manish arora
Level 6

Hi Nelson,

Whether split tunnelling is a good idea or not depends upon the security needs of the organization; I am sure financial/medical organizations need to take all steps they can to secure their edges.

Here's a good read on why split tunnelling is considered insecure:

http://www.isaserver.org/tutorials/2004fixipsectunnel.html

Manish

Thank you Richard.

When I originally presented this idea to my senior network engineer at work, he had a knee-jerk reaction of no. This in turn led me to question some Cisco documents I had read and sparked a bit of research. I wanted to understand why Cisco would allow this solution if it was understood to create such a security concern. I also consulted with someone who is a senior network engineer, and we came to the same exact conclusion you had described in your reply.

I understand now that if the organization does not have to follow strict regulatory compliance guidelines, then maybe we can trust the technology a bit more to do things like allow local LAN access. We could always leverage an IDS/IPS solution if security is still a major concern. While this is something I still can't implement at work, it will definitely be something to keep in mind for a future implementation.

Thanks again for your response!