Re: Controlling Internet access at the VPN client

ekalem · ‎01-10-2001

Here's the scenarion:

Say I implement a VPN solution, and I have remote users VPN'ing into my VPN server through the Internet. Is there a practical way of protecting the remote end from being compromised? I'm worried that if the remote end is compromised, the hacker/cracker has a free for all through the VPN link to my corporate network? I'm looking for something other that standard policies and practices and/or a firewall at the remote end.

jomccloud · ‎01-13-2001

You have a couple options here. First, I recommend leaving the default configuration of split-tunneling OFF. Split-tunneling allows a user to have direct Internet access concurrent with VPN access. For secure installations keeping split-tunneling OFF ensures that the remote workstation is inaccessible to Internet probing or compromise during the VPN session. If split-tunneling is enabled, the remote workstation should use a personal firewall such as Zone Alarm (free third-party software - http://www.zonealarm.com). In fact, split-tunneling or not, the remote user should have both personal firewall and anti-virus software.

A more secure solution will be to use the forthcoming PIX 501 personal firewall/VPN device. Pricing on the PIX 501 is not yet available for public consumption, but it will be cost-effective for the home and small-office user. The PIX 501 features a four-port 10/100 switch with traditional PIX firewalling capabilities and VPN support. The PIX 501 can initiate a VPN tunnel based on destination network address and supports centralized managment and administration. This, I believe, is the most secure and flexible solution.

Without a dedicated, hardware device such as the PIX 501, I would recommend using personal firewall and anti-virus software with an NT login script to confirm proper installation, configuraition, and operation of the software.

ekalem · ‎01-16-2001

Thanks. Is the split-tunneling part of the VPN client? We have an Intraport 2+ does this client have it?

jomccloud · ‎01-28-2001

Split-tunneling is not part of the Cisco VPN 3000 client per-se. The VPN 3000 client receives all policy configurations from the the VPN 3000 concentrator during login and protocol negotiation.

To enable split-tunneling for the client, the administrator defines a network access-list on the VPN 3000 concentrator. The network access-list specifies a list of destination networks to use for the vpn tunnel, implying that all un-specified destination networks bypass the vpn tunnel. This access-list is pushed to the client during the initial connection negotiation - ergo the client has no locally configurable option for specifying the split tunnel. The VPN 3000 client is designed to reduce remote administration tasks through centralized policy configuraiton and managment.

I'm not familiar with the Intraport client, however, the VPN 3000 client is free with the VPN 3000 concentrator (i.e. no per client licensing fees). Additionally, with the latest, or shortly forthcoming, releases of PIX OS and IOS, the VPN 3000 client is positioned as our unified client for initiating VPN sessions with Cisco router and PIX firewall products (in addition to the VPN 3000 concentrator series).

How are you currently providing VPN services? What head-end device are you using?