Enforcing split-tunnel-only access

George-Sl
Level 1

If my firewall can route to a certain subnet that I haven't included in my split tunnel, any authorized user can add that route via the OpenConnect Linux app and get into my network. How can we enforce that only the split-tunnel ACL subnets can be reached?

Thanks

5 Replies

Hi @George-Sl 

Yes, you could use an ACL or a VPN filter to enforce which destination networks the RA VPN users can communicate with.

https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html

HTH

Marvin Rhoads
Hall of Fame

I have always looked at split tunnel to restrict remote access as problematic. For instance, what is to stop the remote user from accessing an authorized computer on your network and then using it as a "jump box" or relay to access other internal systems not in the split tunnel?

I mean, of course there's no such thing as 100% secure, but I mistakenly thought that split tunnel also acts as an ACL, or in other words, that it's not just client side, it's server side.

VPN is pretty open, though; you usually give VPN access to someone you already have some level of trust with. But you can't stop your network (depends on the network, of course) from e.g. opening ports like 443 to the public; a major example is www.google.com.

That's the Google web server (directly or indirectly) handed to everyone right there. All you need to do is find a 0-day exploit (public, or one you made yourself) that sends your shellcode and exploit and does a reverse shell with a payload, which is a callback home while you're listening on that port, and you will gain some level of access to the system, or in some cases higher than administrator. Boom! You open the socket, you open your doors!

E.g. Google uses a proprietary operating system; since you don't have access to the code, unlike Cisco IOS or Windows or Linux, you can't practice at home to find a breach, but there are people out there who can guess the program/OS architecture remotely... and exploit the system...

A competent hacker can breach anything he wants, which has left me wondering about Coinbase, which is available to the public. I guess you can hack it but you don't have to tell anyone, lol, so I am sure there are people who have access to their system!!

George-Sl
Level 1

access-list SPLIT_TUNNEL xyz

group-policy {anyconnect_policy} attributes
   vpn-filter value SPLIT_TUNNEL
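Putting the first reply's advice and the vpn-filter snippet above into one complete picture: the following is an added ASA configuration fragment written for this page, not taken from the original posts or from Cisco's documentation. It assumes a client address pool of 10.200.0.0/24, an internal subnet 10.10.10.0/24 that remote users may reach, and a second subnet 10.10.20.0/24 that the firewall can route to but that is deliberately not in the split tunnel; the pool, ACL, group-policy and tunnel-group names are invented for the example. The point it shows is the split between the two ACLs: `split-tunnel-network-list` is a standard ACL that only tells the client which routes to install, so a user who adds a route by hand (for instance with OpenConnect) bypasses it, whereas `vpn-filter` is an extended ACL the ASA applies to every packet leaving the tunnel, written with the VPN client (pool) address as the source.

```cisco
! Added example, not from the thread. Names and addresses are assumed.
ip local pool RAVPN_POOL 10.200.0.1-10.200.0.254 mask 255.255.255.0

! Client-side only: tells AnyConnect/OpenConnect which destinations go into the tunnel.
! A user who installs an extra route on the client bypasses this list.
access-list SPLIT_TUNNEL standard permit 10.10.10.0 255.255.255.0

! Server-side: enforced by the ASA after decryption, for every packet from the tunnel.
! vpn-filter ACEs use the client (pool) address as source and the inside network as destination.
access-list RAVPN_FILTER extended permit tcp 10.200.0.0 255.255.255.0 10.10.10.0 255.255.255.0 eq 443
access-list RAVPN_FILTER extended permit icmp 10.200.0.0 255.255.255.0 10.10.10.0 255.255.255.0
! Anything else, including 10.10.20.0/24, hits the ACL's implicit deny.

group-policy RAVPN_GP internal
group-policy RAVPN_GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 vpn-filter value RAVPN_FILTER

tunnel-group RAVPN_TG type remote-access
tunnel-group RAVPN_TG general-attributes
 address-pool RAVPN_POOL
 default-group-policy RAVPN_GP
```

To check that the filter is actually attached, `show vpn-sessiondb detail anyconnect` lists the filter name per session, and `show access-list RAVPN_FILTER` shows hit counts climbing when a client tries 10.10.20.0/24 and is denied. Two caveats from Cisco's vpn-filter document apply here: the filter is evaluated bidirectionally, so an entry with `eq 443` also lets the inside host initiate a connection to the client from source port 443 (keep port matches to what you need), and a vpn-filter ACL should not also be used as an interface `access-group`.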

George-Sl
Level 1

Just a disclaimer: the Cisco AnyConnect Mobility Client binary uses the function CHostConfigMgr::StartInterfaceAndRouteMonitoring(), which monitors the routing table for any modifications, so as long as the user runs the Cisco client he can't add any new routes, but with OpenConnect they can, which you can also prevent by using vpn-filter as demonstrated.
