George-Sl
Beginner

Enforcing the Split-tunnel only access

If my firewall can route to a certain subnet that I haven't included in my split tunnel, any authorized user can add that route via the OpenConnect Linux app and get into my network. How can we enforce that only the split-tunnel ACL subnets can get in?


Thanks

5 REPLIES
Rob Ingram
VIP Mentor

Hi @George-Sl 

Yes, you could use an ACL or use VPN Filter to enforce which destination networks the RAVPN users can communicate with.

https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html

HTH


Marvin Rhoads
VIP Community Legend

I have always looked at split tunnel to restrict remote access as problematic. For instance, what is to stop the remote user from accessing an authorized computer on your network and then using it as a "jump box" or relay to access other internal systems not in the split tunnel?


I mean, of course we don't have such a thing as 100% secure, but I mistakenly thought split tunnel also acts as an ACL, or in other words that it's not just client side, it's server side.

VPN is pretty open though; you usually give VPN to someone you already have some level of trust with, but you can't stop your network (depends on the network, of course) from e.g. opening ports like 443 to the public. Major example: www.google.com.

That's the Google web server (directly or indirectly) handed to everyone right there. All you need to do is find a 0-day exploit (public or one you made yourself) that sends your shellcode and exploit and does a reverse shell with a payload, which is a call back home while you're listening on that port, and you will gain some level of access to the system, or in some cases higher than administrator. Boom! You open the socket, you open your doors!

E.g. Google uses a proprietary operating system; since you don't have access to the code, unlike Cisco IOS or Windows or Linux, you can't practice at home to find a breach, but there are people out there who can guess the program/OS architecture remotely... and exploit the system...

A competent hacker can breach anything he wants, which has left me wondering about Coinbase, which is available to the public. I guess you can hack but you don't have to tell anyone, lol, so there are people who have access to their system, I am sure!!

George-Sl
Beginner

! Split-tunnel ACL; "xyz" stands for the ACEs (the permitted destination subnets)
access-list SPLIT_TUNNEL xyz

! Apply the same ACL as the server-side vpn-filter on the AnyConnect group policy
! ({anyconnect_policy} is the name of your group policy)
group-policy {anyconnect_policy} attributes
   vpn-filter value SPLIT_TUNNEL


George-Sl
Beginner

Just a disclaimer: the Cisco AnyConnect Mobility Client binary uses the function CHostConfigMgr::StartInterfaceAndRouteMonitoring(), which monitors the routing table for any modifications, so as long as the user runs the Cisco client he can't add any new routes. With OpenConnect they can, which you can also prevent by using vpn-filter as demonstrated.

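The thread's point is that a split-tunnel list is only a routing hint pushed to the client, while a vpn-filter is what the ASA actually enforces. The following Python audit script is an added example written for this thread; it is not Cisco's code nor anything posted above. It parses an ASA-style running config and flags every group policy that relies on split tunneling without a vpn-filter, as well as vpn-filters that point at an undefined ACL or at a standard ACL (the ASA vpn-filter expects an extended ACL). The config text, policy names and ACL names embedded in it are constructed placeholders, not taken from the thread.

```python
"""Audit ASA-style config: is each remote-access group policy's destination
restriction enforced server-side (vpn-filter) or only hinted client-side
(split-tunnel-network-list)?  Added example for this thread, not Cisco code."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed sample config (placeholder names). Three policies:
#  - SPLIT_ONLY   : split tunnel only, nothing enforced on the ASA
#  - FILTERED     : split tunnel plus an extended ACL as vpn-filter (correct)
#  - BAD_FILTER   : vpn-filter points at the standard split-tunnel ACL
SAMPLE_CONFIG = """\
access-list SPLIT_TUNNEL standard permit 10.10.10.0 255.255.255.0
access-list RAVPN_FILTER extended permit ip any 10.10.10.0 255.255.255.0
access-list RAVPN_FILTER extended deny ip any any
group-policy ANYCONNECT_SPLIT_ONLY internal
group-policy ANYCONNECT_SPLIT_ONLY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
group-policy ANYCONNECT_FILTERED internal
group-policy ANYCONNECT_FILTERED attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 vpn-filter value RAVPN_FILTER
group-policy ANYCONNECT_BAD_FILTER internal
group-policy ANYCONNECT_BAD_FILTER attributes
 split-tunnel-network-list value SPLIT_TUNNEL
 vpn-filter value SPLIT_TUNNEL
"""


@dataclass
class GroupPolicy:
    name: str
    split_tunnel_list: Optional[str] = None
    vpn_filter: Optional[str] = None


def parse_config(text: str) -> Tuple[Dict[str, Set[str]], Dict[str, GroupPolicy]]:
    """Collect ACL names with their types and the group-policy attributes we care about."""
    acl_types: Dict[str, Set[str]] = {}
    policies: Dict[str, GroupPolicy] = {}
    current: Optional[GroupPolicy] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"access-list\s+(\S+)\s+(standard|extended)\b", line)
        if m:
            acl_types.setdefault(m.group(1), set()).add(m.group(2))
            current = None
            continue
        m = re.match(r"group-policy\s+(\S+)\s+attributes$", line)
        if m:
            current = policies.setdefault(m.group(1), GroupPolicy(m.group(1)))
            continue
        if line.startswith(" ") and current is not None:
            # indented lines belong to the open "group-policy ... attributes" block
            m = re.match(r"\s+split-tunnel-network-list\s+value\s+(\S+)", line)
            if m:
                current.split_tunnel_list = m.group(1)
                continue
            m = re.match(r"\s+vpn-filter\s+value\s+(\S+)", line)
            if m:
                current.vpn_filter = m.group(1)
            continue
        current = None  # any other top-level line closes the attributes block
    return acl_types, policies


def audit(text: str) -> Dict[str, list]:
    """Return {policy: [findings]}; an empty list means destinations are enforced on the ASA."""
    acl_types, policies = parse_config(text)
    findings: Dict[str, list] = {}
    for name, gp in policies.items():
        issues = []
        if gp.vpn_filter is None:
            if gp.split_tunnel_list is not None:
                issues.append("split-tunnel list without vpn-filter: routes are only a "
                              "client-side hint, any subnet the ASA can route to is reachable")
            else:
                issues.append("no vpn-filter: no server-side destination restriction")
        else:
            types = acl_types.get(gp.vpn_filter)
            if not types:
                issues.append(f"vpn-filter references undefined ACL {gp.vpn_filter}")
            elif "extended" not in types:
                issues.append(f"vpn-filter ACL {gp.vpn_filter} is a standard ACL; "
                              "vpn-filter expects an extended ACL")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for policy, issues in audit(SAMPLE_CONFIG).items():
        print(policy, "OK" if not issues else "; ".join(issues))
```

Run it against a real `show running-config` dump instead of `SAMPLE_CONFIG` to list every AnyConnect policy where a user running OpenConnect could add a route the ASA would happily forward.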
