04-16-2021 01:51 PM
If my firewall can route to a certain subnet that I haven't included in my split tunnel, any authorized user can add that route via the OpenConnect Linux app and get into my network. How can we enforce that only the split tunnel ACL subnets can get in?
Thanks
04-16-2021 02:04 PM
Hi @George-Sl
Yes, you could use an ACL or a VPN filter to enforce which destination networks the RAVPN users can communicate with.
HTH
04-18-2021 02:21 AM
I have always looked at split tunnel to restrict remote access as problematic. For instance, what is to stop the remote user from accessing an authorized computer on your network and then using it as a "jump box" or relay to access other internal systems not in the split tunnel?
04-18-2021 08:50 PM
I mean, of course there is no such thing as 100% secure, but I mistakenly thought split tunnel also acts as an ACL, or in other words that it's not just client side, it's server side.
VPN is pretty open though; you usually give VPN access to someone you already have some level of trust with, but you can't stop your network (depending on the network, of course) from e.g. opening ports like 443 to the public, major example www.google.com.
That's the Google web server (directly or indirectly) handed to everyone right there. All you need to do is find a 0-day exploit (public or one you made yourself) that sends your shellcode and exploit and does a reverse shell with a payload, which is a callback home while you're listening on that port, and you will gain some level of access to the system, or in some cases higher than administrator. Boom! You open the socket, you open your doors!
E.g. Google uses a proprietary operating system; since you don't have access to the code, unlike Cisco IOS or Windows or Linux, you can't practice at home to find a breach, but there are people out there who can guess the program/OS architecture remotely... and exploit the system...
A competent hacker can breach anything he wants, which has left me wondering about Coinbase, which is available to the public. I guess you can hack it but you don't have to tell anyone lol, so there are people who have access to their system, I am sure!!
04-21-2021 12:25 AM
access-list SPLIT_TUNNEL xyz
group-policy {anyconnect_policy} attributes
vpn-filter value SPLIT_TUNNEL
04-21-2021 12:31 AM - edited 04-21-2021 12:32 AM
Just a disclaimer: the Cisco AnyConnect Mobility Client binary uses the function CHostConfigMgr::StartInterfaceAndRouteMonitoring(), which monitors the routing table for any modifications, so as long as the user runs the Cisco client they can't add any new routes, but with OpenConnect they can, which you can also prevent by using vpn-filter as demonstrated.
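As an added illustration (not from this thread or from Cisco's own documentation), here is what the two halves look like side by side in ASA configuration: the split-tunnel list only tells the client which routes to install, while the vpn-filter is evaluated on the ASA for every decrypted packet, so a route added by hand on an OpenConnect host still ends at the implicit deny. The ACL names, the group-policy name, the 172.16.100.0/24 client pool and the internal subnets are made-up placeholders; the vpn-filter entries are written with the client pool as source and the internal network as destination, which is the direction the ASA expects for remote-access filters.

```text
! Client-side only: pushed to the client as routes, nothing is enforced here
access-list SPLIT_TUNNEL standard permit 10.10.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit 10.20.5.0 255.255.255.0

! Server-side enforcement: extended ACL applied to decrypted VPN traffic.
! Source = assigned client address (pool 172.16.100.0/24, placeholder),
! destination = the same internal subnets the split tunnel advertises.
access-list RAVPN_FILTER extended permit ip 172.16.100.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list RAVPN_FILTER extended permit ip 172.16.100.0 255.255.255.0 10.20.5.0 255.255.255.0
! Anything else (e.g. a subnet the client added a route for) hits the
! implicit deny at the end of RAVPN_FILTER and is logged as a drop.

ip local pool RAVPN_POOL 172.16.100.1-172.16.100.254 mask 255.255.255.0

group-policy RAVPN_GP internal
group-policy RAVPN_GP attributes
 address-pools value RAVPN_POOL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 vpn-filter value RAVPN_FILTER
```

By default `sysopt connection permit-vpn` is enabled, so decrypted VPN traffic bypasses the interface ACLs; the vpn-filter is the control that still applies to it, which is why the split-tunnel list alone never restricts anything.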