VPN usage

Hi,

Are VPNs intended to secure all the data streams going out of the client? If not, they should be able to differentiate between the connections that should be protected and sent to the VPN gateway and those that should be sent directly. In the protocol stack, the VPN at the client side sits at the IP layer. Several applications might be running in the client and they might be sending data to the destination nodes; will all the traffic be sent to the VPN gateway and then be relayed?

shar


On 9 Dec 2004 07:22:24 -0800, snipped-for-privacy@yahoo.com spoketh

It really depends. There are different ways of implementing VPNs.

  • Split tunneling - All non-VPN traffic is blocked.
  • Transparent tunneling - All traffic goes through the VPN connection, then through the corporate firewall to its intended destination (and back).
  • Don't care - VPN traffic is tunneled, regular traffic goes wherever it needs to go...

Lars M. Hansen


Hi Lars, thank you for your reply. What I don't get is, will I be able to configure which of the applications are to be integrated with the VPN (say in the "Don't care" VPN you have mentioned)? For e.g., is this what happens: if I am accessing the corporate mail server, those messages should be sent through the VPN, and if I am browsing they should not be. If I am uploading a file to some server (not on the intranet but on the internet), it too should be tunneled, i.e., it goes securely to the VPN gateway from where it is relayed after stripping the tunnel overhead packets; here let's assume that the architecture has a corporate firewall (which gets packets from the VPN gateway after stripping the tunnel overhead packets) that will allow packets with a source address not in its domain to pass into the internet. Is such granularity provided by VPNs?

shar.


Leythos, that is 50% correct, a lot of clients actually do permit split tunneling out of the box.

And to throw PPTP in an IPSec conversation is just a funny sidenote, PPTP is not tunneling, not even close, and included in that is L2TP.

Munpe Q

On 10 Dec 2004 04:54:51 -0800, snipped-for-privacy@yahoo.com spoketh

I don't think you can configure VPN clients with such granularity. The VPN software doesn't really look at applications at all, just data communications.

What happens in the "don't care" scenario is that all the traffic that has a destination address that falls within the network(s) defined by the VPN, the client software will encrypt the data accordingly and send it to the VPN gateway address.

If the destination address falls outside the defined range, then the VPN software would simply ignore it and it would go to where it was going in the first place.

This is an uncommon configuration (or at least it should be), because it is very insecure. If your computer is compromised with a trojan, then whoever controls the trojan will also have access to your corporate LAN!

That's where split tunneling comes in. By enabling split tunneling, the VPN client simply discards any traffic that does not belong in the VPN tunnel, which would prevent you from browsing the Internet as long as the VPN client is active. I had a lot of pissed off "internal clients" that didn't like this particular feature, because "they wanted to do whatever they wanted to do, and it was none of my business".

The last model simply encrypts everything and sends it through the VPN tunnel, then passes anything destined for the outside through the corporate firewall (assuming it'll pass!), and thus you can surf the web and be on the corporate LAN at the same time while still being protected by all the wonders of IT security policies and other goodies that we have to offer :)

Lars M. Hansen

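To make the three client behaviours Lars lists concrete, here is an added example (not code from anyone in this thread) that models the per-packet decision a VPN client makes under each policy, using Lars's own names for them, and checks which policy leaves the host reachable on the corporate LAN and the internet at the same time. The protected prefixes, policy names and sample addresses are constructed assumptions.

```python
"""Model of a VPN client's per-packet routing decision under three policies.

Added illustration; the prefixes, policy names and sample destinations are
constructed assumptions, not taken from any real client.
"""
from ipaddress import ip_address, ip_network

# Constructed example: the networks the VPN is configured to protect.
VPN_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.100.0/24")]

# The three client policies, named as in the thread.
SPLIT = "split"              # non-VPN traffic is discarded
TRANSPARENT = "transparent"  # everything is tunneled via the gateway
DONT_CARE = "dont_care"      # only VPN-bound traffic is tunneled


def in_vpn(dst, networks=VPN_NETWORKS):
    """True if the destination falls inside one of the VPN-defined networks."""
    addr = ip_address(dst)
    return any(addr in net for net in networks)


def route(dst, policy, networks=VPN_NETWORKS):
    """Return 'tunnel', 'direct' or 'drop' for a packet addressed to dst."""
    if policy == TRANSPARENT:
        return "tunnel"      # gateway and corporate firewall decide the rest
    if in_vpn(dst, networks):
        return "tunnel"      # destination is on the protected network
    if policy == SPLIT:
        return "drop"        # client discards traffic that is not VPN-bound
    if policy == DONT_CARE:
        return "direct"      # goes wherever it was going anyway
    raise ValueError(f"unknown policy: {policy}")


def bridges_lan_and_internet(policy, lan_dst="10.1.2.3",
                             internet_dst="203.0.113.5"):
    """Does the host reach the LAN through the tunnel while also having a
    direct internet path?  That is the exposure Lars describes: a compromised
    host in this state is a bridge between the internet and the corporate LAN."""
    return (route(lan_dst, policy) == "tunnel"
            and route(internet_dst, policy) == "direct")


if __name__ == "__main__":
    for policy in (SPLIT, TRANSPARENT, DONT_CARE):
        for dst in ("10.1.2.3", "192.168.100.7", "203.0.113.5"):
            print(f"{policy:12} {dst:16} -> {route(dst, policy)}")
        print(f"{policy:12} bridges LAN and internet: "
              f"{bridges_lan_and_internet(policy)}")
```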

Actually most of the VPN Clients DO NOT permit split tunnels by default, you have to configure them for it. In fact, even the simple XP PPTP setup does not allow for splits by default, and when you do enable the split, you can't easily access other points on the remote network you vpn'd into.

This was one reason we allow VPN clients to surf the internet through the company firewall (Filtered) so that they would not have a desire to get around the rules/configs.

Leythos
