Security risks of split tunnel

Hi All,

I currently run a PIX 515 and use it for VPN access. My users want the ability to print locally as well as use the internet while on the VPN. I know I can use split tunnel, but I realize the security risk. Can anyone tell me exactly how big of a risk this is? Ways to get around this? Also, we are thinking about a concentrator. Would having a concentrator solve this issue?

TIA,

K
rhltechie

The extent of the risk depends on how fine-grained the exemption is.

If your users are using Windows, they are probably using NetBIOS-type print services internally, which requires opening a fair set of ports. Those ports also happen to be the ones most likely to be attacked by a virus or trojan, which could then "remote-control" the session to attack your server network.

The risk could be reduced noticeably if your users were using Berkeley lpd printing -- that's only a single port, and not one of the ones more commonly attacked. But setting up lpd services requires installing Windows services, and I rarely see Windows printer drivers that offer lpd as one of their connection varieties. There does not appear to be a Windows "printcap", so my suspicion is that if the printers aren't PostScript or HPGL3 then You Would Not Enjoy (SM) the setup work involved.

If I recall correctly, PIX 6.x whines about split tunnels that are specified down to the port level; I seem to recall that going below the 'ip' level wasn't possible until PIX 6.2, and going to the port level was (if I recall correctly) not possible until PIX 6.3.

In a word, "No".

Walter Roberson

Hi,

Walter's comments best sum up the issues.

The best thing is to have them go through your proxy server (if you have one). I had a situation where a customer wanted to do this but the users also wanted to access the Internet when not on the VPN and the proxy settings became a nuisance.

What we did was create two icons on the desktop with the IE icon. One was called work internet and one was called personal internet. These shortcuts were to batch files that ran a .reg file to enter proxy settings into the registry then also loaded internet explorer. The work .bat put the proxy entries in and the personal .bat took them out.

It's not a perfect solution but it is a free work-around!

Regards,

Martin

Martin Kayes
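The two-shortcut proxy toggle Martin describes, rewritten as an added PowerShell script in place of the batch/.reg pair from his post (this is an illustration, not Martin's files); the proxy host, port and bypass list are assumed placeholders, while the registry path is the real per-user location Internet Explorer reads.

```powershell
# Added example: switch Internet Explorer between a "work" profile (browsing goes
# through the corporate proxy reached over the VPN) and a "personal" profile
# (direct Internet access when the VPN is down). Run as the logged-on user.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('work', 'personal')]
    [string]$Mode
)

$IeSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$WorkProxy  = 'proxy.example.internal:8080'    # assumed corporate proxy
$Bypass     = '10.*;*.example.internal;<local>' # assumed hosts reached directly

function Set-WorkProxy {
    # Send browser traffic via the corporate proxy, so the split-tunnel exemption
    # only has to carry local printing rather than general web browsing.
    Set-ItemProperty -Path $IeSettings -Name ProxyEnable   -Value 1 -Type DWord
    Set-ItemProperty -Path $IeSettings -Name ProxyServer   -Value $WorkProxy
    Set-ItemProperty -Path $IeSettings -Name ProxyOverride -Value $Bypass
}

function Set-PersonalProxy {
    # Direct Internet access: disable the proxy and drop the work-specific values.
    Set-ItemProperty -Path $IeSettings -Name ProxyEnable -Value 0 -Type DWord
    Remove-ItemProperty -Path $IeSettings -Name ProxyServer   -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $IeSettings -Name ProxyOverride -ErrorAction SilentlyContinue
}

function Get-ProxyState {
    # Report the effective setting so a login script or helpdesk can verify it.
    $p = Get-ItemProperty -Path $IeSettings
    [pscustomobject]@{ Enabled = [bool]$p.ProxyEnable; Server = $p.ProxyServer }
}

switch ($Mode) {
    'work'     { Set-WorkProxy }
    'personal' { Set-PersonalProxy }
}
Get-ProxyState | Format-List

# HKCU is writable by the user, so this is a convenience toggle, not enforcement:
# a user can still clear the proxy and browse directly over the split tunnel.
Start-Process -FilePath 'iexplore.exe'
```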

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.