Two different networks, one computer, one VPN

I have this problem with this VPN access.

I am using VPN access to log in to a customer site using the Cisco VPN client. When I do that, I lose my company's Outlook email, so I have to wait to log off to get my company's email and then log on back to the customer using VPN.

I am using Windows XP Pro with one network card. It seems to get DNS and a default router once I log in to the customer site.

At the company site I don't use VPN; I just get a DHCP IP and I am into my Outlook and the internet.

What's more frustrating is that once I am VPN'd into the customer site for twenty hours I can't access the internet.

Thanks in advance, help...

Rash

rashidaq

Hi,

You have to set up split tunneling on your concentrator.

marcial.colomer at gmail

snipped-for-privacy@gmail.com wrote:

marcial_colomer

How do you do split tunneling, and on what concentrator?

Does this mean that I can't do anything on my computer to make this happen?

Thanks.

marcial_colomer wrote:

rashidaq

Hi

Right, you can't do anything. Split tunneling must be configured on the VPN concentrator (where you dial in).

Mostly this is disabled for security reasons.

Ted Nevil

snipped-for-privacy@gmail.com wrote:

That's by design:

Once you have your VPN connection open, all traffic goes through that VPN connection.

What you want is called "split tunneling" and is a security nightmare.

Martin Bodenstedt

marcial_colomer wrote:

But you don't really want to do this (for security reasons):

Your customer's network most likely has a very strict internet policy using a firewall, spam and virus checker, and possibly contains sensitive data.

Now you open a remote VPN connection to this network through the internet using your own internet connection.

By design, once the tunnel (your VPN connection, that is) is established, your VPN client blocks all incoming or outgoing traffic on your computer except the traffic going through the tunnel. This way your PC (and only your PC, no matter what else your PC is connected to locally) is made a virtual extension of your customer's network.

Now consider free network access on your PC while the VPN connection is open (which is called "split tunneling" because your network access is split between the tunnel connection and local network access):

Suddenly all other PCs on your local network can access the customer's network and, which is worse, your customer's network has a rogue internet connection (through your PC) bypassing that network's internet access policy.

Martin Bodenstedt

Whether the client can do anything depends on the VPN client, not on the VPN concentrator, since it is the VPN client that ultimately controls how traffic is routed on the client. Typically, if the VPN administrator does not want split tunnelling to be used, then they don't configure it on the VPN concentrator and provide a VPN client program that provides no way of turning it on.

However, if the authentication details can be extracted from the VPN client, then they can be used with a client that does support split tunnelling even if the VPN concentrator is not configured to support it.

Not surprisingly, such VPN clients are not popular with VPN administrators, since they allow users to override the administrator's policy. So, they can make life difficult by making the authentication details hard to extract from the VPN client they provide, and/or using vendor-specific/proprietary authentication mechanisms that other VPN clients do not support, and/or requiring that you sign something that says you will only use approved software for VPN access.

Stephen J. Bevan

Stephen J. Bevan wrote:

Basically yes.

But depending on the software used, the central network admin has control over the client's routing options...

Martin Bodenstedt

Isn't that another way of saying what I wrote in the next sentence after the one you quoted? That is:

Stephen J. Bevan

How is that going to happen without some serious reconfiguration both on your system and its local network? To take some (hypothetical) numbers: your PC has IP address 192.168.0.2 on the local network. When you establish the VPN connection to the remote network, this allocates you IP address 10.0.0.3 on that network.

If your PC acted as a 'simple' router, then any packets it received with destination addresses in 10.0.0.0/8 it would send over the VPN, but with a source address in 192.168.0.0/24, which the remote network would not like and which would probably be rejected by the firewall in the VPN endpoint. Add to that, the other systems (or at least the system which is the default route) on the local LAN would have to be set up with a static route for 10.0.0.0/8 via your PC.

For other systems to access the remote network via your PC, not only would the static routes have to be set in the local network, but your PC would have to act as a NATting router and set the source address of all packets to 10.0.0.3 before sending them over the VPN.

For your PC to 'leak' the external internet to the remote VPN would require even more complex configuration.

None of these things could happen accidentally. So if you are not trusted enough not to deliberately subvert the remote system's security, then neither should you be trusted enough to have the VPN connection to the remote network.

Graham Murray
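Added example, not written by any participant in this thread: a small Python model of the routing described in Martin Bodenstedt's post (full tunnel blocks everything except the tunnel) and Graham Murray's post (what it would take for other LAN hosts to reach the customer's network through the PC). It uses Graham's hypothetical numbers (192.168.0.2 on the LAN, 10.0.0.3 assigned by the VPN, 10.0.0.0/8 as the remote network) and adds constructed assumptions of its own: a company mail server at 203.0.113.25, a LAN host at 192.168.0.5, a VPN endpoint that only accepts tunnel packets whose source is in 10.0.0.0/8, and a customer firewall that allows no onward internet access from the tunnel. Nothing here is the Cisco client's actual route logic; it is a simplified illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

IPAddr = ipaddress.IPv4Address
IPNet = ipaddress.IPv4Network

# Constructed addresses: the hypothetical numbers from the post, plus a few more.
LOCAL_LAN = ipaddress.ip_network("192.168.0.0/24")  # the laptop's own LAN
REMOTE_NET = ipaddress.ip_network("10.0.0.0/8")      # customer network behind the VPN
VPN_ADDR = ipaddress.ip_address("10.0.0.3")          # address the VPN assigns the laptop
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def as_ip(addr: Union[str, IPAddr]) -> IPAddr:
    """Accept either a dotted string or an IPv4Address."""
    return ipaddress.ip_address(addr) if isinstance(addr, str) else addr


@dataclass(frozen=True)
class Route:
    prefix: IPNet
    interface: str  # "tunnel" = virtual VPN adapter, "lan" = physical NIC


def route_table(split_tunnel: bool) -> List[Route]:
    """Simplified routes the client installs once the tunnel is up.
    Full tunnel: a single default route into the VPN (the client's blocking of
    LAN traffic is reproduced by having no LAN route at all).
    Split tunnel: only the customer's prefix goes into the VPN; the LAN and
    the default route stay on the physical NIC."""
    if split_tunnel:
        return [Route(LOCAL_LAN, "lan"), Route(REMOTE_NET, "tunnel"), Route(DEFAULT, "lan")]
    return [Route(DEFAULT, "tunnel")]


def select_route(routes: List[Route], dst: Union[str, IPAddr]) -> Optional[Route]:
    """Longest-prefix match, the way a host's IP stack chooses a route."""
    dst = as_ip(dst)
    matches = [r for r in routes if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def customer_egress_allows(dst: IPAddr) -> bool:
    """Constructed customer policy: traffic arriving through the tunnel may
    reach the customer's own network only, with no onward internet access."""
    return dst in REMOTE_NET


def laptop_can_reach(dst: Union[str, IPAddr], split_tunnel: bool) -> bool:
    """Can the laptop itself reach dst while the tunnel is up?"""
    dst = as_ip(dst)
    route = select_route(route_table(split_tunnel), dst)
    if route is None:
        return False
    if route.interface == "tunnel":
        return customer_egress_allows(dst)
    return True


def endpoint_accepts(src: IPAddr) -> bool:
    """Constructed ingress filter at the VPN endpoint: a packet arriving from
    the tunnel must carry a source address that belongs to the remote network."""
    return src in REMOTE_NET


def forward_from_lan_host(src: Union[str, IPAddr], dst: Union[str, IPAddr],
                          ip_forward: bool, nat: bool) -> str:
    """Another LAN host hands the laptop a packet for the customer's network
    (it would also need a static route pointing at the laptop). Covers the
    three cases in the post: no forwarding, plain forwarding, NAT forwarding."""
    src, dst = as_ip(src), as_ip(dst)
    if not ip_forward:
        return "dropped: laptop is not a router"
    route = select_route(route_table(split_tunnel=True), dst)
    if route is None or route.interface != "tunnel":
        return "not tunnelled"
    src_on_wire = VPN_ADDR if nat else src  # NAT rewrites the source to 10.0.0.3
    if endpoint_accepts(src_on_wire):
        return "delivered"
    return f"rejected by endpoint: source {src_on_wire} not in {REMOTE_NET}"


if __name__ == "__main__":
    targets = {"customer host": "10.0.0.50", "company mail (constructed)": "203.0.113.25",
               "LAN printer": "192.168.0.20"}
    for split in (False, True):
        mode = "split tunnel" if split else "full tunnel "
        for name, dst in targets.items():
            print(f"{mode}: {name:27} reachable={laptop_can_reach(dst, split)}")
    for fwd, nat in ((False, False), (True, False), (True, True)):
        print(f"LAN host 192.168.0.5 -> 10.0.0.50, ip_forward={fwd}, nat={nat}: "
              f"{forward_from_lan_host('192.168.0.5', '10.0.0.50', fwd, nat)}")
```

Running it shows the original poster's symptom in the full-tunnel case (company mail and the LAN printer both unreachable, because everything is routed into a tunnel whose far end allows only the customer's own network) and Graham's argument in the split-tunnel case: a packet from another LAN host is dropped unless the PC forwards, is rejected by the endpoint's source filter if it forwards without NAT, and only gets through once the PC is deliberately turned into a NATting router.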

If your PC supports any ability to remotely control it (e.g. telnet, ssh, Back Orifice, a trojan allowing remote access) from the internet, then a third party can in theory control your computer. Whether theory meets practice depends on exactly what sort of remote control software is on your PC, but even usually safe software like ssh has had the occasional bug which could be exploited to allow remote access.

So, assuming*** you are running vulnerable remote access software on your computer and you have split-tunnelling enabled while connecting to your company's internal site, then your company's site is now accessible to a third party in real time. If split-tunneling is disabled, a third party cannot access your company's internal site in real time via your internet connection.

If real-time access is needed by the third party, then the best they could do would be to set up some software on your PC that would automatically try to create an outbound connection over the VPN to another machine they control and then connect back in over that. Since that connection has to go via the company's firewall(s), they have the necessary opportunity to block this access, e.g. using intrusion prevention software.

------------------

*** Since the company network administrator has no simple way of knowing whether you are running vulnerable software or not, the only safe assumption is that you are.

Stephen J. Bevan
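Added example, not from any poster in this thread: the point above is that with split tunneling off, anything a compromised client initiates towards the outside has to cross the company's firewall, which is where it can be logged and blocked. This Python snippet shows the defender's side of that: it parses constructed firewall log lines and picks out the connections that a VPN client (pool address) opened to a destination outside the company. The VPN pool 10.8.0.0/24, the internal range 10.0.0.0/8, the external address 198.51.100.9 and the log format are all made up for the example.

```python
import ipaddress
from collections import Counter
from typing import Dict, List

# Constructed for this example: the VPN client address pool and the
# company's internal networks (the pool sits inside the internal range).
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed firewall log lines in a made-up "ts key=value ..." format.
SAMPLE_LOG = """\
2006-03-01T09:12:01 src=10.8.0.17 dst=10.1.4.20 dport=445 proto=tcp action=allow
2006-03-01T09:12:05 src=10.8.0.17 dst=198.51.100.9 dport=443 proto=tcp action=allow
2006-03-01T09:13:40 src=10.8.0.22 dst=10.1.4.25 dport=25 proto=tcp action=allow
2006-03-01T09:14:02 src=10.8.0.17 dst=198.51.100.9 dport=8443 proto=tcp action=allow
2006-03-01T09:15:11 src=10.1.4.20 dst=10.8.0.17 dport=3389 proto=tcp action=allow
"""


def parse_line(line: str) -> Dict[str, str]:
    """Turn 'ts key=value key=value ...' into a dict, timestamp under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def is_internal(addr: str) -> bool:
    """True if the address belongs to one of the company's internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def flag_vpn_egress(log_text: str) -> List[Dict[str, str]]:
    """Records where a VPN client is the source and the destination is outside
    the company. With split tunneling disabled these are the only path a
    process on the client has to the internet, so they are where an egress
    policy for VPN users applies and where an alert is worth raising."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if ipaddress.ip_address(rec["src"]) in VPN_POOL and not is_internal(rec["dst"]):
            flagged.append(rec)
    return flagged


def egress_per_client(log_text: str) -> Dict[str, int]:
    """How many outbound external connections each VPN client opened."""
    return dict(Counter(rec["src"] for rec in flag_vpn_egress(log_text)))


if __name__ == "__main__":
    for rec in flag_vpn_egress(SAMPLE_LOG):
        print(f"{rec['ts']} VPN client {rec['src']} -> external {rec['dst']}:{rec['dport']}")
    print("per client:", egress_per_client(SAMPLE_LOG))
```

Only the two connections from 10.8.0.17 to 198.51.100.9 are reported; traffic between VPN clients and internal hosts, in either direction, is left alone. Whether the firewall should deny such connections outright or merely log them for review is the administrator's policy decision, but either way it can only be made at the firewall if the client is not allowed to split its tunnel.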

The point, from a network administrator's point of view, is simply that it *can* be done (either actively by a remote user in a "destructive" mood or by some imported malware).

It depends on what you call "accidentally". The point simply is that the remote computer connecting via VPN is *not* under the control of the corporate network administrator.

Martin Bodenstedt

Stephen J. Bevan wrote:

Thanks for so succinctly explaining the point I'm trying to get across here ;-)

Martin Bodenstedt

Yes :-)

Martin Bodenstedt
