Connect to Cisco VPN without Cisco client?

Emulex

Diamond Member
Jan 28, 2001
No, it is proprietary. The iPhone has a Cisco VPN client - you could tether off that, but technically that is still using the Cisco VPN client. Why not just set up PPTP? Everything has PPTP support included free.

Do you have to pay for the Cisco VPN client?
 

LokutusofBorg

Golden Member
Mar 20, 2001
I'm looking to bypass the restrictions enforced by the Cisco VPN client (no local LAN access) in Windows. I don't think I can connect to the VPN using PPTP, I believe it has to be IPSec like the Cisco client uses.

I'm just wondering what is involved in mimicking the Cisco client (decrypting group password, etc.) from someone who knows how to do it. Google searches aren't turning up useful info.
 

Nothinman

Elite Member
Sep 14, 2001
I'm looking to bypass the restrictions enforced by the Cisco VPN client (no local LAN access) in Windows. I don't think I can connect to the VPN using PPTP, I believe it has to be IPSec like the Cisco client uses.

I'm just wondering what is involved in mimicking the Cisco client (decrypting group password, etc.) from someone who knows how to do it. Google searches aren't turning up useful info.

I would think that bypassing network restrictions would be frowned upon by the people maintaining them...
 

spidey07

No Lifer
Aug 4, 2000
I'm looking to bypass the restrictions enforced by the Cisco VPN client (no local LAN access) in Windows. I don't think I can connect to the VPN using PPTP, I believe it has to be IPSec like the Cisco client uses.

I'm just wondering what is involved in mimicking the Cisco client (decrypting group password, etc.) from someone who knows how to do it. Google searches aren't turning up useful info.

And open the company network to any bugs/worms you may have? Don't do it. Nobody worth an ounce of security would allow split-tunneling (what you described).
 

seepy83

Platinum Member
Nov 12, 2003
I'm looking to bypass the restrictions enforced by the Cisco VPN client (no local LAN access) in Windows.

:rolleyes:
Don't you think that policy is there for a reason? It's not something that is inherent to the Cisco client. It's a policy that's set by your network administrators.
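As an added illustration (not from any poster in this thread), here is what that headend-side policy looks like in a Cisco ASA group-policy; the policy name REMOTE-USERS, the ACL names and the 10.0.0.0/8 internal range are assumed values:

```cisco
! Added example: Cisco ASA group-policy fragments (names and addresses assumed).
! Variant 1: full tunnel. Every packet from the client goes through the VPN,
! so the client has no local LAN or direct Internet path while connected.
group-policy REMOTE-USERS internal
group-policy REMOTE-USERS attributes
 split-tunnel-policy tunnelall

! Variant 2: split tunnel. Only traffic to the listed internal networks is
! tunneled; everything else (local LAN, Internet) leaves the client directly.
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.0.0.0
group-policy REMOTE-USERS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! Variant 3: full tunnel except the client's own local subnet, which is the
! headend setting the client's "Allow Local LAN Access" checkbox depends on.
access-list LOCAL-LAN standard permit host 0.0.0.0
group-policy REMOTE-USERS attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value LOCAL-LAN
```

On the ASA, `show running-config group-policy REMOTE-USERS` shows which of these variants is in force for the group.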
 

Emulex

Diamond Member
Jan 28, 2001
Heh, I read his message as he didn't want to pay for the Cisco VPN client. My bad.
 

Nothinman

Elite Member
Sep 14, 2001
And open the company network to any bugs/worms you may have? Don't do it. Nobody worth an ounce of security would allow split-tunneling (what you described).

I never bought into that aspect of it. All disallowing split-tunneling does is slow down my job, because you're forcing me to do my browsing and everything else through the tunnel and your connection instead of my own. If I've got a bug/worm on my PC, then my VPN connection to your network already opens you up to propagation.

Emulex said:
Heh, I read his message as he didn't want to pay for the Cisco VPN client. My bad.

AFAIK Cisco has never charged for their "classic" IPSec client or the AnyConnect client because they get their money from the licensing on the ASA.
 

seepy83

Platinum Member
Nov 12, 2003
I never bought into that aspect of it. All disallowing split-tunneling does is slow down my job, because you're forcing me to do my browsing and everything else through the tunnel and your connection instead of my own. If I've got a bug/worm on my PC, then my VPN connection to your network already opens you up to propagation.

Not necessarily true, because the corporate network probably has security at the edge of the network that can detect malware that a home network couldn't.
 

Nothinman

Elite Member
Sep 14, 2001
Not necessarily true, because the corporate network probably has security at the edge of the network that can detect malware that a home network couldn't.

If the border will block it anyway why bother not allowing split-tunneling?
 

theevilsharpie

Platinum Member
Nov 2, 2009
Because it's better to have 3 fences than one.

This best practice didn't come out of thin air. It's a response to known cases.

What a crock.

By requiring all Internet traffic to pass through the corporate gateway, you're "gaining" an imaginary security benefit and risking the very real possibility that remote users will inadvertently overwhelm your WAN connection with Internet-bound traffic.

There are benefits to disallowing split tunneling, but security isn't one of them.
 

spidey07

No Lifer
Aug 4, 2000
Can you cite one or two of those known cases?

MSBlaster and Nimda were the big ones that forced VPNs to consider the source untrusted until verified, and part of the countermeasures were no split tunneling and enforcing that company personal firewall policies and anti-virus were correct before letting clients in.
 

Nothinman

Elite Member
Sep 14, 2001
MSBlaster and Nimda were the big ones that forced VPNs to consider the source untrusted until verified, and part of the countermeasures were no split tunneling and enforcing that company personal firewall policies and anti-virus were correct before letting clients in.

If I remember correctly, both of those propagated on their own so if I was already infected and I connect to your VPN then it's going to attempt to infect servers on your network regardless of whether I have Internet connectivity out my connection or yours.
 

spidey07

No Lifer
Aug 4, 2000
If I remember correctly, both of those propagated on their own so if I was already infected and I connect to your VPN then it's going to attempt to infect servers on your network regardless of whether I have Internet connectivity out my connection or yours.

Then there's the aspect of bots and remote control. If you have split tunneling, an intruder could use your machine to get into the internal network. There is just no sound reason to allow hundreds or tens of thousands of little gateways to the internet to attach to your network.
 

theevilsharpie

Platinum Member
Nov 2, 2009
Then there's the aspect of bots and remote control. If you have split tunneling, an intruder could use your machine to get into the internal network. There is just no sound reason to allow hundreds or tens of thousands of little gateways to the internet to attach to your network.

Anyone that cares about security enough to worry about unauthorized remote control will already have a network access control policy in place verifying that the VPN client has appropriate endpoint protection software installed, configured and updated before that client can connect to the internal network. The smart admins will also treat VPN traffic as untrusted and monitor VPN traffic for malware and intrusion attempts.
 

yinan

Golden Member
Jan 12, 2007
If you actually want an easy way around this, install the VPN client in a VM and not on your desktop.
 

Nothinman

Elite Member
Sep 14, 2001
Then there's the aspect of bots and remote control. If you have split tunneling, an intruder could use your machine to get into the internal network. There is just no sound reason to allow hundreds or tens of thousands of little gateways to the internet to attach to your network.

Frankly, that just sounds like hand-waving. I understand the ideas behind defense in depth, security in layers, etc., but if the PC has been compromised you shouldn't let it on the VPN at all. Or better yet, you shouldn't be giving users VPN access. Instead they should be coming in via a tightly controlled, known-good system like TS, Citrix, etc. with two-factor authentication.
 

RadiclDreamer

Diamond Member
Aug 8, 2004
If your admin wanted split tunneling then he/she would have enabled it, no one here is going to tell you how to get past it. Sorry to come off as harsh, but we are not in the business of making more problems for our fellow IT workers.
 

LokutusofBorg

Golden Member
Mar 20, 2001
Thanks Nothinman and others that have made the point that this is just security theater. There is *no* credible threat that is protected against by disallowing split tunneling. Anything that could exploit a VPN connection by bridging a connection on a peer computer that's connected to that VPN with split tunneling enabled, would have already infected that peer computer. It's a sham. Sorry to be so harsh.
 

m1ldslide1

Platinum Member
Feb 20, 2006
Thanks Nothinman and others that have made the point that this is just security theater. There is *no* credible threat that is protected against by disallowing split tunneling. Anything that could exploit a VPN connection by bridging a connection on a peer computer that's connected to that VPN with split tunneling enabled, would have already infected that peer computer. It's a sham. Sorry to be so harsh.

Disagree with it just being security theater. The biggest threat vector ATM is Web 2.0-based malware - Flash, Java, etc. targeting mostly unpatched systems. This is stuff that can be mitigated with corporate web scanning solutions, which you won't have on your home PC and network. So if you're using a split tunnel you're exposed to that stuff. Then when you attempt to access systems on the corporate network you will potentially be exposing those systems (or your credentials) to the crap that you've just exposed yourself to.

Agree with someone else that NAC / posture assessment is an important piece of the strategy as well; as is monitoring inbound traffic with IPS and logging. But having only full-tunnel access is an important component to helping prevent issues in the first place (layered security and all that).

A network / security admin has to remember that they have all kinds of users with varying degrees of security consciousness. While some power users such as yourself may be diligent in patching and avoiding Ukrainian pr0n sites, many other users with access are not. You must always be on the watch for the lowest common denominator... I'm speaking from experience.
 

Nothinman

Elite Member
Sep 14, 2001
m1ldslide1 said:
A network / security admin has to remember that they have all kinds of users with varying degrees of security consciousness. While some power users such as yourself may be diligent in patching and avoiding Ukrainian pr0n sites, many other users with access are not. You must always be on the watch for the lowest common denominator... I'm speaking from experience.

Which is why you don't even give them VPN as an option if you're that concerned about your users' activities on their personal devices. Do you let them bring in their personal laptop and put it on the network? If not, then why let them do it via VPN?
 

Jamsan

Senior member
Sep 21, 2003
Frankly, that just sounds like hand-waving. I understand the ideas behind defense in depth, security in layers, etc., but if the PC has been compromised you shouldn't let it on the VPN at all. Or better yet, you shouldn't be giving users VPN access. Instead they should be coming in via a tightly controlled, known-good system like TS, Citrix, etc. with two-factor authentication.

And the last thing you need is someone's home PC infected up the ass connected to your TS/Citrix farm, armed with a key logger/screen scraper getting everything they are doing. Yes, 2FA will stop them from getting in at a later time, but at that point, your information is already out in the wild.
 

LokutusofBorg

Golden Member
Mar 20, 2001
All of you defending against split tunneling are conveniently side-stepping the fact that when a machine is *not* connected to the VPN it is vulnerable to all the threats you're saying full tunneling protects against. Then, when that machine does connect to the VPN, the corporate network is just as exposed (if not more so).

The *only* thing not allowing split tunneling protects against is very specific threats that are able to exploit a peer computer *when* it's connected to the VPN and bridge the connection. If this is a possible attack vector, then it's completely asinine to presume that 1) a machine vulnerable to this kind of attack isn't also (even more) vulnerable to outright infection and 2) the malware capable of performing this kind of attack isn't also (even more) capable of outright infecting the target computer.

It's a sham, there's no way around it.