Connect to Cisco VPN without Cisco client?


seepy83

Platinum Member
Nov 12, 2003
All of you defending against split-tunneling are conveniently side-stepping the fact that when a machine is *not* connected to the VPN it is vulnerable to all the threats you're saying full tunneling protects against. Which then when that machine does connect to the VPN then the corporate network is just as exposed (if not more so).

The *only* thing not allowing split tunneling protects against are very specific threats that are able to exploit a peer computer *when* it's connected to the VPN and bridge the connection. If this is a possible attack vector, then it's completely asinine to presume that 1) a machine vulnerable to this kind of attack isn't also (even more) vulnerable to outright infection and 2) the malware capable of performing this kind of attack isn't also (even more) capable of outright infecting the target computer.

It's a sham, there's no way around it.

It's not a sham. You're just not an information security professional, so you're not properly educated to understand the big picture of security policies. Disallowing split tunneling is a way to mitigate specific risks to the network. That is a fact, and you cannot deny it. When you're the person who has the responsibility to define security policies for an organization, you can perform your own assessment and determine if mitigating those specific risks is an important part of your strategy. If you decide not to take that precaution, and your network suffers a breach because of it, then it's your head that's going to roll for it.

Information Security professionals don't just make this shit up as they go along to make life difficult for you.
 

Fardringle

Diamond Member
Oct 23, 2000
Blocking split tunneling is not put in place to protect the remote client computer from Internet threats (although it can help do so when corporate security software/equipment scan data that the client retrieves from the Internet connection). The primary purpose is to protect the corporate network from infected clients and web based threats through that infected client.

If you really "need" to browse faster on your own connection, do it when you're not connected to the VPN. Besides, if you're attached to the company VPN, you should be working - not surfing...
 

LokutusofBorg

Golden Member
Mar 20, 2001
You guys aren't even reading... please give me one example of a known threat that is capable of exploiting a split tunnel that isn't also capable of infecting that same computer and attacking through the VPN even with split tunneling disabled.
 

seepy83

Platinum Member
Nov 12, 2003
You guys aren't even reading... please give me one example of a known threat that is capable of exploiting a split tunnel that isn't also capable of infecting that same computer and attacking through the VPN even with split tunneling disabled.

1 - Any worm that would be blocked by firewalls, IPS rules, and other security devices at the network edge (content filters or a/v, for example). Those robust security devices don't exist on home networks. The VPN places the client computer behind those devices on the corporate network. When you allow split tunneling, a worm from some malicious place on the internet now has a backdoor to the corporate network.

2 - Same as above, but replace Worm with Trojan. Now, instead of it being a worm that's wreaking some sort of havoc on your network, it's the guy with the black hat on that can now start probing from the inside instead of needing to break in before he can probe.
 

LokutusofBorg

Golden Member
Mar 20, 2001
You missed the part where I said it has to be a threat that isn't also capable of infecting the machine and doing its dirty work as soon as the machine connects to the VPN. Having live control of the infected machine is so outlandish and unlikely as to be a complete non-starter in this argument.

If any VPN-enabled machine is vulnerable to any of these types of attacks while it isn't connected to the VPN then you are just asking for it allowing it to connect to the VPN even with split tunneling disabled and not running all its traffic past your perimeter security.

Come on, seriously...
 

theevilsharpie

Platinum Member
Nov 2, 2009
The VPN places the client computer behind those devices on the corporate network.

If your VPN clients are able to communicate with your internal servers directly without any type of antimalware, IPS, or other related security checks in place, you're doing it wrong.
 

m1ldslide1

Platinum Member
Feb 20, 2006
You missed the part where I said it has to be a threat that isn't also capable of infecting the machine and doing its dirty work as soon as the machine connects to the VPN. Having live control of the infected machine is so outlandish and unlikely as to be a complete non-starter in this argument.

If any VPN-enabled machine is vulnerable to any of these types of attacks while it isn't connected to the VPN then you are just asking for it allowing it to connect to the VPN even with split tunneling disabled and not running all its traffic past your perimeter security.

Come on, seriously...

I don't think anybody suggested live control, or bridging the infected computer, or any of the other scenarios you're putting up. I'd accuse you of using red herrings to derail the discussion, except that I think you just don't know any better about what you're saying.

For your last question above, if an organization allows personal devices to connect via VPN then it will typically put "perimeter" type security measures in front of these VPN-connected devices. Most of the time an organization will issue employees laptops or smartphones with controlled software patching and admin privs, which when combined with a full-tunnel VPN is a pretty reasonable approach to a secure, remote workforce. That paradigm is changing somewhat to a "bring your own tablet/phone/laptop" environment, which yes has more risks but can be mitigated with technology like NAC, full-tunnels, and perimeter security (IDS/firewall/web security).
 

LokutusofBorg

Golden Member
Mar 20, 2001
Alright, how then could a split tunnel VPN connection be exploited if it isn't either being bridged (the target computer is allowing traffic coming in through the local LAN to cross over to the VPN) or malware actually on the target computer being controlled live? Don't pull out semantics, I don't care what you call it. Traffic either has to cross over from the local LAN to the VPN, or malware on the machine with access to the VPN has to have somebody interacting with it. All other attack vectors have nothing to do with split tunneling. Nobody in this thread can seem to give a specific example of a verified threat that disabling split tunneling actually protects against.

I never claimed to be all-knowing, and in fact have repeatedly said in this thread that I welcome someone sharing the information that would put me in-the-know regarding this "security" feature. If some piece of malware is capable of exploiting a VPN-connected, split-tunnel-enabled computer then I can guarantee you that same malware would be capable of infecting that same computer when it wasn't connected to a VPN and then doing its dirty work when the computer connects to the VPN. Please, prove me wrong. Just knowing it's an actual threat would help with the frustration.

It's kind of hard to have an intelligent debate when you guys can't argue the actual point. I've repeated it so many times in this thread it's getting a bit ridiculous for people to continue side-stepping it.
 

m1ldslide1

Platinum Member
Feb 20, 2006
One last shot: The full tunnel protects the user against getting infected in the first place. The split-tunnel itself isn't exploited; it's the fact that the user picked up malware from unprotected web surfing and now is accessing work systems over the trusted side of the connection.
 

spidey07

No Lifer
Aug 4, 2000
One last shot: The full tunnel protects the user against getting infected in the first place. The split-tunnel itself isn't exploited; it's the fact that the user picked up malware from unprotected web surfing and now is accessing work systems over the trusted side of the connection.

The danger comes from allowing The Internet to have real time interactive access to your systems which is what split-tunneling allows and why it is always to be avoided.
 

LokutusofBorg

Golden Member
Mar 20, 2001
One last shot: The full tunnel protects the user against getting infected in the first place. The split-tunnel itself isn't exploited; it's the fact that the user picked up malware from unprotected web surfing and now is accessing work systems over the trusted side of the connection.

You're making my point for me here... As soon as I disconnect from a "protected" VPN and surf the Internet or hit my home network I am exposed. Disabling split tunneling does not protect against anything here. The VPN has to assume that the connecting machines may have connected to other networks at some point. I can't believe you'd make a statement like this shortly after accusing me of not knowing what I am talking about... :rolleyes:

The danger comes from allowing The Internet to have real time interactive access to your systems which is what split-tunneling allows and why it is always to be avoided.

Yet another "'somebody' says it's good security, therefore anybody that's 'serious' about security will use it" response that includes nothing specific. I think around 15 previous posts in this thread already beat you to this. Did you even read the thread?


Not one of you can actually cite a known threat that can exploit a split tunnel (but is also *not* capable of infecting the same machine when it disconnects from the VPN)?
 

spidey07

No Lifer
Aug 4, 2000
I mentioned it specifically - real time interactive access from an attacker who would use your machine as a gateway. That would be very difficult or unlikely to happen if your machine didn't have access to the internet at the same time as the VPN or if you were on the internal network.
 

LokutusofBorg

Golden Member
Mar 20, 2001
Having live control of the infected machine is so outlandish and unlikely as to be a complete non-starter in this argument.

I worded this slightly wrong, but I meant a live attacker, as opposed to a software based attack...

I don't think anybody suggested live control, or bridging the infected computer, or any of the other scenarios you're putting up. I'd accuse you of using red herrings to derail the discussion, except that I think you just don't know any better about what you're saying.

I mentioned it specifically - real time interactive access from an attacker who would use your machine as a gateway.

I think people are either being obtuse on purpose at this point, or you're not actually reading the thread as I said before. When I have to keep repeating myself because people are ignoring what I've said already, then it's pretty clear you're not engaging in an intelligent debate.
 

m1ldslide1

Platinum Member
Feb 20, 2006
You're making my point for me here... As soon as I disconnect from a "protected" VPN and surf the Internet or hit my home network I am exposed. Disabling split tunneling does not protect against anything here. The VPN has to assume that the connecting machines may have connected to other networks at some point. I can't believe you'd make a statement like this shortly after accusing me of not knowing what I am talking about... :rolleyes:

...Which is why said enterprise would consider using a NAC + IPS + etc solution on these remotely connecting hosts, or go further and use an always-on type of VPN solution (like anyconnect) that prevents these systems from ever getting open access to the Internet. Again (and again, and again) the full tunnel is simply another important component of a security strategy for remote workers.

Spidey may have experience with a remote-controlled machine, and I've certainly heard of it, but my concerns would lie more so with key loggers and other types of malware that would indirectly exploit the split-tunnel. Either way the strategy remains the same.
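The thing the thread keeps circling, whether a host's default route leaves via the VPN (full tunnel) or bypasses it while corporate prefixes are still reachable (split tunnel), can be checked from the host's routing table. The following is an added example, not code from the thread or from any VPN vendor; it assumes a Linux-style VPN interface named tun0 and uses constructed sample route tables.

```python
import ipaddress

# Constructed sample routing tables (not taken from the thread).
# Each entry is (destination prefix, outgoing interface); "tun0" is the
# assumed VPN interface, "wlan0" the home/ISP link.
SPLIT_TUNNEL_ROUTES = [
    ("0.0.0.0/0", "wlan0"),        # default route stays on the home link
    ("10.0.0.0/8", "tun0"),        # only corporate prefixes cross the VPN
    ("192.168.1.0/24", "wlan0"),   # local LAN still directly reachable
]

FULL_TUNNEL_ROUTES = [
    ("0.0.0.0/0", "tun0"),         # all traffic, Internet included, via VPN
    ("10.0.0.0/8", "tun0"),
    ("203.0.113.10/32", "wlan0"),  # host route to the VPN concentrator (TEST-NET-3)
]


def classify_tunnel(routes, vpn_iface="tun0"):
    """Return 'full', 'split' or 'none' for a host's routing table.

    full  : the default route leaves via the VPN, so Internet traffic passes
            the corporate perimeter controls the thread talks about.
    split : VPN routes exist but the default route bypasses the VPN, so the
            host reaches the Internet and the corporate network at once.
    none  : nothing is routed through the VPN interface.
    """
    default_iface = None
    uses_vpn = False
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if net.prefixlen == 0:          # 0.0.0.0/0 or ::/0
            default_iface = iface
        if iface == vpn_iface:
            uses_vpn = True
    if not uses_vpn:
        return "none"
    return "full" if default_iface == vpn_iface else "split"


def non_vpn_routes(routes, vpn_iface="tun0"):
    """Prefixes reachable without crossing the VPN while it is up.

    Host routes (/32, /128) are ignored: a full tunnel still needs one for
    the concentrator itself, and that is not a split-tunnel bypass.
    """
    return [p for p, i in routes
            if i != vpn_iface
            and ipaddress.ip_network(p, strict=False).prefixlen
            < ipaddress.ip_network(p, strict=False).max_prefixlen]
```

On a real host the route list would come from `ip route`; a non-empty result from non_vpn_routes while the VPN is up is exactly the condition the full-tunnel policy is meant to rule out.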
 

LokutusofBorg

Golden Member
Mar 20, 2001
Again (and again, and again) the full tunnel is simply another important component of a security strategy for remote workers.

Yet you can't say why. Every threat vector should be protected against using other means, and split tunneling is just piled on top in religious devotion to "best practices". I think you've made yourself clear, so you don't need to repeat yourself again (and again...).