Is there any point in switching to IPv6?

Page 2 (AnandTech forums)

m1ldslide1 (Platinum Member, joined Feb 20, 2006)
In my experience a best-practice teleworker/soho design would be to carve out a large private address block and assign each user a /26 or smaller, then bring up a site-to-site IPSec VPN back to campus using something like DMVPN if possible. With this you can do a full-tunnel and bring all web traffic back to enterprise security appliances, or you can do split-tunnel by NAT'ing on the WAN interface. I agree that security issues arise from split-tunnel, but there are cloud services like ScanSafe that allow you to redirect all web traffic to a remote anti-malware service without taxing the bandwidth to campus or security resources located there. I agree that anti-malware services have limitations, especially with emerging threats, but when reputation-based filters are integrated it dramatically reduces the threat of zero-day since most of that crap is hosted from the same notorious net blocks.

Really not that hard... Allowing all of your users to use 192.168.1.0 or similar seems very strange and those network designers need a good talking-to.
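The address plan and tunnel policy described in the post above, as an added example that is not part of the original thread or any product mentioned in it. It carves a per-site /26 out of a reserved private block, flags the "everyone on 192.168.1.0" overlap that breaks site-to-site routing, and shows which destinations a site router sends through the IPsec tunnel under full-tunnel versus split-tunnel (NAT on the WAN interface) policy. The block, prefix length, corporate prefixes and user names are constructed for the example; the `ipaddress` module is the Python standard library.

```python
"""Added example (not from the thread): per-site address carving and
split- vs full-tunnel route policy for a teleworker/SOHO IPsec VPN design."""
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed values for this example: the private block reserved for
# teleworker sites, and the corporate prefixes that only live behind the VPN.
TELEWORKER_BLOCK = ipaddress.ip_network("10.200.0.0/16")
PER_SITE_PREFIX = 26  # one /26 (64 addresses) per teleworker site
CORPORATE_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
]


def site_capacity(block: ipaddress.IPv4Network, prefix: int) -> int:
    """Number of /prefix sites that fit in block (a /16 holds 1024 /26s)."""
    return 2 ** (prefix - block.prefixlen)


def carve_site_subnets(users: List[str],
                       block: ipaddress.IPv4Network = TELEWORKER_BLOCK,
                       prefix: int = PER_SITE_PREFIX) -> Dict[str, ipaddress.IPv4Network]:
    """Hand each teleworker site its own /prefix out of the block, in order."""
    if len(users) > site_capacity(block, prefix):
        raise ValueError(f"{block} holds only {site_capacity(block, prefix)} /{prefix} sites")
    subnets = block.subnets(new_prefix=prefix)
    return {user: next(subnets) for user in users}


def find_overlaps(sites: Dict[str, ipaddress.IPv4Network]) -> List[Tuple[str, str]]:
    """Pairs of sites whose LANs overlap. Such a pair cannot be routed
    site-to-site, which is the '192.168.1.0 everywhere' problem."""
    return [(a, b) for a, b in combinations(sorted(sites), 2)
            if sites[a].overlaps(sites[b])]


def tunnel_routes(mode: str,
                  corporate: List[ipaddress.IPv4Network] = CORPORATE_PREFIXES) -> List[str]:
    """Routes the site router sends into the IPsec tunnel.
    full  -> everything (0.0.0.0/0) goes back to campus and its security stack;
    split -> only corporate prefixes; everything else is NAT'd out the WAN."""
    if mode == "full":
        return ["0.0.0.0/0"]
    if mode == "split":
        return [str(p) for p in corporate]
    raise ValueError(f"unknown tunnel mode {mode!r}")


def classify_destination(dst: str, mode: str,
                         corporate: List[ipaddress.IPv4Network] = CORPORATE_PREFIXES) -> str:
    """'tunnel' if the packet is encrypted back to campus, 'nat-local' if the
    site router NATs it straight out of its WAN interface."""
    addr = ipaddress.ip_address(dst)
    for route in tunnel_routes(mode, corporate):
        if addr in ipaddress.ip_network(route):
            return "tunnel"
    return "nat-local"


if __name__ == "__main__":
    sites = carve_site_subnets(["alice", "bob", "carol"])
    for user, net in sites.items():
        print(f"{user:6} {net}")
    print("overlaps among carved sites:", find_overlaps(sites))
    # What the post warns against: every home LAN left on the same default block.
    clash = {u: ipaddress.ip_network("192.168.1.0/24") for u in ("alice", "bob")}
    print("overlaps with default home LANs:", find_overlaps(clash))
    for mode in ("full", "split"):
        print(mode, tunnel_routes(mode), classify_destination("93.184.216.34", mode))
```

In split mode only the corporate prefixes are sent into the tunnel, so the web traffic that bypasses campus security appliances is exactly the `nat-local` set; in full mode that set is empty, which is the bandwidth and appliance-load cost the post describes.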

m1ldslide1 (Platinum Member, joined Feb 20, 2006)
Split tunneling is bad. NEVER do it.

That's a bold statement.

Advantages of split tunneling:
Less bandwidth consumed at expensive campus Internet uplinks
Fewer resources consumed on enterprise security appliances like IPS, web security, and firewalls
Less load on VPN terminating router/firewall (fewer packets to encrypt/decrypt)

Disadvantage of split tunneling:
Security risk (can be mitigated at least partially with cloud-based services)
???

So you REALLY don't think that some enterprises might find this a worthwhile tradeoff?

Railgun (Golden Member, joined Mar 27, 2010)
Not that this thread has gone OT enough already, just a couple of points...

No, RIPE hasn't run out of IPs. They're just being selective with assignments, and you need to be an LIR/member. Somewhat costly but very easy. Exactly what I've done.

As for the split tunneling argument...

One, a good policy should NOT allow users' home PCs to connect. That's just asking for problems. Only devices that should connect are corporate owned and managed devices. Period.

Two, productivity should not be affected as a good security policy would dictate a user would not have any files, applications, etc. relating to the company anywhere other than on the device itself or on company managed storage. Where do breaches in security come from mostly? Oh yeah, employees.

Three, if you have some other pc on a user's network infected, it cannot get into your network, assuming that pc isn't infected already. The hope is you have a good AV policy to address that.

Four, bandwidth should not be a concern. If you're making compromises to security because you don't have a big enough pipe, then you need to rethink your strategy, or fire your information security folks. Either disallow that traffic on your VPN policy, get a sufficient pipe, or if you absolutely need to do it, create your policy similar to your internal policy (assuming you restrict website access) and only allow access to their local Internet pipe with the same restrictions (controlled by whatever soft FW you may use).

Five, every VPN environment should be DMZ'd. Whether on the appliance itself or some FW/UTM behind the termination point, in no way should outside connectivity not be monitored, controlled or otherwise have some ability to know what the traffic is before it gets inside any further where it may possibly do damage.

The only reason to allow it is for convenience. Nothing more.

Argue for it all you want, but it's a huge risk. Maybe your company can take that risk, most cannot.

cmetz (Platinum Member, joined Nov 13, 2001)
Split tunneling is bad. NEVER do it.

Disagree. Split tunnelling is a trade-off. The only thing that's bad is not understanding the choice you're making.

Seeing a lot of incorrect arguments in this thread.

Railgun (Golden Member, joined Mar 27, 2010)
An e-petition to sell it off...

RIPE has the power to simply claim it back. No one "owns" the space.

cmetz (Platinum Member, joined Nov 13, 2001)
There are many places we can find addresses to reclaim and return to the pool. For example,

Huge legacy allocations that can be carved up and partially returned

Sites with big allocations who can easily move much of it to behind a PAT (or already have but never gave the space back)

SEO hosts with big IP address wastage, who should be tarred and feathered

SSL hosts who used to need one IP per FQDN, who can move to SNI

Allocations to companies who don't even exist anymore

We can buy a few years from steps like these. Then life will get painful.

wirednuts (Diamond Member, joined Jan 26, 2007)
There are many places we can find addresses to reclaim and return to the pool. For example,

Huge legacy allocations that can be carved up and partially returned

Sites with big allocations who can easily move much of it to behind a PAT (or already have but never gave the space back)

SEO hosts with big IP address wastage, who should be tarred and feathered

SSL hosts who used to need one IP per FQDN, who can move to SNI

Allocations to companies who don't even exist anymore

We can buy a few years from steps like these. Then life will get painful.

It's all a big cry for nothing. We had the same TV broadcast technology for like 70 years and then, when we felt like it, bam, everything switched. I know flatscreen TVs helped that push, but the PC market is still overturning every few years. Before we need IPv6, everyone will already have it.