
VPN and internet

lsman

Diamond Member
Before I connect the Vista VPN to my office, my internet connection is as fast as normal (laptop or desktop off a router off Verizon Fios).

However, once I connect the VPN, my IE and Firefox become very, very slow. But within the remote connection session, the remote computer in the office has no problem with applications, IE, and so on.

Can there be a way that my internet connection will be through my router / home network, while the remote session and stuff go through the VPN connections?

TIA.
 
I think that is a policy of the VPN profile you're using. You'd have to talk to your work's IT dept.
The VPN profile my company has to use completely disables your internet, so consider yourself lucky!
 
Most likely no. You're asking for split-tunneling which is almost always disabled with a VPN because of the security risk it imposes.

For example if you had a worm/bot/virus on your computer it could accept instructions from the Internet to scan the private network you're attached to. Very bad practice to allow it.
 
Most likely no. You're asking for split-tunneling which is almost always disabled with a VPN because of the security risk it imposes.

For example if you had a worm/bot/virus on your computer it could accept instructions from the Internet to scan the private network you're attached to. Very bad practice to allow it.

If the worm/bot/virus requires direct inbound connections for control then it likely won't work at home or via the VPN because, hopefully, there are no statics set up. If the bot initiates its own outbound control connection then it'll probably work either way unless the company has egress filtering set up, which IME is extremely rare.

90% of the time disabling split tunneling doesn't help anything and causes more problems for the user than it fixes. I'm just glad I found openconnect, it's a free AnyConnect alternative that doesn't enforce split tunneling policy or that faux-security trojan called Cisco Secure Desktop.
 
If the worm/bot/virus requires direct inbound connections for control then it likely won't work at home or via the VPN because, hopefully, there are no statics set up. If the bot initiates its own outbound control connection then it'll probably work either way unless the company has egress filtering set up, which IME is extremely rare.

90% of the time disabling split tunneling doesn't help anything and causes more problems for the user than it fixes. I'm just glad I found openconnect, it's a free AnyConnect alternative that doesn't enforce split tunneling policy or that faux-security trojan called Cisco Secure Desktop.

Not true at all. Split tunneling is inherently dangerous for call home bots. It defeats any and all purposes of a "virtual private network".
 
Not true at all. Split tunneling is inherently dangerous for call home bots. It defeats any and all purposes of a "virtual private network".

What I never understood about this is why can't/doesn't the computer see them as two separate connections and not route stuff between the two? So VPN traffic would only go to the VPN and internet traffic would only go to the internet... Seems simple enough to me anyway.
 
What I never understood about this is why can't/doesn't the computer see them as two separate connections and not route stuff between the two? So VPN traffic would only go to the VPN and internet traffic would only go to the internet... Seems simple enough to me anyway.

That's what split tunneling is and why you don't allow it.
 
That's what split tunneling is and why you don't allow it.

But if traffic isn't going through the VPN, why would it matter? As far as the internet is concerned you're still at your house, using your ISP. And as far as your VPN connection is concerned, you're part of its network. As long as the packets aren't allowed to cross networks, what's the issue?
 
But if traffic isn't going through the VPN, why would it matter? As far as the internet is concerned you're still at your house, using your ISP. And as far as your VPN connection is concerned, you're part of its network. As long as the packets aren't allowed to cross networks, what's the issue?

If you have a virus on the computer, that virus is on both connections, even if the two connections can't normally "see" each other, and a virus that gets instructions from an online master server would then be able to use those instructions to replicate itself on the VPN connection and report those results back to the master on the local unsecured internet connection. It's enough of a risk that any network admin worried about security won't allow the possibility.
 
Yeah, I understand that. I always thought there should be a way to make it work though, I'm not sure how. I'm sure if it were easy it would have been done by now because I'm sure this question has been asked of IT depts thousands of times...
 
Not true at all. Split tunneling is inherently dangerous for call home bots. It defeats any and all purposes of a "virtual private network".

Not at all. If I'm on your VPN you already trust my machine to connect to whatever resources you have defined in your interesting traffic. And if that includes the Internet via your VPN, that defeats any security that might be gleaned by disabling split tunneling. Any viruses I may have can infect your machines just fine with or without split tunneling.
 
Not at all. If I'm on your VPN you already trust my machine to connect to whatever resources you have defined in your interesting traffic. And if that includes the Internet via your VPN, that defeats any security that might be gleaned by disabling split tunneling. Any viruses I may have can infect your machines just fine with or without split tunneling.

Your internet traffic sent through the VPN goes through other scrubbers and detection/prevention devices you don't have at home. I can't trust your machine if it has another connection/path.
 
Your internet traffic becomes slower when you connect to the VPN because browsing is also being routed through the VPN while you are connected to it.

However, there is a way around it...

You can run an instance of VirtualBox/VirtualPC/VMWare and then bind the virtual machine to the desired network adapter (VPN in your case). Then anything you do inside that virtual machine will happen on the VPN, leaving the rest of your machine still connected to your LAN.

Here is a link to a pre-installed disk image provided by Microsoft. It is a fully contained copy of Windows that is intended to allow you to test out Internet Explorer (for a limited amount of time - 120 days I think). Once downloaded, you can duplicate the disk image and run a "copy" of it, then dispose of the image after the 120-day clock runs out if you like. (I think the clock starts when you "boot" it for the first time)

Simply use the virtualized OS to connect to your office VPN, and the rest of your PC should continue working on your LAN as desired.

http://www.microsoft.com/downloads/...90-958f-4b64-b5f1-73d0a413c8ef&displaylang=en

http://www.microsoft.com/windows/virtual-pc/support/virtual-pc-2007.aspx

http://www.virtualbox.org/

As seen above, this type of thing can create a security issue, which may or may not be acceptable with your employer. So, you should definitely seek approval from your employer or systems/network admin before attempting this on a computer at work.

Good luck!
 
Your internet traffic sent through the VPN goes through other scrubbers and detection/prevention devices you don't have at home. I can't trust your machine if it has another connection/path.

In the cases that concern our clients, even most of our bigger corporate clients, no it doesn't. And you trust my machine just by letting me on your network via VPN, you can't have it both ways. If I can establish a tunnel, I can cause you problems and most of them don't require any kind of local network or Internet connectivity. The only thing it really accomplishes is the wasting of my time and your bandwidth.
 
Make sure your MTU is correct.

You can change the default route from the VPN to your internet connection, then throw some manual routes in place for the VPN WAN to make sure that traffic goes that way.

If your machine is pwned, VPN or split, it is already a threat to the work network.
 
In the cases that concern our clients, even most of our bigger corporate clients, no it doesn't. And you trust my machine just by letting me on your network via VPN, you can't have it both ways. If I can establish a tunnel, I can cause you problems and most of them don't require any kind of local network or Internet connectivity. The only thing it really accomplishes is the wasting of my time and your bandwidth.

And this is why I'm paid to clean up companies' bad decisions. Thank you for your business.
 
If your machine is pwned, VPN or split, it is already a threat to the work network.

This. There are plenty of ways to get around restrictions on split tunneling, so I don't even bother trying to stop it. I simply treat the internal network as untrusted and configure internal host security software accordingly. It's worked well to keep internal resources protected from compromised machines, and as an added bonus, bandwidth usage is lower.

Perimeter security was sufficient ten years ago, but if it's all you've got today, you've already lost.
 
There's no cleanup to be done if your internal network is properly managed...

Checks and security appliances are nice, but I'd rather be safe than sorry. In this case I have to agree on not using split tunneling. Disconnect from your vpn if you want to surf.
 
Checks and security appliances are nice, but I'd rather be safe than sorry. In this case I have to agree on not using split tunneling. Disconnect from your vpn if you want to surf.

But you're no safer with split tunneling disabled, it doesn't add any real protection. All you're doing is changing the timing of the attack. Whether I get infected with the tunnel established or not is irrelevant. If my machine is infected with something it's going to make it over the tunnel eventually.

If you give me access to your network via VPN you have to trust my machine to some extent, there's no way around that. Forcing me to browse via the tunnel just makes my life more difficult and wastes your bandwidth.
 
If you connect a gigabit network to your laptop after you VPN, would the default route choose the wired network due to metric?
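The metric question in this post, and the earlier suggestion to move the default route off the VPN and add manual routes for the corporate prefixes, both come down to how a host picks a route: the longest matching prefix wins, and among equal-length prefixes the lowest metric wins. The script below is an added example, not code from any poster in this thread. It models that selection over a constructed route table (the interface names, addresses and metrics are made up for illustration) and reports whether a given table describes a split tunnel, which is the check an admin or user would run to verify which path browsing traffic actually takes.

```python
import ipaddress

# Constructed route tables in the spirit of a "route print" / "netstat -rn"
# listing: (destination prefix, gateway, interface, metric). All values are
# made up for this example.
FULL_TUNNEL = [
    ("0.0.0.0/0",      "192.168.1.1", "Wi-Fi", 25),  # home router's default route
    ("0.0.0.0/0",      "10.200.0.1",  "VPN",    1),  # VPN client installed a better default
    ("192.168.1.0/24", "0.0.0.0",     "Wi-Fi", 25),  # directly connected home LAN
    ("10.0.0.0/8",     "10.200.0.1",  "VPN",    1),  # corporate network behind the tunnel
]

SPLIT_TUNNEL = [
    ("0.0.0.0/0",      "192.168.1.1", "Wi-Fi", 25),  # internet stays on the home link
    ("192.168.1.0/24", "0.0.0.0",     "Wi-Fi", 25),
    ("10.0.0.0/8",     "10.200.0.1",  "VPN",    1),  # only corporate prefixes use the tunnel
]


def lookup(table, dst):
    """Return the route entry that carries traffic to dst.

    Longest matching prefix wins; among prefixes of equal length the lowest
    metric wins. Returns None if nothing matches (no default route).
    """
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for entry in table:
        net = ipaddress.ip_network(entry[0])
        if addr not in net:
            continue
        if net.prefixlen > best_len or (net.prefixlen == best_len and entry[3] < best[3]):
            best, best_len = entry, net.prefixlen
    return best


def egress_interface(table, dst):
    """Name of the interface that would carry a packet to dst, or None."""
    entry = lookup(table, dst)
    return entry[2] if entry else None


def is_split_tunnel(table, vpn_if):
    """True when the default route leaves via a non-VPN interface while at
    least one more specific prefix is routed over the VPN interface."""
    default = lookup(table, "0.0.0.0")
    default_on_vpn = default is not None and default[2] == vpn_if
    vpn_has_routes = any(e[2] == vpn_if and e[0] != "0.0.0.0/0" for e in table)
    return (not default_on_vpn) and vpn_has_routes


def add_wired_default(table, metric=10):
    """Model plugging in a wired NIC that contributes its own default route.
    Returns a new table; the original is left untouched."""
    return table + [("0.0.0.0/0", "192.168.1.1", "Ethernet", metric)]


if __name__ == "__main__":
    for name, table in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        print(f"{name}: 8.8.8.8 -> {egress_interface(table, '8.8.8.8')}, "
              f"10.1.2.3 -> {egress_interface(table, '10.1.2.3')}, "
              f"split={is_split_tunnel(table, 'VPN')}")
        wired = add_wired_default(table)
        print(f"{name} + wired NIC: 8.8.8.8 -> {egress_interface(wired, '8.8.8.8')}")
```

With these constructed metrics the wired NIC only wins among the non-VPN default routes: in the full-tunnel table the VPN's default (metric 1) still beats the wired default (metric 10), so plugging in a cable does not move internet traffic off the tunnel unless the VPN client's route has a worse metric than the new link. Running the same lookup against a real `route print` listing is a quick way to confirm which path browsing traffic is taking before assuming the VPN policy is at fault.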
 
But you're no safer with split tunneling disabled, it doesn't add any real protection. All you're doing is changing the timing of the attack. Whether I get infected with the tunnel established or not is irrelevant. If my machine is infected with something it's going to make it over the tunnel eventually.

If you give me access to your network via VPN you have to trust my machine to some extent, there's no way around that. Forcing me to browse via the tunnel just makes my life more difficult and wastes your bandwidth.

That's assuming that there is no NAC software in place to verify the integrity of the laptop before placing it on the network.

Disabling split tunnelling is not a solution for all security threats. There is no single solution that will keep a network safe. The idea is to find a combination of solutions that limits the number of attack vectors.

Maybe disabling split tunneling wouldn't be a benefit if there is no Gateway Antivirus/Content Filtering on the internal network, but even that statement is probably a stretch.
 
That's assuming that there is no NAC software in place to verify the integrity of the laptop before placing it on the network.

Disabling split tunnelling is not a solution for all security threats. There is no single solution that will keep a network safe. The idea is to find a combination of solutions that limits the number of attack vectors.

Maybe disabling split tunneling wouldn't be a benefit if there is no Gateway Antivirus/Content Filtering on the internal network, but even that statement is probably a stretch.

Using NAC is one thing, but if my machine passes the NAC tests there's little to no point in disabling split tunneling. If I'm going to click on some virus that your machines are vulnerable to, I'm going to click on it regardless. All you're doing is changing the timing of the attack: making me disconnect to get infected and then reconnect to infect you. The attack itself will still happen.
 