Pantlegz

Diamond Member
Jun 6, 2007
4,627
4
81
I'm sure I'm overlooking something stupid, yet again. But users connected to our VPN aren't able to access the internet, which would be nice. Do I have to enable split tunneling, or what am I overlooking? I'm able to connect and get any network resources without issues.
 

theevilsharpie

Platinum Member
Nov 2, 2009
2,322
14
81
They're probably attempting to route their Internet traffic through the corporate network and getting blocked by an upstream firewall/content filter. Their local subnet may also be overlapping with your corporate subnet.

Enable split-tunneling support (if your organization's security policy permits) and call it a day.
 

Pantlegz

Diamond Member
Jun 6, 2007
4,627
4
81
I really didn't want to enable split tunneling, just due to the security risks involved, even though not many people would be using it. I did figure it out though, something dumb of course. Forgot to NAT (outside) the VPN pool.
 

theevilsharpie

Platinum Member
Nov 2, 2009
2,322
14
81
Pantlegz said:
I really didn't want to enable split tunneling, just due to the security risks involved, even though not many people would be using it. I did figure it out though, something dumb of course. Forgot to NAT (outside) the VPN pool.

Allowing machines that are outside of your administrative influence to connect to your internal network is already a huge security risk.
 

Jamsan

Senior member
Sep 21, 2003
795
0
71
theevilsharpie said:
Allowing machines that are outside of your administrative influence to connect to your internal network is already a huge security risk.

What in his post made it seem the machines are outside of his administrative influence?
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Pantlegz said:
I really didn't want to enable split tunneling, just due to the security risks involved, even though not many people would be using it. I did figure it out though, something dumb of course. Forgot to NAT (outside) the VPN pool.

All you're doing is forcing them to download whatever bad bits of software before connecting to your VPN. Once they've connected to your VPN you've already exposed yourself to whatever's on their machine.
 

jlazzaro

Golden Member
May 6, 2004
1,743
0
0
Nothinman said:
All you're doing is forcing them to download whatever bad bits of software before connecting to your VPN. Once they've connected to your VPN you've already exposed yourself to whatever's on their machine.

Not really the point... split tunneling enables dual-homing of the remote client on both the internal network and the Internet at the same time.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
jlazzaro said:
Not really the point... split tunneling enables dual-homing of the remote client on both the internal network and the Internet at the same time.

I understand what split tunneling does, but I still have yet to hear a real reason for disabling it. All anyone ever does is a bunch of hand waving while screaming "Security!" at the top of their lungs.

If my machine has malware on it, it's got malware on it and disabling my Internet access for the small amount of time I'm on your VPN won't change that. As soon as I connect to your VPN that malware has the exact same chance of spreading to your systems. If I want to post your data to the Internet all I have to do is copy it to my PC, disconnect from the VPN and then post it wherever I want. All disabling split tunneling does is make me jump through hoops to do my job.
 

Pheran

Diamond Member
Apr 26, 2001
5,740
35
91
Nothinman said:
I understand what split tunneling does, but I still have yet to hear a real reason for disabling it. All anyone ever does is a bunch of hand waving while screaming "Security!" at the top of their lungs.

If my machine has malware on it, it's got malware on it and disabling my Internet access for the small amount of time I'm on your VPN won't change that. As soon as I connect to your VPN that malware has the exact same chance of spreading to your systems. If I want to post your data to the Internet all I have to do is copy it to my PC, disconnect from the VPN and then post it wherever I want. All disabling split tunneling does is make me jump through hoops to do my job.

Full tunneling is a good thing because the traffic from malware that is periodically beaconing to command and control servers on the Internet will come through the enterprise infrastructure, where it can be detected and/or filtered. We have detected compromised employee laptops in exactly this way; in some cases the malware wasn't detected by AV at all. This also prevents an attacker with a botted machine from getting real-time control over a tunnel into your network (though the malware can still do bad things autonomously).

Why are you "jumping through hoops?" Full tunnel does not imply there is no Internet access (though it could be configured that way). Our users can still make use of our filtering proxy for Internet access while on full tunnel. In fact this is completely transparent to them; they don't have to do anything special.
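The detection Pheran describes (malware beaconing to the Internet on a fixed schedule becomes visible once the traffic is forced through enterprise infrastructure) can be checked for with a simple timing analysis over proxy logs. The following is an added example, not code from the thread or from any product the posters use. It assumes a constructed log format of `epoch_seconds client_ip destination_host`; every address, hostname, threshold and log line in it is made up for illustration.

```javascript
// Added example (not from the thread): timing-based detection of periodic
// beaconing in outbound traffic that a full-tunnel VPN forces through the
// enterprise proxy. Log format (epoch seconds, client IP, destination host)
// and all addresses/hostnames/thresholds are constructed for illustration.

// Constructed proxy log: one VPN client talks to beacon-target.invalid every
// ~300 s with a few seconds of jitter; everything else is ordinary, irregular
// browsing from two clients.
const SAMPLE_LOG = `
1700000000 10.8.0.12 beacon-target.invalid
1700000050 10.8.0.12 news.example.com
1700000070 10.8.0.12 news.example.com
1700000100 10.8.0.25 mail.example.com
1700000130 10.8.0.25 mail.example.com
1700000301 10.8.0.12 beacon-target.invalid
1700000598 10.8.0.12 beacon-target.invalid
1700000700 10.8.0.25 mail.example.com
1700000705 10.8.0.25 mail.example.com
1700000900 10.8.0.12 news.example.com
1700000901 10.8.0.12 beacon-target.invalid
1700001100 10.8.0.12 news.example.com
1700001200 10.8.0.12 beacon-target.invalid
1700001400 10.8.0.25 mail.example.com
1700001410 10.8.0.25 mail.example.com
1700001502 10.8.0.12 beacon-target.invalid
1700001799 10.8.0.12 beacon-target.invalid
1700001900 10.8.0.25 mail.example.com
1700002101 10.8.0.12 beacon-target.invalid
`;

// Parse the constructed log into { ts, client, host } records, skipping blanks.
function parseLog(text) {
  return text
    .split("\n")
    .map((line) => line.trim())
    .filter(Boolean)
    .map((line) => {
      const [ts, client, host] = line.split(/\s+/);
      return { ts: Number(ts), client, host };
    });
}

// Group requests by (client, destination) and flag pairs whose inter-request
// intervals are nearly constant. The coefficient of variation (stddev / mean)
// of the intervals is small for a scheduled beacon and large for a human.
// minHits and maxCv are illustrative thresholds, not tuned values.
function findBeacons(records, { minHits = 6, maxCv = 0.1 } = {}) {
  const groups = new Map();
  for (const r of records) {
    const key = `${r.client} ${r.host}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(r.ts);
  }

  const flagged = [];
  for (const [key, times] of groups) {
    if (times.length < minHits) continue; // too few samples to judge
    times.sort((a, b) => a - b);
    const intervals = [];
    for (let i = 1; i < times.length; i++) intervals.push(times[i] - times[i - 1]);
    const mean = intervals.reduce((s, x) => s + x, 0) / intervals.length;
    if (mean === 0) continue; // duplicate timestamps, nothing periodic to measure
    const variance = intervals.reduce((s, x) => s + (x - mean) ** 2, 0) / intervals.length;
    const cv = Math.sqrt(variance) / mean;
    if (cv <= maxCv) {
      const [client, host] = key.split(" ");
      flagged.push({ client, host, hits: times.length, meanInterval: mean, cv });
    }
  }
  return flagged;
}

// Stand-alone run: prints the one (client, host) pair that beacons on a schedule.
console.log(findBeacons(parseLog(SAMPLE_LOG)));
```

The check keys on timing alone, so it does not care which port or protocol the beacon uses; its weakness is the opposite one, malware that randomizes its sleep interval pushes the coefficient of variation above the threshold, which is why this kind of heuristic belongs alongside proxy filtering rather than in place of it.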
 

theevilsharpie

Platinum Member
Nov 2, 2009
2,322
14
81
Pheran said:
Why are you "jumping through hoops?" Full tunnel does not imply there is no Internet access (though it could be configured that way). Our users can still make use of our filtering proxy for Internet access while on full tunnel. In fact this is completely transparent to them; they don't have to do anything special.

A lot of consumer connections these days are fully capable of saturating the typical business connection. Indeed, all it takes is three or four FiOS users watching Hulu or downloading shit to suck up an entire T3. By forcing full tunneling, you are trading the unlikely chance of detecting botnet communication from the client machine for the much more likely chance of an inadvertent DoS.

"But wait!" you say. "I block Hulu and other bandwidth-intensive applications, and I perform traffic shaping that prevents such bandwidth utilization."

Well, if you block traffic or throttle bandwidth, it's no longer transparent, and users have to start jumping through hoops.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Pheran said:
Full tunneling is a good thing because the traffic from malware that is periodically beaconing to command and control servers on the Internet will come through the enterprise infrastructure, where it can be detected and/or filtered. We have detected compromised employee laptops in exactly this way; in some cases the malware wasn't detected by AV at all. This also prevents an attacker with a botted machine from getting real-time control over a tunnel into your network (though the malware can still do bad things autonomously).

Maybe, but that depends heavily on how the malware works and I wouldn't consider that reliable at all. All the malware has to do is connect over 443 (you do allow HTTPS, right?) and it'll get through just fine.

Pheran said:
Why are you "jumping through hoops?" Full tunnel does not imply there is no Internet access (though it could be configured that way). Our users can still make use of our filtering proxy for Internet access while on full tunnel. In fact this is completely transparent to them; they don't have to do anything special.

Because it's fucking terrible. I'm either browsing through your connection via the VPN which will be terribly latent or it's disabled completely. It's always going to be way quicker for me to use my local cable connection. Forcing me to browse through your proxy when I'm just going to be doing it locally before and after serves no purpose.
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
theevilsharpie said:
A lot of consumer connections these days are fully capable of saturating the typical business connection. Indeed, all it takes is three or four FiOS users watching Hulu or downloading shit to suck up an entire T3. By forcing full tunneling, you are trading the unlikely chance of detecting botnet communication from the client machine for the much more likely chance of an inadvertent DoS.

"But wait!" you say. "I block Hulu and other bandwidth-intensive applications, and I perform traffic shaping that prevents such bandwidth utilization."

Well, if you block traffic or throttle bandwidth, it's no longer transparent, and users have to start jumping through hoops.

Easy solution: Users should not use their work PCs for personal use. We deployed the 'client' for our filtering to the machines themselves for this reason. We were tired of the porn / virus / malware issues from users going home and/or traveling. It caused a lot of complaining but after 2 weeks it was just accepted. If you want to watch Hulu... do it on your own gear. Don't go off and get infected with something then come and toss that "piece of crap infected machine" on my lap. Also, people seem to think that anything that happens is my problem so their "stupid level" increases drastically. I.e. they won't go to "superporn.com" on their home machine because it may steal their identity but they will on a work machine because hey, "That is IT's problem!"
 

theevilsharpie

Platinum Member
Nov 2, 2009
2,322
14
81
imagoon said:
Easy solution: Users should not use their work PCs for personal use.

If only it were that easy.

What do you do if the PC that's connecting is the user's personal computer?
What do you do if the user is outside the reach of IT's sanctions (execs, C-level types, etc.)?
What do you do if the user is an employee of a partner organization that doesn't fall under your administrative control?
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
theevilsharpie said:
What do you do if the PC that's connecting is the user's personal computer?

We deny the machine's connection at the VPN device.

theevilsharpie said:
What do you do if the user is outside the reach of IT's sanctions (execs, C-level types, etc.)?

We deny the machine's connection at the VPN device.

theevilsharpie said:
What do you do if the user is an employee of a partner organization that doesn't fall under your administrative control?

We issue them a company laptop.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
theevilsharpie said:
If only it were that easy.

What do you do if the PC that's connecting is the user's personal computer?
What do you do if the user is outside the reach of IT's sanctions (execs, C-level types, etc.)?
What do you do if the user is an employee of a partner organization that doesn't fall under your administrative control?

Those are simply not allowed to connect. If it's a partner then they connect to a separate partner VPN that only allows them access to the partner DMZ.
 

mvbighead

Diamond Member
Apr 20, 2009
3,793
1
81
From a recent experience, allowing any of our users to use their own internet connection is simply a recipe for disaster. And this includes not being on the VPN. We have a group of 50 or more agents (call center environment) who simply use their work computers for personal use, and when they screw up the box... it's our IT staff's problem.

We're now to the point where the PAC file being used not only sends their traffic to our proxy, but if their IP address doesn't fall within our scope (either VPN or internal), we send any web traffic to be proxied by their own machine to basically go nowhere. They have access to the exclusions we've made around the proxy, and nothing else. Personally, I'd like to make this change building-wide, because, outside of IT primarily, most people have 0 clue when it comes to avoiding phishing/malware-filled content. And, mind you, none of these people have admin rights, and the viruses are simply infecting user content and other user-privileged paths... which, in the end, still consumes IT's time and efforts.
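The PAC behaviour mvbighead describes (proxy when the client's address is internal or in the VPN pool, a dead-end proxy on the client itself otherwise, with a fixed set of exclusions reachable directly) can be written in a few lines. The following is an added example, not mvbighead's actual PAC file or any vendor's code. The address ranges, the proxy hostname and the exclusion list are constructed placeholders; the decision logic is factored into `decide()` so it can be run and tested in Node, where the browser-supplied `myIpAddress()` does not exist.

```javascript
// Added example (not from the thread): a PAC (proxy auto-config) file that
// implements the policy described in the post above. On-network or VPN clients
// go to the filtering proxy; off-network clients are pointed at a proxy on
// their own loopback where nothing listens, so only the exclusions work.
// All addresses, hostnames and ranges below are constructed placeholders.

// Constructed trusted ranges: the corporate LAN and the VPN address pool.
const TRUSTED_RANGES = [
  { net: "10.0.0.0", mask: "255.0.0.0" },        // internal LAN (assumed)
  { net: "172.16.50.0", mask: "255.255.255.0" }, // VPN pool (assumed)
];

// Hosts that bypass the proxy entirely: the "exclusions" from the post.
// A leading dot matches any host under that domain; otherwise exact match.
const DIRECT_HOSTS = [".corp.example", "localhost"];

const FILTERING_PROXY = "PROXY proxy.corp.example:8080"; // assumed hostname
// Off-network sink: the client's own loopback on the discard port (9).
const BLACKHOLE = "PROXY 127.0.0.1:9";

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer.
function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error("bad IPv4 address: " + ip);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// Pure equivalent of the PAC built-in isInNet(host, pattern, mask).
function inNet(ip, net, mask) {
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

function isTrustedClient(clientIp) {
  return TRUSTED_RANGES.some((r) => inNet(clientIp, r.net, r.mask));
}

function isExcludedHost(host) {
  const h = host.toLowerCase();
  return DIRECT_HOSTS.some((s) => (s.startsWith(".") ? h.endsWith(s) : h === s));
}

// The policy, separated from FindProxyForURL so it is testable without a
// browser: clientIp is what myIpAddress() would have returned.
function decide(host, clientIp) {
  if (isExcludedHost(host)) return "DIRECT";          // exclusions always work
  if (isTrustedClient(clientIp)) return FILTERING_PROXY; // on LAN or VPN
  return BLACKHOLE;                                    // off-network: nowhere
}

// PAC entry point. The browser provides myIpAddress(); Node does not, so this
// function is only meaningful when the file is loaded as a PAC.
function FindProxyForURL(url, host) {
  return decide(host, myIpAddress());
}
```

Two caveats a practitioner would check before deploying something like this: `myIpAddress()` returns a single address, and on a machine with both a LAN adapter and a VPN adapter some browsers return whichever interface comes first, so a VPN client can be misclassified as off-network and lose web access; and a PAC only governs applications that honour the system proxy settings, which is why it complements, rather than replaces, the host-based filtering client imagoon describes.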