Using split tunneling safely?
Using split tunneling safely? - 5.Jan.2009 12:02:33 PM   
gbarnas

 

Posts: 155
Joined: 27.Apr.2005
From: New Jersey
Status: offline
I have a challenge that should be solved by split tunneling - I want to be sure I implement it safely.

Our local network configuration consists of two ISA firewalls in a back to back configuration. The VPN gateway is terminated on the back firewall. The back firewall has 4 interfaces - Servers, Workstations, Perimeter, and VoIP. We have specific rules limiting access between the internal subnets, as well as to the Perimeter.

I have a user on the Workstations subnet that must use a VPN connection to a remote office that we support. That office is also protected by an ISA firewall. Since the remote office is not part of our company, we do not have a site-site connection (although this is under discussion and implementing it would resolve the current challenge).

At this time, the user in my office needs to use the VPN to make an RDP connection to a workstation on the remote network. She needs to use a printer at the local office, but since the print server is on the Servers subnet it is unreachable while the VPN is active.

I know that enabling split tunneling will resolve the issue and allow her to print while on the VPN. I'm pretty sure that this is one of the situations where split tunneling is appropriate - I really just need to be sure I'm not missing anything. (BTW - We manage the network and ISA firewall at the remote site, so I'm reasonably sure of its security.)

Thanks,

Glenn
Post #: 1
RE: Using split tunneling safely? - 5.Jan.2009 12:44:07 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Do you plan to enable split tunnelling for just this one user or everyone?

Do other people use the same VPN from external untrusted networks?

How do you configure the VPN clients, by CMAK?

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to gbarnas)
Post #: 2
RE: Using split tunneling safely? - 5.Jan.2009 12:49:10 PM   
adimcev

 

Posts: 380
Joined: 19.Oct.2008
Status: offline
Funny though, I was thinking to put an explanation about split-tunneling in general on my blog (without giving names, just to make sure no one will get upset), just feeling lazy.

Is that workstation using the Windows VPN client?
If so (as the remote office is "protected by an ISA firewall"):
- simply put: by checking the "Use default gateway on the remote..." setting on the VPN client you do not enable "pure" split-tunneling.
- actually, by default the Windows VPN clients fall into a form which some may consider "split tunneling".
As I'm still feeling lazy, right now, the most "secure" and easy thing you can do, at least from what you've posted, is to manually go to that workstation and add a permanent route with the metric 1 for your needed destination. That would cause the traffic to the specified destination to not be sent over the VPN tunnel, while the "Use default gateway on the remote..." setting stays checked on the VPN client.
And the folks at the remote office can sleep well, knowing that you did not uncheck that setting, although you may do that, at least from your point of view, as you own the local subnets, thus secured them appropriately (didn't you?).

If using a non-Windows VPN solution (server and client), things may look different, much different.

If you want to shake me from my laziness state, just say...

Adrian

_____________________________

Blog: http://www.carbonwind.net/blog

Get Our ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to gbarnas)
Post #: 3
RE: Using split tunneling safely? - 5.Jan.2009 1:20:40 PM   
gbarnas

 

Posts: 155
Joined: 27.Apr.2005
From: New Jersey
Status: offline
Jason:
It's just this one user, from a dedicated PC where I can control the settings. The PC does not VPN to any other site.
I have a VPN connection to the remote site on my workstation, and am the only other user with that connection, but I don't need access to the printer since my role is network support, not application support.
These two connections are configured manually, since there are only the two of us that currently need them.

Adrian,
The clients are XP (hers) and Vista (mine) and use standard MS PPTP connections. I considered adding the static route to the servers subnet on her PC, but since this VPN client connection is temporary (a few more weeks at most), I prefer using the local gateway (split tunnel) as no PC-specific settings will remain when the VPN connection is deleted.

Thanks,

Glenn

(in reply to Jason Jones)
Post #: 4
RE: Using split tunneling safely? - 5.Jan.2009 3:51:11 PM   
adimcev

 

Posts: 380
Joined: 19.Oct.2008
Status: offline
The trick is within the routing table, at least from Windows VPN clients' point of view.
What you want to do falls into the category of "controlled" split tunneling. Ideally, you want this level of control on the server side per user/group.

Users need admin rights to mangle the routing table, that's why you should not use CMAK to solve the routing issues, as an issue is not solved at the expense of the creation of a security issue (maybe that's why Jason asked you about CMAK).

There is a limitation with respect to the options passed by the VPN server through IPCP, and from here the fun begins. You can pass routes through DHCP Option 249, which works great (although there is an unless here too), without the need of admin rights, solving even the same subnet problem without the expense of the security issue introduced by CMAK.
But this does not fit your scenario.

Note that when you uncheck the "Use the default..." box, you will get a route through the VPN tunnel only for the subnet to which the IP address received by the VPN client belongs (I suppose you know the "cases" of 10.0.0.0/8 or 172.16.0.0/16).

The "pure" split-tunneling occurs when the VPN client is "willing" by a form of "routing" to pass the packets received on its physical interface over the VPN tunnel to the corpnet behind the VPN server. You do not have to uncheck the "Use the default..." for this to happen. Read this and this. A host firewall on the client, properly configured, may help in this case.

The "normal" split-tunneling occurs when the VPN client accesses the corpnet over the VPN tunnel, and other destinations directly through its physical adapter, and it is discarding the "incoming" traffic received through its physical adapter "destined" to the corpnet (no form of routing whatsoever is enabled on the client). For this you uncheck the "Use the default..." option. The danger is that (other than the user escaping your content filtering and restrictions), for example, the VPN user connects to a malicious external web site, where an attacker can exploit, say, a browser vulnerability that allows him "to remotely execute code" on the VPN client's computer while the user is still connected to the corpnet, resulting in some packets "unwillingly" reaching the corpnet. An ambiguous situation which may have been prevented by blocking split-tunneling.

You may want to control the "level" of split tunneling, that is, to still send all the traffic over the VPN tunnel, except the traffic destined to the local subnet to which the VPN client is directly connected, the default Windows VPN clients behaviour.

Or a deeper level of control, that is, to send over the VPN tunnel the traffic destined to corpnet, while specifying which destinations are allowed to be accessed directly by the VPN user through the physical interface.

The most secure configuration is when all traffic is sent over the VPN tunnel, and the traffic sent to the local subnet directly connected to the client's physical interface is blocked. Additionally there is a host firewall installed on the VPN client.

For the moment, the only Microsoft VPN server that gives you some server side control over some of these settings is this. ISA can force with the help of VPN-Q 2006/2008 certain checks over the VPN client's configuration.

......................................................

Coming back to your case, and to your original question, we must say that you do have a certain form of "controlled" split tunneling, because you own the local subnets and firewalls, the client is not connecting from a public wireless net.
So in the end, by unchecking the "Use the default gateway..." option, the client will still access what you want to access.
Actually, you even inspect the client's encrypted traffic, as you control the remote VPN server, which happens to be an ISA firewall.
As a matter of fact, if you had not controlled the remote VPN server, it would have been *more* secure for you and your network to enable split-tunneling by unchecking the "Use default gw ....", because the VPN traffic is passing encrypted through your local network firewall, creating the possibility of a tunneling issue, in case the folks on the other end deployed a "relaxed" policy for the VPN clients' traffic destined to the Internet, because their VPN server does not allow them granular access per users/groups. A host firewall might have been your only solution to get some control on that client.
Funny, isn't it ?

I've mentioned the route adding possibility because I thought that may be a longer time solution, without the need of creating an s2s for a single user.
The s2s solution would have been the most secure, as you would have inspected the traffic on your local network firewall, although at the expense of some additional overhead on the local VPN gateway.

Adrian

_____________________________

Blog: http://www.carbonwind.net/blog

Get Our ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to gbarnas)
Post #: 5
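The routing-table behaviour Adrian describes (the "Use default gateway on remote network" box, the classful route you get when it is unchecked, and the persistent metric-1 route trick from his earlier post) can be checked against a model of Windows route selection. This is an added example, not code from the thread or from any Microsoft tool; the interface names, subnets and metrics are constructed, chosen to resemble what `route print` shows on an XP/Vista PPTP client.

```python
import ipaddress

# Constructed example: the workstation sits on 192.168.10.0/24, the print
# server on the Servers subnet 192.168.20.0/24, and the VPN hands out 10.x.
LAN_IF = "LAN"   # physical adapter
VPN_IF = "PPP"   # PPTP tunnel adapter
WORKSTATION_NET = ipaddress.ip_network("192.168.10.0/24")
VPN_ASSIGNED_NET = ipaddress.ip_network("10.0.0.0/8")  # classful route for a 10.x address


def build_routes(use_remote_gateway, persistent_route=None):
    """Return (network, metric, interface) tuples as the client would hold them.

    use_remote_gateway: True when "Use default gateway on remote network" is checked.
    persistent_route:   optional (cidr, metric) added out-of-band with
                        `route add -p <net> mask <mask> <local gw> metric <metric>`.
    """
    routes = [
        (WORKSTATION_NET, 20, LAN_IF),                    # directly connected LAN
        (ipaddress.ip_network("0.0.0.0/0"), 20, LAN_IF),  # physical default gateway
    ]
    if use_remote_gateway:
        # Checked: a second default route via the tunnel with a lower metric,
        # so it beats the physical default route on the metric tie-break.
        routes.append((ipaddress.ip_network("0.0.0.0/0"), 1, VPN_IF))
    else:
        # Unchecked: only a route for the (classful) subnet of the assigned address.
        routes.append((VPN_ASSIGNED_NET, 1, VPN_IF))
    if persistent_route:
        cidr, metric = persistent_route
        routes.append((ipaddress.ip_network(cidr), metric, LAN_IF))
    return routes


def select_interface(routes, destination):
    """Longest-prefix match first, lowest metric second: the egress interface."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in r[0]]
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[1]))
    return best[2]


def egress_map(routes, destinations):
    """Which interface each destination leaves on, for a quick side-by-side view."""
    return {d: select_interface(routes, d) for d in destinations}


if __name__ == "__main__":
    probes = ["192.168.20.10", "10.1.5.20", "203.0.113.5", "192.168.10.50"]
    print("checked:            ", egress_map(build_routes(True), probes))
    print("unchecked:          ", egress_map(build_routes(False), probes))
    print("checked + route -p: ", egress_map(build_routes(True, ("192.168.20.0/24", 1)), probes))
```

Three things stand out in the output: with the box checked the print server is unreachable because only the directly connected subnet escapes the tunnel; unchecking it sends everything except the classful VPN subnet out the physical adapter; the persistent route reaches the print server while Internet traffic still goes through the tunnel.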
RE: Using split tunneling safely? - 5.Jan.2009 5:56:45 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Ouch, my head hurts now!

Great post, as ever Adrian, and some useful info...

Overall I think that this specific situation is a valid use of split tunneling and all seems "well managed" to me...

Cheers
JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to adimcev)
Post #: 6
RE: Using split tunneling safely? - 6.Jan.2009 10:30:14 AM   
gbarnas

 

Posts: 155
Joined: 27.Apr.2005
From: New Jersey
Status: offline
YOUR head??? ;)

I knew that unchecking the "use remote gateway" would work, and had a pretty good idea that this would be secure.. I'm really glad that you guys took the time to explain this, since there are times that it's appropriate. (this being one of them.) Thanks for the great information.

Glenn



(in reply to Jason Jones)
Post #: 7