VPN - Two different networks, one computer, one vpn

rashidaq@gmail.com

2005-10-24, 9:35 am

I have this problem with this VPN access.

I am using VPN access to log in to a customer site
using the Cisco VPN client.
When I do that I lose my company's Outlook email, so I have
to wait to log off to get my company's email and then log on back to the
customer using VPN.

I am using Windows XP Pro with one network card.
It seems to get DNS and a default router once I log in
to the customer site.

At the company site I don't use VPN; I just get a DHCP
IP and I am into my Outlook and the internet.

What's more frustrating is that once I am VPN'd into the customer site
for twenty hours I can't access the internet.

Thanks in advance, help ..

Rash

marcial_colomer

2005-10-24, 9:35 am

Hi,

You have to setup split tunneling on your concentrator.

marcial.colomer at gmail

rashidaq@gmail.com wrote:

> I have this problem with this VPN access.
>
> I am using VPN access to log in to a customer site
> using the Cisco VPN client.
> When I do that I lose my company's Outlook email, so I have
> to wait to log off to get my company's email and then log on back to the
> customer using VPN.
>
> I am using Windows XP Pro with one network card.
> It seems to get DNS and a default router once I log in
> to the customer site.
>
> At the company site I don't use VPN; I just get a DHCP
> IP and I am into my Outlook and the internet.
>
> What's more frustrating is that once I am VPN'd into the customer site
> for twenty hours I can't access the internet.
>
> Thanks in advance, help ..
>
> Rash


rashidaq@gmail.com

2005-10-24, 9:35 am

How do you set up split tunneling, and on what concentrator?

Does this mean that I can't do anything on my computer
to make this happen?


Thanks

marcial_colomer wrote:
> Hi,
>
> You have to setup split tunneling on your concentrator.
>
> marcial.colomer at gmail
>
> rashidaq@gmail.com wrote:


Ted Nevil

2005-10-25, 5:47 pm

rashidaq@gmail.com wrote:
> How do you set up split tunneling, and on what concentrator?
>
> Does this mean that I can't do anything on my computer
> to make this happen?
>

Hi

Right, you can't do anything.
Split tunneling must be configured on the VPN concentrator (where you
dial in).

Mostly this is disabled for security reasons.

Martin Bodenstedt

2005-10-26, 2:46 am

rashidaq@gmail.com wrote:
> I have this problem with this VPN access.
>
> I am using VPN access to log in to a customer site
> using the Cisco VPN client.
> When I do that I lose my company's Outlook email, so I have
> to wait to log off to get my company's email and then log on back to the
> customer using VPN.


That's by design:

Once you have your vpn connection open all traffic goes through that vpn
connection.

What you want is called "split tunneling" and is a security nightmare.


--
Martin Bodenstedt

(www.die-bodenstedts.de / www.maboko.de)

Martin Bodenstedt

2005-10-26, 2:46 am

marcial_colomer wrote:

> You have to setup split tunneling on your concentrator.


But you don't really want to do this (for security reasons):

Your customer's network most likely has a very strict internet policy
using a firewall, spam and virus checker - and possibly contains
sensitive data.

Now you open a remote VPN connection to this network through the
internet using your own internet connection.

By design, once the tunnel (your VPN connection, that is) is established
your VPN client blocks all incoming or outgoing traffic on your computer
except the traffic going through the tunnel. This way your PC (and only
your PC, no matter what else your PC is connected to locally) is made a
virtual extension of your customer's network.

Now consider free network access on your PC while the VPN connection is
open (which is called "split tunneling" because your network access is
split between the tunnel connection and local network access):

Suddenly all other PCs on your local network can access the customer's
network and - which is worse - your customer's network has a rogue
internet connection (through your PC) bypassing that network's internet
access policy.



--
Martin Bodenstedt

(www.die-bodenstedts.de / www.maboko.de)

Stephen J. Bevan

2005-10-27, 2:45 am

Ted Nevil <ted.nevil@gmail.com> writes:
> rashidaq@gmail.com wrote:
> Hi
>
> Right, you can't do anything.
> Split tunneling must be configured on the vpn concentrator (where you
> dial in).
>
> Mostly this is disabled for security reasons.


Whether the client can do anything depends on the VPN client, not on
the VPN concentrator, since it is the VPN client that ultimately
controls how traffic is routed on the client. Typically, if the VPN
administrator does not want split tunnelling to be used then they
don't configure it on the VPN concentrator and provide a VPN client
program that provides no way of turning it on.

However, if the authentication details can be extracted from the VPN
client then they can be used with a client that does support split
tunnelling even if the VPN concentrator is not configured to support
it.

Not surprisingly, such VPN clients are not popular with VPN
administrators since they allow users to override the administrator's
policy. So, they can make life difficult by making the authentication
details hard to extract from the VPN client they provide and/or using
vendor-specific/proprietary authentication mechanisms that other VPN
clients do not support and/or requiring that you sign something that
says you will only use approved software for VPN access.

Martin Bodenstedt

2005-10-27, 2:45 am

Stephen J. Bevan wrote:
> Whether the client can do anything depends on the VPN client, not on
> the VPN concentrator, since it is the VPN client that ultimately
> controls how traffic is routed on the client.


Basically yes.

But depending on the software used the central network admin has the
control over the client's routing options...

--
Martin Bodenstedt

(www.die-bodenstedts.de / www.maboko.de)

Stephen J. Bevan

2005-10-28, 5:29 pm

Martin Bodenstedt <martin.bodenstedt@gmx.de> writes:
> Stephen J. Bevan wrote:
>
> Basically yes.
>
> But depending on the software used the central network admin has the
> control over the client's routing options...


Isn't that another way of saying what I wrote in the next sentence
after the one you quoted? That is :-
Graham Murray

2005-10-29, 5:46 pm

Martin Bodenstedt <martin.bodenstedt@gmx.de> writes:

> Suddenly all other PCs on your local network can access the
> customer's network and - which is worse - your customer's network has
> a rogue internet connection (through your PC) bypassing that network's
> internet access policy.


How is that going to happen without some serious reconfiguration both
on your system and its local network? To take some (hypothetical)
numbers. Your PC has IP address 192.168.0.2 on the local network. When
you establish the VPN connection to the remote network this allocates
you IP address 10.0.0.3 on that network.

If your PC acted as a 'simple' router then any packets it received
with destination addresses in 10.0.0.0/8 it would send over the VPN,
but with a source address in 192.168.0.0/24, which the remote network
would not like and which will probably be rejected by the firewall in the
VPN endpoint. Add to that, the other systems (or at least the system
which is the default route) on the local LAN would have to be set up
with a static route for 10.0.0.0/8 via your PC.

For other systems to access the remote network via your PC, not only
would the static routes have to be set in the local network but your
PC would have to act as a NATting router and set the source address of
all packets to 10.0.0.3 before sending over the VPN.

For your PC to 'leak' the external internet to the remote VPN would
require even more complex configuration.

None of these things could happen accidentally. So if you are not
trusted enough to not deliberately subvert the remote system's
security then neither should you be trusted enough to have the VPN
connection to the remote network.
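As an added illustration that is not part of any post in this thread: the small routing model below shows the two behaviours discussed above, namely why a full tunnel sends everything (company mail, the internet, the customer's hosts) through the VPN interface while a split tunnel sends only the remote prefix there, and Graham Murray's point that a neighbouring LAN host's packet forwarded over the tunnel keeps its 192.168.0.x source address unless the PC also NATs it. The 192.168.0.2 and 10.0.0.3 addresses are the hypothetical numbers from Graham's post; the gateway, server and interface names are constructed for the example, and the routing tables are a simplified model of what a VPN client installs, not a dump from any real client.

```python
"""Longest-prefix-match routing model: full tunnel vs. split tunnel."""
import ipaddress

# Constructed addresses. The two host addresses follow the hypothetical
# numbers in Graham Murray's post; the rest are documentation-range placeholders.
MY_LAN_ADDR = "192.168.0.2"      # the PC on its local network
MY_VPN_ADDR = "10.0.0.3"         # address allocated by the remote (customer) network
VPN_GATEWAY = "203.0.113.1"      # public address of the customer's VPN concentrator
COMPANY_MAIL = "192.168.0.10"    # company mail server on the local LAN
INTERNET_HOST = "198.51.100.7"   # an arbitrary web server on the internet
CUSTOMER_HOST = "10.0.0.20"      # a server inside the customer network

# Routing tables as (prefix, outgoing interface): eth0 = physical NIC, tun0 = VPN.
NO_VPN = [("0.0.0.0/0", "eth0"), ("192.168.0.0/24", "eth0")]

# Full tunnel (simplified): the default route moves to the tunnel and only a
# host route to the concentrator itself stays on the physical interface.
FULL_TUNNEL = [("0.0.0.0/0", "tun0"), (VPN_GATEWAY + "/32", "eth0")]

# Split tunnel: only the remote network's prefix is routed into the tunnel.
SPLIT_TUNNEL = [("0.0.0.0/0", "eth0"), ("192.168.0.0/24", "eth0"),
                ("10.0.0.0/8", "tun0")]


def route_for(table, dst):
    """Return the interface a packet to dst leaves by (longest prefix wins)."""
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def reachability(table):
    """Map each sample destination to the interface it is routed out of."""
    samples = [("company_mail", COMPANY_MAIL), ("internet", INTERNET_HOST),
               ("customer_host", CUSTOMER_HOST), ("vpn_gateway", VPN_GATEWAY)]
    return {name: route_for(table, dst) for name, dst in samples}


def forward_from_lan(table, src, dst, nat=False):
    """Model the PC forwarding a LAN neighbour's packet (Graham Murray's scenario).

    Returns (interface, source address as the packet leaves, accepted_by_remote).
    The remote VPN endpoint is modelled as dropping anything whose source is
    outside its own 10.0.0.0/8 range, which is the rejection Graham describes;
    with nat=True the PC rewrites the source to its own tunnel address first.
    """
    iface = route_for(table, dst)
    out_src = MY_VPN_ADDR if (nat and iface == "tun0") else src
    accepted = True
    if iface == "tun0":
        accepted = ipaddress.ip_address(out_src) in ipaddress.ip_network("10.0.0.0/8")
    return iface, out_src, accepted


if __name__ == "__main__":
    for name, table in [("no VPN", NO_VPN), ("full tunnel", FULL_TUNNEL),
                        ("split tunnel", SPLIT_TUNNEL)]:
        print(f"{name:13s} {reachability(table)}")
    print("neighbour -> customer, no NAT :", forward_from_lan(SPLIT_TUNNEL, "192.168.0.5", CUSTOMER_HOST))
    print("neighbour -> customer, NAT    :", forward_from_lan(SPLIT_TUNNEL, "192.168.0.5", CUSTOMER_HOST, nat=True))
```

Under the full-tunnel table both the company mail server and the internet resolve to tun0, which is exactly the "lose Outlook and internet" symptom in the original question; the only thing still on eth0 is the host route to the concentrator. The forwarding model shows that a neighbour's packet only gets past the remote end once the PC has been deliberately configured to NAT it to 10.0.0.3, which is Graham's argument that such leakage requires explicit setup rather than happening by accident.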

Stephen J. Bevan

2005-10-29, 5:46 pm

Graham Murray <newspost@gmurray.org.uk> writes:
> Martin Bodenstedt <martin.bodenstedt@gmx.de> writes:
>
>
> How is that going to happen without some serious reconfiguration both
> on your system and its local network?


If your PC supports any ability to remotely control it (e.g. telnet,
ssh, Back Orifice, trojan allowing remote access) from the internet
then a third party can in theory control your computer. Whether
theory meets practice depends on exactly what sort of remote control
software is on your PC, but even usually safe software like ssh has
had the occasional bug which could be exploited to allow remote
access.

So, assuming*** you are running vulnerable remote access software on
your computer and you have split-tunnelling enabled while connecting
to your company's internal site then your company's site is now
accessible to a third party in real-time. If split-tunneling is
disabled a third party cannot access your company's internal site in
real-time via your internet connection.

If real-time access is needed by the third party then the best they
could do would be to setup some software on your PC that would
automatically try to create an outbound connection over the VPN to
another machine they control and then connect back in over that.
Since that connection has to go via the company's firewall(s) then
they have the necessary opportunity to block this access e.g. using
intrusion prevention software.

------------------

*** Since the company network administrator has no simple way of
knowing whether you are running vulnerable software or not, the
only safe assumption is that you are.

Martin Bodenstedt

2005-10-31, 2:46 am

Graham Murray wrote:
> Martin Bodenstedt <martin.bodenstedt@gmx.de> writes:

> How is that going to happen without some serious reconfiguration both
> on your system and its local network? To take some (hypothetical)
> numbers. Your PC has IP address 192.168.0.2 on the local network. When
> you establish the VPN connection to the remote network this allocates
> you IP address 10.0.0.3 on that network.


The point - from a network administrator's point of view - is simply that
it *can* be done (either actively by a remote user in a "destructive"
mood or by some imported malware).

> None of these things could happen accidentally. So if you are not
> trusted enough to not deliberately subvert the remote system's
> security then neither should you be trusted enough to have the VPN
> connection to the remote network.


It depends on what you call "accidentally". The point simply is that the
remote computer connecting via VPN is *not* under the control of the
corporate network administrator.


--
Martin Bodenstedt

(www.die-bodenstedts.de / www.maboko.de)

Martin Bodenstedt

2005-10-31, 7:52 am

Stephen J. Bevan wrote:

> *** Since the company network administrator has no simple way of
> knowing whether you are running vulnerable software or not, the
> only safe assumption is that you are.


Thanks for so succinctly explaining the point I'm trying to get across
here ;-)


--
Martin Bodenstedt

(www.die-bodenstedts.de / www.maboko.de)

Martin Bodenstedt

2005-10-31, 7:52 am

Stephen J. Bevan wrote:
> Martin Bodenstedt <martin.bodenstedt@gmx.de> writes:

> Isn't that another way of saying what I wrote in the next sentence
> after the one you quoted? That is :-

Yes :-)


--
Martin Bodenstedt

(www.die-bodenstedts.de / www.maboko.de)

Copyright 2003 - 2008 webservertalk.com