On Wed, 9 Oct 2002, Jim MacLeod wrote:

> There's a lot of FUD being touted by firewall vendors about the possibility
> of a home computer being hacked, then the attacker using that computer's
> VPN connection to the office to break into the company network.

If you disable split-tunnelling, this isn't much of an issue. There's a far greater fear of the user picking up a virus on the public Internet and then connecting to your company through VPN. The virus could work its way into your internal network, causing all sorts of grief.

Without a split-tunnel, though, you create a major issue for people using local printers (on their home networks) and in branch offices; suddenly they can't access anything local and are forced to use enterprise-wide services. There's also the issue of lag -- if the VPN server is in LA, and your users are in Boston, but there's a network connection back to the local corporate network in Boston, users who use services from your Boston-based hosts are quite lagged when they go home and VPN in for the night. (Installing a server in Boston fixes this, though!) Some or all of these issues may cause things to fail in your environment.

> I can see this as a possibility and realize that we could easily get into
> an extended discussion of the probability/impossibility/inevitability of it
> occurring. I personally want to avoid speculation.
>
> Does anybody know of an actual incident where this attack was used,
> successfully or not?

With split-tunneling turned on, though, it's possible for someone to attack the employee's machine and use that machine as a stepping stone to greater access. In the wild, I have seen probes come from people's home Linux machines (while using a split-tunneled Cisco VPN client) when their home machine has been penetrated and the user has left the machine logged in. This mode of attack can happen and (although rare) I do feel that it's no longer a speculative issue.

Why take the chance? Don't enable split-tunneling.
-john

_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
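The trade-off argued in the reply above comes down to which routes the VPN client installs on the home machine. The following is an added example, not code from the original post or from any VPN vendor: it models the two route tables with longest-prefix matching, shows where traffic to a home printer, a corporate host and an Internet host leaves the machine under each policy, and includes a posture check a defender can run against a real routing table to flag a split-tunneled host. Interface names (tun0, eth0), the corporate prefix 10.0.0.0/8 and the sample addresses are constructed assumptions.

```python
import ipaddress

TUN = "tun0"  # assumed name of the VPN client's virtual interface
LAN = "eth0"  # assumed name of the home-network interface

# Constructed route tables: (destination prefix, outgoing interface).
# Tunnel-all: the client owns the default route, so even the home printer's
# subnet is sent into the tunnel and stops being reachable locally.
TUNNEL_ALL = [("0.0.0.0/0", TUN)]
# Split tunnel: only the corporate prefix (assumed 10.0.0.0/8) uses the
# tunnel; the home LAN and the public Internet stay on the local interface.
SPLIT = [("0.0.0.0/0", LAN), ("192.168.1.0/24", LAN), ("10.0.0.0/8", TUN)]

# Constructed sample destinations from the scenarios in the post.
DESTINATIONS = {
    "home printer": "192.168.1.20",
    "corporate host": "10.20.5.8",
    "internet host": "198.51.100.7",
}


def lookup(routes, dst):
    """Longest-prefix match: the interface a packet to dst leaves on."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def reachability(routes):
    """Map each sample destination to the interface it is routed over."""
    return {name: lookup(routes, ip) for name, ip in DESTINATIONS.items()}


def is_split_tunnel(routes, tun=TUN):
    """Posture check: corporate prefixes go via the tunnel while the default
    route does not, i.e. the host is on the VPN and the Internet at once."""
    default_iface = dict(routes).get("0.0.0.0/0")
    uses_tun = any(i == tun and p != "0.0.0.0/0" for p, i in routes)
    return uses_tun and default_iface != tun


if __name__ == "__main__":
    for name, routes in (("tunnel-all", TUNNEL_ALL), ("split", SPLIT)):
        print(name, reachability(routes), "split-tunnel:", is_split_tunnel(routes))
```

Feeding `is_split_tunnel` the parsed output of the host's own routing table turns it into a simple compliance check for a "no split-tunneling" policy.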
This archive was generated by hypermail 2b30 : Wed Oct 09 2002 - 17:09:12 PDT