Re: E-mail routing over VPN



In article <draf0l$mm7$1@xxxxxxxxxxxxxx>, martin.bodenstedt@xxxxxx
says...
> Chris Barnabo wrote:
> > In article <dqlc01$8is$2@xxxxxxxxxxxxxx>, martin.bodenstedt@xxxxxx
> > says...
> > > What kind of VPN software do you use that allows split tunneling in the
> > > first place?
> >
> > Hello Martin,
> >
> > I'm using SafeNet's SoftRemote VPN product. It allows you to specify
> > which range of IP addresses should be directed down the VPN path;
> > everything else goes down the direct pipe to the internet provider.
>
> How in this case do you prevent malicious software downloaded from the
> internet from infecting the corporate network through the VPN?

Bear in mind that I'm a VPN user, not a network engineer ... :-)

I can't speak for SafeNet's capabilities in this regard, but the other
products I've used that provide for split tunneling are supposed to
block any routing of traffic from the internet pipe to the VPN pipe (and
vice-versa). Of course, that only works presuming that the person at
the keyboard isn't trying to actively subvert it, but then if they were
planning to do that you're already exposed by virtue of them having
access to the network at all.

The VPN network would also be exposed to the possibility of malware
infection through the connected machine - someone could pick up bad code
down the internet path that turns around and tries to connect down the
VPN path. But that risk could also exist if the user were solely
connected to the VPN - e.g. the user could surf to a site which installs
malicious code by going through the VPN and out through that network's
proxy servers, etc. A clear case where defense in depth is needed -
reliable code on the user workstation to prevent infections, AND
reliable mechanisms within the VPN network to defend against problems.
Too many folks think that the firewall is going to protect their
internal network, only to have it compromised when they plug an infected
machine into it from the inside.

-- Chris

Chris Barnabo, chris@xxxxxxxxxxx
http://www.spagnet.com
"The heck with the Prime Directive, let's destroy something!"
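The two mechanisms discussed above (destination ranges that select the VPN path, and a client that refuses to forward traffic between its two pipes) modelled in a few lines, as an added example that is not SafeNet code and not part of the original post. The address ranges, interface names, local addresses and the packet list are constructed assumptions for illustration; the last packet shows why the forwarding guard alone does not cover the malware case Chris describes.

```python
"""Split-tunnel routing decision plus the no-forwarding guard a VPN
client is expected to enforce.  Illustrative model only; all addresses
and interface names below are assumptions, not SafeNet settings."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed split-tunnel policy: only these ranges go down the tunnel.
VPN_RANGES = [ipaddress.ip_network("10.0.0.0/8"),
              ipaddress.ip_network("192.168.100.0/24")]
VPN_IF, DIRECT_IF = "vpn0", "eth0"          # interface names (assumed)
LOCAL_ADDRS = {"192.0.2.10", "10.99.0.5"}   # this host's ISP-side and tunnel addresses (assumed)


def egress_for(dst: str) -> str:
    """Route selection: a destination inside a VPN range takes the
    tunnel, everything else goes straight to the internet provider."""
    addr = ipaddress.ip_address(dst)
    return VPN_IF if any(addr in net for net in VPN_RANGES) else DIRECT_IF


@dataclass
class Packet:
    src: str
    dst: str
    in_if: str   # interface it arrived on, or "local" if this host originated it


def decide(pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (verdict, outgoing interface).

    Traffic addressed to this host is delivered.  Anything that arrived
    on one pipe and is not for this host is dropped: the client is a
    host, not a router, so internet->VPN and VPN->internet forwarding
    is blocked.  Locally originated traffic is routed by egress_for().
    """
    if pkt.dst in LOCAL_ADDRS:
        return "deliver", "lo"
    if pkt.in_if != "local":
        return "drop", None
    return "send", egress_for(pkt.dst)


# Constructed sample traffic, labelled with the scenario each line models.
SAMPLE: List[Packet] = [
    Packet("10.99.0.5", "10.1.2.3", "local"),        # user opens a corporate file share
    Packet("192.0.2.10", "93.184.216.34", "local"),  # user browses a public web site
    Packet("203.0.113.5", "10.1.2.3", "eth0"),       # internet host tries to reach corp net via this client
    Packet("10.1.2.3", "198.51.100.7", "vpn0"),      # corp host tries to reach the internet via this client
    Packet("203.0.113.5", "192.0.2.10", "eth0"),     # inbound reply for this host itself
    Packet("10.99.0.5", "10.1.2.3", "local"),        # malware running on this host: looks like the user
]


def run(packets: List[Packet] = SAMPLE) -> List[Tuple[str, str, str, str, Optional[str]]]:
    """Evaluate every packet; returns (src, dst, in_if, verdict, out_if)."""
    return [(p.src, p.dst, p.in_if) + decide(p) for p in packets]


if __name__ == "__main__":
    for row in run():
        print("%-14s -> %-16s in=%-6s %s %s" % row)
```

Packets 3 and 4 are what the split-tunnel client's guard is meant to stop, and the model drops them. Packet 6 is the residual risk in the thread: code that runs on the client originates its own connections, so the guard sees exactly what it sees for the user's own file-share traffic and sends it down the tunnel. Only host-side controls and defenses inside the corporate network cover that case.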