VPN Clients and Split Tunneling

• Relates to: MCSE 2000 | MCSE 2003 | MCSA 2000 | MCSA 2003

Chances are you're in the process of rolling out a new VPN client/server setup, or you're already managing one. Windows 2000 VPNs are fun to design and configure because there are so many options available. Hub and spoke or mesh? PPTP or L2TP/IPSec? VPN server or VPN gateway? Policy via the user account or via remote access policy? What's really great is that configuring VPN client/server setups is easy, in spite of all those options.

I was talking to a friend yesterday about a VPN he was setting up. He was very excited about the whole thing and spent over an hour telling me each and every detail of his design. During a breathless moment at the end of his story, I asked him if he planned to disable split tunneling for his VPN clients. He gave me a cross-eyed look and finally asked "what's split tunneling?"

What are you supposed to do when you haven't heard of something? Hit the TechNet CD! So we went to a computer with a TechNet CD on it and searched for "split tunneling". No results. Then we tried "split tunnel". Still nothing. Then we tried "'split' near 'tunnel'". Still nothing. No wonder my friend had never heard of split tunneling. Clearly no one at Microsoft had heard of it either!

You can run into real security problems with VPNs that allow split tunneling, and the problem centers on VPN client configuration. The default Microsoft VPN client configuration is secure, because by default it does NOT allow split tunneling. You only run into problems when the default setting is changed. Sometimes you need to make this change, and sometimes the change is made deliberately to get around network security. Because the setting lives on the client, any user who can open the connection's properties can flip it, so it is something to audit rather than assume.

Now what is this mysterious setting I'm talking about? It's the "Use default gateway on remote network" option on the VPN client. Where it appears depends on the version of the Microsoft VPN client you're using. On a Windows XP Professional computer, you'll find it this way:

1) Right-click the My Network Places icon on the desktop and click Properties.

2) In the Network Connections window, right-click your VPN client connection and click Properties.

3) Click the Networking tab, select the Internet Protocol (TCP/IP) entry, and click the Properties button.

4) On the General tab of the Internet Protocol (TCP/IP) Properties dialog box, click the Advanced button.

5) On the General tab of the Advanced TCP/IP Settings dialog box, note the "Use default gateway on remote network" check box.
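The five steps above inspect one connection by hand. As an added example (not code from the original article), here is a script that audits every entry in the Windows RAS phonebook for the same setting, which is stored per connection in rasphone.pbk as IpPrioritizeRemote (1 = "Use default gateway on remote network" checked, 0 = cleared, i.e. split tunneling on). The phonebook contents in the script are constructed; the phonebook paths given in the docstring and the use of Type=2 to recognise VPN entries are assumptions, not something the article states.

```python
"""Audit Windows RAS phonebook (rasphone.pbk) entries for split tunneling.

Added example; not code from the original article.  The "Use default
gateway on remote network" check box is stored per connection as
IpPrioritizeRemote=1; a 0 means the box was cleared, i.e. split tunneling
is on.  Assumptions (not stated in the article): Type=2 marks a VPN entry;
the phonebook lives at
  %APPDATA%\\Microsoft\\Network\\Connections\\Pbk\\rasphone.pbk     (per-user)
  %ProgramData%\\Microsoft\\Network\\Connections\\Pbk\\rasphone.pbk (all users)
"""
import sys
from typing import Dict, List, Tuple

# Constructed phonebook: a compliant VPN entry, a split-tunneled VPN entry,
# and a plain dial-up entry (Type=1) that the fixer must leave alone.
SAMPLE_PBK = """\
[HQ VPN]
Encoding=1
Type=2
IpPrioritizeRemote=1
PhoneNumber=vpn.example.com
MEDIA=rastapi
Port=VPN2-0
Device=WAN Miniport (PPTP)

[Branch VPN]
Encoding=1
Type=2
IpPrioritizeRemote=0
PhoneNumber=branch.example.com
MEDIA=rastapi
Port=VPN2-1
Device=WAN Miniport (L2TP)

[Modem ISP]
Encoding=1
Type=1
IpPrioritizeRemote=1
PhoneNumber=5551212
"""


def parse_pbk(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI reader.  configparser is avoided on purpose: real
    phonebooks repeat keys (MEDIA=, DEVICE=) inside one section, which it
    rejects in strict mode.  The first occurrence of a key wins."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            entries[current].setdefault(key.strip(), value.strip())
    return entries


def split_tunnel_entries(text: str) -> List[str]:
    """Names of VPN entries whose remote default gateway is switched off."""
    return [name for name, kv in parse_pbk(text).items()
            if kv.get("Type") == "2" and kv.get("IpPrioritizeRemote") == "0"]


def enforce_remote_gateway(text: str) -> str:
    """Return the phonebook with IpPrioritizeRemote forced to 1 in every
    split-tunneled VPN entry.  Every other line is preserved so the result
    can be written straight back over the original file."""
    targets = set(split_tunnel_entries(text))
    out: List[str] = []
    current = None
    for raw in text.splitlines(keepends=True):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current in targets and line == "IpPrioritizeRemote=0":
            raw = raw.replace("IpPrioritizeRemote=0", "IpPrioritizeRemote=1", 1)
        out.append(raw)
    return "".join(out)


def read_pbk(path: str) -> Tuple[str, str]:
    """Return (text, encoding).  Sniffs a UTF-16 BOM, otherwise assumes
    UTF-8/ANSI; the on-disk encoding varies by Windows version (assumption)."""
    with open(path, "rb") as fh:
        data = fh.read()
    enc = "utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
    return data.decode(enc, errors="replace"), enc


if __name__ == "__main__":
    # Usage: python pbk_audit.py [rasphone.pbk] [--fix]
    # With no path the constructed sample is audited.
    paths = [a for a in sys.argv[1:] if a != "--fix"]
    text, enc = read_pbk(paths[0]) if paths else (SAMPLE_PBK, "utf-8")
    bad = split_tunnel_entries(text)
    print("split-tunneled VPN entries:", ", ".join(bad) or "none")
    if bad and paths and "--fix" in sys.argv:
        with open(paths[0], "w", encoding=enc, newline="") as fh:
            fh.write(enforce_remote_gateway(text))
        print("rewrote", paths[0], "with IpPrioritizeRemote=1")
```

Run it with no arguments and it flags the constructed "Branch VPN" entry; point it at a real phonebook (add --fix to rewrite it) to audit a machine. On Windows 8 and later the same bit is also exposed through the VpnClient PowerShell module as the SplitTunneling property of Get-VpnConnection and the -SplitTunneling switch of Set-VpnConnection.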

This is a significant setting. It makes the difference between a secure VPN client connection and VPN clients that serve as gateways for attackers, viruses, and worms into your network.


VPN Client Default Route

The "Use default gateway on remote network" option is enabled by default. When the VPN client connects to the VPN server, a new default route pointing at the VPN interface is added to the client's routing table with a metric lower than that of the existing default route, so it takes precedence. You can view both routes by opening a command prompt and typing "route print". The old default route dates from the initial dial-up connection (assuming the VPN client reaches its ISP via a modem): it points at the ISP's router and is what lets the dial-up client reach the Internet. It is not removed, only demoted, and Windows also keeps a host route to the VPN server's public address through the ISP's router, so the tunnel's own packets are never routed into the tunnel.

A VPN client with "Use default gateway on remote network" enabled can no longer reach the Internet directly: once the new default route is in place, every packet for a non-local destination leaves through the VPN interface. The only local network is the one the ISP assigned to the modem interface, so everything else, Internet traffic included, is forwarded to the VPN server through the client's VPN interface. Whether it gets any further depends on the VPN server's network: if the corporate firewall or proxy forwards it, the user still has Internet access, but only through the corporate perimeter and subject to its filtering.

This is exactly what you want. You do not want VPN clients on your private network *and* on the Internet at the same time; allowing both is like spraying nerve gas on your network security infrastructure. With both paths open, the VPN client becomes a gateway between the Internet and your private network: anything that reaches the client from its Internet side (an attacker, a virus, or a worm) has a route through the tunnel into your network that bypasses your perimeter firewall entirely.

You have a split-tunnel configuration when clients can reach the VPN and the Internet at the same time. Split tunneling is enabled when the "Use default gateway on remote network" option is *disabled* for the VPN interface: the ISP's default route then stays in force, and only traffic for the remote network (Windows adds a route for the address class of the IP the VPN server handed out) goes into the tunnel. Now you understand why split tunneling can be so toxic to network security.
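The routing logic described above, as an added example that is not part of the original article: two constructed "route print" listings, one with the option on and one with it off, and a parser that reproduces the longest-prefix, lowest-metric lookup Windows performs so you can ask where any destination would leave the box. It goes slightly beyond the text by implementing the general lookup rather than just reading off the default route. Addresses are from the documentation ranges (ISP side 198.51.100.0/24, VPN server 203.0.113.10, tunnel address 10.0.0.5), and 192.0.2.1 stands in for "somewhere on the Internet".

```python
"""Decide from a Windows `route print` listing whether a VPN client is
split-tunneled, by reproducing the lookup Windows itself performs.

Added example; not code from the original article.  Route tables below are
constructed to match the XP-era layout the article describes.  Newer
Windows prints "On-link" instead of a gateway address for PPP interfaces;
the parser accepts either form."""
import ipaddress
import os
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional

# Constructed: "Use default gateway on remote network" ON.  The tunnel's
# default route (metric 1) outranks the ISP's (demoted to metric 2); the
# host route to the VPN server keeps the tunnel itself on the ISP path.
FULL_TUNNEL = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     198.51.100.1   198.51.100.20      2
          0.0.0.0          0.0.0.0         10.0.0.5        10.0.0.5      1
     198.51.100.0    255.255.255.0    198.51.100.20   198.51.100.20      1
     203.0.113.10  255.255.255.255     198.51.100.1   198.51.100.20      1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
Default Gateway:          10.0.0.5
===========================================================================
"""

# Constructed: option OFF (split tunnel).  No default route via the tunnel;
# Windows only adds a class-based route (10.0.0.0/8) for the remote side.
SPLIT_TUNNEL = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     198.51.100.1   198.51.100.20      1
         10.0.0.0        255.0.0.0         10.0.0.5        10.0.0.5      1
     198.51.100.0    255.255.255.0    198.51.100.20   198.51.100.20      1
     203.0.113.10  255.255.255.255     198.51.100.1   198.51.100.20      1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
Default Gateway:      198.51.100.1
===========================================================================
"""


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: str      # next-hop address, or "On-link" on newer Windows
    interface: str    # address of the interface the packet leaves through
    metric: int


def parse_route_print(text: str) -> List[Route]:
    """Extract the IPv4 'Active Routes' rows from `route print` output."""
    routes: List[Route] = []
    in_table = False
    for line in text.splitlines():
        fields = line.split()
        if fields[:2] == ["Network", "Destination"]:
            in_table = True
        elif in_table and len(fields) == 5 and fields[4].isdigit():
            dest, mask, gw, iface, metric = fields
            net = ipaddress.IPv4Network((dest, mask), strict=False)
            routes.append(Route(net, gw, iface, int(metric)))
        elif in_table and fields and fields[0].startswith("="):
            break  # end of the IPv4 table (IPv6 follows on newer Windows)
    return routes


def next_hop(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, ties broken by lowest metric: the rule the
    Windows stack applies when it picks an outgoing route."""
    ip = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if ip in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def is_split_tunneled(routes: List[Route], tunnel_ip: str) -> bool:
    """True when a packet for an arbitrary Internet host would leave on a
    non-tunnel interface.  192.0.2.1 (TEST-NET-1) stands in for 'anywhere
    on the Internet'; tunnel_ip is the address the VPN server handed out."""
    hop = next_hop(routes, "192.0.2.1")
    return hop is None or hop.interface != tunnel_ip


if __name__ == "__main__":
    if os.name == "nt" and len(sys.argv) == 2:
        # Live check: python split_check.py <tunnel address from ipconfig>
        text = subprocess.run(["route", "print"], capture_output=True,
                              text=True, check=True).stdout
        tunnel = sys.argv[1]
    else:
        text, tunnel = FULL_TUNNEL, "10.0.0.5"
    routes = parse_route_print(text)
    hop = next_hop(routes, "192.0.2.1")
    print("split tunnel" if is_split_tunneled(routes, tunnel) else "full tunnel",
          "- Internet traffic leaves via", hop.interface if hop else "no route")
```

On a Windows machine, pass the tunnel address shown by ipconfig for the PPP adapter and the script classifies the live routing table; anywhere else it classifies the constructed tables. Note that in both tables the VPN server's own address still resolves to the ISP interface because of the /32 host route, which is what keeps the tunnel from trying to carry itself.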

While this is the best configuration for you and your network's security, it can lead to many Help Desk calls. VPN users may complain that they can't surf to porno sites, connect to AOL "cyber" rooms, use Kazaa, Morpheus,...

© 1999 - 2008 CramSession. All Rights Reserved.