It was <2014-01-27 Mon 14:46>, when Suresh Kumar N. wrote:
> On Mon, Jan 27, 2014 at 10:42 AM, 김태섭 <[email protected]> wrote:
>>
>> Well let's discuss the multi-VPN.
>> Multi-VPN = Split tunneling
>>
>> What is the Split tunneling(Multi-VPN)?
>> Captive tunnel: Client’s “default route” points into tunnel to IPsec
>> gateway; other routes not allowed
>> Split tunnel: Client’s default route is into Internet; specific routes to
>> trusted network are loaded into Client’s routing table by IPsec Gateway
>>
>> Why allow split tunneling(Multi-VPN)?
>>
>> 1) Avoid wasting bandwidth at VPN hub site
>>     - Internet traffic of clients would traverse the hub site
>>     - (Can be avoided by policy blocking Internet access during remote
>> access, forcing client to logout of VPN)
>> 2) Short DHCP/PPPoE leases may require frequent contact to server at
>> client's ISP
>>    - Can't contact server if all routes point to VPN tunnel
>> 3) Convenience of keeping VPN connection up during other Internet access
>
> Split tunneling surely has its set of Pros and Cons as stated below -
> Pros -
> 1. Bandwidth conservation at VPN server
> 2. Profile based network access; applications configured for a profile
>    specifically access network ONLY through VPN Server whereas other
>    can access unsecured networks (or at times other Secured Networks,
>    in case a company maintains separate VPN Servers based on certain
>    conditions).
>
> Cons -
> 1. Expose Internal Network and resources to external attacks/attackers
>    through VPN client - Can be avoided through Inverse Split tunneling (along
>    with Network Access Control - NAC)
> 2. DNS hijacking by ISPs.
>
> We need to note that a malware downloaded to a client system during
> internet access when VPN is disabled (or through unsecured sources) can
> also result in a threat to Internal Network when VPN is connected.
>
> In a way Split Tunnel is a feature which can overturn the security aspect
> provided by a VPN, but at the same time it cannot be overlooked as a
> feature.

Considering the pros and cons stated above I would humbly recommend enabling
both scenarios. The user (manager) should be able to define which VPNs
(there can be more than one) can run in a "split" mode and which cannot.

For example there can be a separate VPN for accessing a (web?)mail system
which can run in split mode next to normal routing, and another to
access some more sensitive systems that cannot run if it is not the
default route.

Yet another feature is to give access to a VPN only to certain (signed)
applications.

Just my 0,02€

Humble regards,
-- 
Łukasz Stelmach
Samsung R&D Institute Poland
Samsung Electronics

Attachment: pgpr1XMpgf92L.pgp
Description: PGP signature

_______________________________________________
Dev mailing list
[email protected]
https://lists.tizen.org/listinfo/dev
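The captive/split distinction quoted at the top of the thread, and the per-VPN "split allowed / must be default route" policy proposed above, as a small routing model. This is an added example written for this page; it is not Tizen code and not from anyone in the thread. The interface names (eth0, tun0, tun1), the LAN prefix, the pushed prefix 10.1.0.0/24 and the two profile names are constructed for the demo. Captive mode is implemented exactly as defined in the quote: the tunnel takes the default route and no other VPN routes are installed; only the local-link route is kept so the tunnel endpoint itself stays reachable (an assumption the quote does not spell out).

```python
"""Route-selection model for captive vs. split tunnelling (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List

# Constructed sample values: the client's physical interface and LAN.
PHYSICAL_DEV = "eth0"
LOCAL_NET = "192.168.1.0/24"


@dataclass
class Vpn:
    """One VPN profile. mode is 'split' (the gateway pushes specific routes,
    default route stays on the Internet) or 'captive' (the tunnel must be the
    default route and no other VPN routes are allowed)."""
    name: str
    device: str
    mode: str
    pushed_routes: List[str] = field(default_factory=list)


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    device: str


def build_routing_table(active_vpns: List[Vpn],
                        physical_dev: str = PHYSICAL_DEV,
                        local_net: str = LOCAL_NET) -> List[Route]:
    """Routes the client ends up with for the given set of active VPNs.

    At most one captive VPN can own the default route. While a captive VPN is
    up, split-mode VPNs install nothing ("other routes not allowed"); otherwise
    each split VPN adds only the prefixes its gateway pushed.
    """
    captive = [v for v in active_vpns if v.mode == "captive"]
    if len(captive) > 1:
        raise ValueError("two captive VPNs would both need to be the default route")
    # Local-link route kept in every mode (assumption, see lead-in).
    table = [Route(ipaddress.ip_network(local_net), physical_dev)]
    default_dev = captive[0].device if captive else physical_dev
    table.append(Route(ipaddress.ip_network("0.0.0.0/0"), default_dev))
    if not captive:
        for vpn in active_vpns:
            if vpn.mode == "split":
                for prefix in vpn.pushed_routes:
                    table.append(Route(ipaddress.ip_network(prefix), vpn.device))
    return table


def egress(table: List[Route], dst: str) -> str:
    """Longest-prefix match: the device a packet to dst leaves through."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen).device


# Constructed profiles: a webmail VPN allowed to run split, and a VPN for
# sensitive systems that refuses to run unless it is the default route.
MAIL_VPN = Vpn("webmail", "tun0", "split", ["10.1.0.0/24"])
SENSITIVE_VPN = Vpn("sensitive", "tun1", "captive")


def demo() -> dict:
    """Where traffic goes with only the split VPN up, and with both up."""
    split_only = build_routing_table([MAIL_VPN])
    both = build_routing_table([MAIL_VPN, SENSITIVE_VPN])
    dests = {"webmail": "10.1.0.10", "internet": "93.184.216.34", "lan": "192.168.1.1"}
    return {
        "split_only": {k: egress(split_only, v) for k, v in dests.items()},
        "both": {k: egress(both, v) for k, v in dests.items()},
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(scenario, result)
```

With only the webmail VPN up, 10.1.0.0/24 wins over the default route by longest-prefix match and everything else stays on eth0, which is the bandwidth saving from point 1 of the quote. Once the captive VPN comes up, even webmail traffic is pulled into tun1, and a second captive profile is rejected outright because two tunnels cannot both be the default route.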