Best Technology Articles


Chances are you're in the process of rolling out a new VPN client/server setup, or you're already managing one. Windows 2000 VPNs are fun to design and configure because there are so many options available. Hub and spoke or mesh? PPTP or L2TP/IPSec? VPN server or VPN gateway? Policy via user account or RAS policy? What's really great is that configuring VPN client/server setups is easy, in spite of the fact that you have so many options.

I was talking to a friend yesterday about a VPN he was setting up. He was very excited about the whole thing and spent over an hour telling me each and every detail of his design. During a breathless moment at the end of his story, I asked him if he planned to disable split tunneling for his VPN clients. He gave me a cross-eyed look and finally asked "what's split tunneling?"

What are you supposed to do when you haven't heard of something? Hit the TechNet CD! So we went to a computer with a TechNet CD on it and searched for "split tunneling". No results. Then we tried "split tunnel". Still nothing. Then we tried "'split' near 'tunnel'". Still nothing. No wonder my friend had never heard of split tunneling. Clearly no one at Microsoft had heard of it either!

You can run into some real security problems with VPNs that allow split tunneling. The problem centers around VPN client configuration. The default Microsoft VPN client configuration is secure. That's because the default Microsoft VPN client configuration does NOT allow split tunneling. You only run into problems when you change the default setting. Sometimes you need to make this change, and sometimes the change is made to subvert network security.

Now what is this mysterious setting I'm talking about? It's the "Use default gateway on remote network" option on the VPN client. This option appears in various places, depending on the version of the Microsoft VPN client you're using. On a Windows XP Pro computer, you'll find it this way:

1) Right click the My Network Places icon on the desktop and click Properties.

2) Right click on your VPN client connections in the Network Connections window and click Properties.

3) Click the Networking tab, and then click on the Internet Protocol (TCP/IP) entry and click the Properties button.

4) On the General tab of the Internet Protocol (TCP/IP) Properties dialog box, click the Advanced button.

5) On the General tab of the Advanced TCP/IP Settings dialog box, note the "Use default gateway on remote network" check box.

This is a significant setting. It makes the difference between a secure VPN client connection and a VPN client that is a gateway for hackers, viruses, and worms into your network.
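Clicking through five dialog boxes does not scale to a fleet of clients, so here is an added example (not code from the original article) that audits the setting from the client side. The check box is stored in the RAS phonebook file rasphone.pbk; the key name IpPrioritizeRemote (1 = checked, 0 = unchecked, i.e. split tunneling enabled), the companion Ipv6PrioritizeRemote key on newer clients, the two phonebook locations, and the use of Set-VpnConnection on Windows 8 / Server 2012 and later are assumptions drawn from current Windows builds; verify them on the client version you manage before relying on the script.

```powershell
<#
  Added example, not code from the original article: audit the RAS phonebook
  for VPN entries that have "Use default gateway on remote network" unchecked.

  Assumptions (verify on the Windows build you manage):
   - the check box is persisted in rasphone.pbk as IpPrioritizeRemote=1 (checked)
     or IpPrioritizeRemote=0 (unchecked, i.e. split tunneling enabled), with
     Ipv6PrioritizeRemote doing the same for IPv6 on newer clients;
   - phonebooks live under %APPDATA% (this user) and %ProgramData% (all users);
   - Get-VpnConnection / Set-VpnConnection exist only on Windows 8 / Server 2012
     and later, so the script falls back to editing the phonebook elsewhere.
#>
param(
    # Turn the option back on for every offending entry instead of only reporting.
    [switch]$Fix
)

$phonebooks = @(
    (Join-Path $env:APPDATA     'Microsoft\Network\Connections\Pbk\rasphone.pbk'),
    (Join-Path $env:ProgramData 'Microsoft\Network\Connections\Pbk\rasphone.pbk')
) | Where-Object { Test-Path -Path $_ }

function Get-PhonebookEntries {
    param([string]$Path)
    # rasphone.pbk is INI-like: "[Entry Name]" headers followed by key=value lines.
    $entries = [ordered]@{}
    $current = $null
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.+)\]\s*$') {
            $current = $Matches[1]
            $entries[$current] = @{}
        }
        elseif ($null -ne $current -and $line -match '^\s*([^=;]+?)\s*=\s*(.*)$') {
            $entries[$current][$Matches[1]] = $Matches[2]
        }
    }
    return $entries
}

$findings = foreach ($pbk in $phonebooks) {
    $entries = Get-PhonebookEntries -Path $pbk
    foreach ($name in $entries.Keys) {
        $e = $entries[$name]
        [pscustomobject]@{
            Phonebook            = $pbk
            Entry                = $name
            Server               = $e['PhoneNumber']   # for a VPN entry this holds the server host or IP
            IpPrioritizeRemote   = $e['IpPrioritizeRemote']
            Ipv6PrioritizeRemote = $e['Ipv6PrioritizeRemote']
            # Either address family routing its default traffic around the tunnel is a split tunnel.
            SplitTunneling       = ($e['IpPrioritizeRemote'] -eq '0') -or ($e['Ipv6PrioritizeRemote'] -eq '0')
        }
    }
}

$findings | Format-Table -AutoSize

$haveVpnClientModule = [bool](Get-Command -Name Set-VpnConnection -ErrorAction SilentlyContinue)

foreach ($f in $findings | Where-Object { $_.SplitTunneling }) {
    $global = $f.Phonebook -like "$env:ProgramData*"
    Write-Warning "Split tunneling enabled on '$($f.Entry)' ($($f.Phonebook))"
    if (-not $Fix) { continue }
    if ($haveVpnClientModule) {
        # -SplitTunneling $false is the cmdlet form of ticking the check box.
        Set-VpnConnection -Name $f.Entry -SplitTunneling $false -AllUserConnection:$global -Force
        Write-Host "Fixed '$($f.Entry)' with Set-VpnConnection"
    }
    else {
        # Older clients: rewrite the two keys inside this entry's section only.
        $inSection = $false
        $rewritten = foreach ($line in Get-Content -Path $f.Phonebook) {
            if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq $f.Entry) }
            if ($inSection -and $line -match '^(Ipv?6?PrioritizeRemote)=0\s*$') { "$($Matches[1])=1" }
            else { $line }
        }
        Set-Content -Path $f.Phonebook -Value $rewritten
        Write-Host "Fixed '$($f.Entry)' by editing $($f.Phonebook)"
    }
}
```

Run it without switches to get a report, and with -Fix (from an elevated prompt for the all-users phonebook) to re-check the box. The report is per phonebook entry, so a user who created a second connection to your server with the box cleared shows up as its own row rather than hiding behind the connection you deployed.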


VPN Client Default Route

The "Use default gateway on remote network" option is enabled by default. When the VPN client connects to the VPN server, a new default route (destination 0.0.0.0, netmask 0.0.0.0) through the VPN interface is added to the client's routing table. You can view this new route by opening a command prompt and typing the "route print" command. The old default gateway is not removed: for a dial-up client it was set to the ISP's router when the modem connection came up, and it stays in the table, but Windows raises the metric of that route so the new route through the tunnel takes precedence. The route through the ISP is what lets the dial-up client reach the Internet in the first place, and it is still used for one destination after the tunnel comes up, namely the VPN server's own address, because the tunnel packets themselves have to get there.

A VPN client with the "Use default gateway on remote network" setting enabled cannot reach the Internet directly, because once the new default route is added the VPN client uses the VPN interface to route packets to all remote (non-local) networks. Since every network except the one on the network ID the ISP assigned to the modem interface is non-local, all packets (other than those addressed to the VPN server itself) are forwarded to the VPN server through the client's VPN interface. Whether the client can browse the Internet at all then depends on what the VPN server does with that traffic; it never leaves the client through the ISP connection.

This is exactly what you want. You do not want VPN clients accessing your private network *and* the Internet at the same time. Allowing a VPN client to directly access the Internet and your internal network at the same time is like spraying nerve gas on your network security infrastructure. The reason is that the VPN client becomes a gateway between the Internet and your private network: it is reachable from the Internet on its ISP-assigned address while it holds an authenticated route into your network, so a worm, a remote-control trojan, or an attacker who gets onto the client can reach your internal hosts through the tunnel without ever touching your perimeter firewall.

You have a split tunnel configuration when you allow clients to connect to the VPN and the Internet at the same time. Split tunneling is enabled when the "Use default gateway on remote network" option is *disabled* for the VPN interface. Now you understand why split tunneling can be so toxic to network security. Keep in mind that the option is set on the client, in the user's own connection properties, rather than on the VPN server, so it has to be checked on the clients.
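The routing table is the ground truth for whether a connected client is split tunneling, whatever the check box says. The following added example (not code from the original article) reads the 0.0.0.0 routes the way "route print" shows them and decides which one Windows actually uses. It assumes Windows 8 / PowerShell 3 or later for Get-NetRoute, Get-NetIPInterface and Get-VpnConnection, and assumes that a Microsoft RAS tunnel's interface alias equals the connection name; on a Windows 2000/XP client, run "route print" and read the 0.0.0.0 rows and their metrics by hand.

```powershell
<#
  Added example, not code from the original article: show the two 0.0.0.0 routes
  that "route print" lists while a VPN is up and decide which one Windows really
  uses. Assumes Windows 8 / PowerShell 3 or later for Get-NetRoute, Get-NetIPInterface
  and Get-VpnConnection; on a Windows 2000/XP client run "route print" and read the
  0.0.0.0 rows and their metrics by hand.
#>
param(
    # Interface alias of the tunnel adapter. For a Microsoft RAS client it is the
    # connection's name (assumption); when omitted, the first connected VPN is used.
    [string]$VpnInterfaceAlias
)

if (-not $VpnInterfaceAlias -and (Get-Command -Name Get-VpnConnection -ErrorAction SilentlyContinue)) {
    $VpnInterfaceAlias = (Get-VpnConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.ConnectionStatus -eq 'Connected' } |
        Select-Object -First 1).Name
}
if (-not $VpnInterfaceAlias) {
    Write-Warning 'No connected VPN found; connect first or pass -VpnInterfaceAlias.'
    return
}

function Get-DefaultRoutes {
    # Windows prefers the default route with the lowest RouteMetric + InterfaceMetric.
    # With "Use default gateway on remote network" checked, RAS adds a 0.0.0.0/0 route on
    # the tunnel interface and raises the metric of the ISP route; the ISP route is NOT
    # removed, so two default routes coexist and only the metric tells them apart.
    $ifMetric = @{}
    foreach ($i in Get-NetIPInterface -AddressFamily IPv4) { $ifMetric[$i.ifIndex] = $i.InterfaceMetric }
    Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                InterfaceAlias  = $_.InterfaceAlias
                NextHop         = $_.NextHop
                RouteMetric     = $_.RouteMetric
                InterfaceMetric = $ifMetric[$_.ifIndex]
                EffectiveMetric = $_.RouteMetric + $ifMetric[$_.ifIndex]
            }
        } | Sort-Object -Property EffectiveMetric
}

$routes = @(Get-DefaultRoutes)
$routes | Format-Table -AutoSize

if ($routes.Count -eq 0) {
    Write-Warning 'No IPv4 default route at all; the client can reach neither the Internet nor the VPN server.'
    return
}

# The lowest effective metric is the route Windows actually uses for non-local traffic.
$winner = $routes[0]
if ($winner.InterfaceAlias -eq $VpnInterfaceAlias) {
    Write-Host "OK: default traffic leaves through '$VpnInterfaceAlias'; the Internet is reachable only via the VPN server."
}
else {
    $msg = "SPLIT TUNNEL: default traffic leaves through '{0}' (next hop {1}) while '{2}' is up; the client is on the Internet and the private network at the same time." -f
        $winner.InterfaceAlias, $winner.NextHop, $VpnInterfaceAlias
    Write-Warning $msg
}
```

Run it on a client while the VPN is connected. With the option checked you still see two 0.0.0.0 rows, one for the tunnel and one for the ISP adapter; the script reports OK because the tunnel row has the lower effective metric. With the option cleared there is no tunnel default route at all, the ISP row wins, and the script flags the split tunnel.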

4 comments:

I enjoyed reading this topic. Thank you
http://www.mexvpn.com


Greetings! This is my first comment here so I just wanted to give a quick shout out and tell you I truly enjoy reading through your articles. Can you suggest any other blogs/websites/forums that deal with the same topics? Thanks a ton! My blog post -
vpn service
dedicated vpn

Thanks for sharing this information. I really like your blog post very much. You have really shared an informative and interesting blog post with people.