#1 (Guest)

Vista Business, VPN, and Split Tunnels

Hi all,

in [Control Panel>Network Connections] in my VPN Connection's [Properties->Networking->IPv4 Properties->Advanced->IP Settings], I disabled the "Use Default Gateway on Remote Network". When starting the VPN connection, I can now browse the Internet over my 8MB Comcast Cable, and access the company [192.168.48.* MASK 255.255.255.0] subnet through my VPN. Fine.

Because I also need a couple of other servers and applications in some Intranet places, I grab my VPN IP address from 'ipconfig', and then manually want to add some routes.

First problem: 'route delete 192.168.48.*' fails, so I use 'route delete 192.168.48.0'. Great. Now:

    route add 192.168.48.0 mask 255.255.255.0 <VPNIPAddress>
    route add 192.168.47.0 mask 255.255.255.0 <VPNIPAddress>
    route add 172.16.0.0 mask 255.255.0.0 <VPNIPAddress>
    route add 192.168.9.0 mask 255.255.255.0 <VPNIPAddress>
    route add 192.168.80.0 mask 255.255.255.0 <VPNIPAddress>

OK, I hope I got everything now... My more important question: did I compromise the security of the company Intranet by using a VPN split tunnel? Can someone from outside now access the Intranet (without ICS enabled!)?

Cheers,
Thorsten
#2 (Guest)

RE: Vista Business, VPN, and Split Tunnels

Yes, any time you use a split tunnel you compromise the security of the company. You just turned that computer into a router between the Internet and the internal network at the company. It is a rather big security risk.

---
Your question may already be answered in Windows Vista Security: http://www.amazon.com/gp/product/047...otectyourwi-20

"thinkstorm" wrote:

> Hi all,
> in [Control Panel>Network Connections] in my VPN Connection's [Properties->Networking->IPv4 Properties->Advanced->IP Settings], I disabled the "Use Default Gateway on Remote Network". When starting the VPN connection, I can now browse the Internet over my 8MB Comcast Cable, and access the company [192.168.48.* MASK 255.255.255.0] subnet through my VPN. Fine.
>
> Because I also need a couple of other servers and applications in some Intranet places, I grab my VPN IP address from 'ipconfig', and then manually want to add some routes.
>
> First problem: 'route delete 192.168.48.*' fails, so I use 'route delete 192.168.48.0'. Great. Now:
>
> route add 192.168.48.0 mask 255.255.255.0 <VPNIPAddress>
> route add 192.168.47.0 mask 255.255.255.0 <VPNIPAddress>
> route add 172.16.0.0 mask 255.255.0.0 <VPNIPAddress>
> route add 192.168.9.0 mask 255.255.255.0 <VPNIPAddress>
> route add 192.168.80.0 mask 255.255.255.0 <VPNIPAddress>
>
> OK, I hope I got everything now... My more important question: did I compromise the security of the company Intranet by using a VPN split tunnel? Can someone from outside now access the Intranet (without ICS enabled!)?
>
> Cheers,
> Thorsten
#3 (Guest)

Re: Vista Business, VPN, and Split Tunnels

On Aug 9, 11:14 am, Jesper <Jes...@discussions.microsoft.com> wrote:

> Yes, any time you use a split tunnel you compromise the security of the company. You just turned that computer into a router between the Internet and the internal network at the company. It is a rather big security risk.

I don't know if I agree on the "router" term. Is it actually possible to "route" IP packets from external sources, through my firewall, through NAT, to an IP address within the VPN? How's the routing between interfaces affected if I don't allow ICS?

Thorsten
#4 (Guest)

Re: Vista Business, VPN, and Split Tunnels

Yes, it is possible. If you receive packets with an internal source address on the external interface, it will send the response to the internal address. There are obviously some restrictions with this, but it is perfectly sufficient to propagate some attacks to the inside, for instance.

---
Your question may already be answered in Windows Vista Security: http://www.amazon.com/gp/product/047...otectyourwi-20

"thinkstorm" wrote:

> On Aug 9, 11:14 am, Jesper <Jes...@discussions.microsoft.com> wrote:
>
> > Yes, any time you use a split tunnel you compromise the security of the company. You just turned that computer into a router between the Internet and the internal network at the company. It is a rather big security risk.
>
> I don't know if I agree on the "router" term. Is it actually possible to "route" IP packets from external sources, through my firewall, through NAT, to an IP address within the VPN? How's the routing between interfaces affected if I don't allow ICS?
>
> Thorsten
#5 (Guest)

Re: Vista Business, VPN, and Split Tunnels

On Aug 9, 11:56 am, Jesper <Jes...@discussions.microsoft.com> wrote:

> Yes, it is possible. If you receive packets with an internal source address on the external interface, it will send the response to the internal address. There are obviously some restrictions with this, but it is perfectly sufficient to propagate some attacks to the inside, for instance.

Neat idea. Yes, I see how that could work... So the question is: is my firewall better than the company's firewall (because I can access the Internet through the VPN connection, only that I then would exit through the T1 that is shared with my 50 co-workers...)?

Thanks Jesper, I will look for someone to do a little audit about that issue...

Cheers,
Thorsten
#6 (Guest)

Re: Vista Business, VPN, and Split Tunnels

(...didn't see this other thread about the same issue, but I'll reply here as well...)

Prior versions of Windows implemented the "weak end-system" (as opposed to the "weekend system," haha) model in the IP stack. Windows Vista implements the "strong end-system" model, which makes the kind of attack Jesper describes less likely. Here's a description of the differences, quoted from http://www.microsoft.com/technet/com...uy/cg0905.mspx (there, the Cable Guy uses the term "host model" rather than "end-system model"):

When a unicast packet arrives at a host, IP must determine whether the packet is locally destined (its destination matches an address that is assigned to an interface of the host). IP implementations that follow a weak host model accept any locally destined packet, regardless of the interface on which the packet was received. IP implementations that follow the strong host model only accept locally destined packets if the destination address in the packet matches an address assigned to the interface on which the packet was received.

The current IPv4 implementation in Windows XP and Windows Server 2003 uses the weak host model. The Next Generation TCP/IP stack supports the strong host model for both IPv4 and IPv6 and is configured to use it by default. You can configure the Next Generation TCP/IP stack to use a weak host model.

The weak host model provides better network connectivity. However, it also makes hosts susceptible to multihome-based network attacks.

Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley

"thinkstorm" <thorsten.claus@gmail.com> wrote in message news:1186683655.796898.222350@b79g2000hse.googlegroups.com...

> On Aug 9, 11:56 am, Jesper <Jes...@discussions.microsoft.com> wrote:
>
> > Yes, it is possible. If you receive packets with an internal source address on the external interface, it will send the response to the internal address. There are obviously some restrictions with this, but it is perfectly sufficient to propagate some attacks to the inside, for instance.
>
> Neat idea. Yes, I see how that could work... So the question is: is my firewall better than the company's firewall (because I can access the Internet through the VPN connection, only that I then would exit through the T1 that is shared with my 50 co-workers...)?
>
> Thanks Jesper, I will look for someone to do a little audit about that issue...
>
> Cheers,
> Thorsten
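To make the weak vs strong host receive rule from the quoted Cable Guy text concrete, here is an added toy model (not code from the thread, from Microsoft, or from any Windows component) that applies that rule to the split-tunnel layout of the original post: one public cable interface, one VPN adapter, and the route table the poster built. The interface names, the public address (documentation space) and the VPN address are constructed stand-ins; the send-side host rule is deliberately not modelled.

```python
"""Toy model of the weak vs strong host receive rule applied to the
split-tunnel host from the thread. All addresses are constructed."""
import ipaddress

# Constructed host: public cable interface plus the VPN adapter.
# 198.51.100.23 stands in for the Comcast address, 192.168.48.77 for
# the <VPNIPAddress> the poster took from ipconfig.
INTERFACES = {"Cable": "198.51.100.23", "VPN": "192.168.48.77"}

# Routes from the original post (prefix -> egress interface), plus the
# default route, which stays on the cable side because "Use Default
# Gateway on Remote Network" was disabled.
ROUTES = {
    "192.168.48.0/24": "VPN", "192.168.47.0/24": "VPN", "172.16.0.0/16": "VPN",
    "192.168.9.0/24": "VPN", "192.168.80.0/24": "VPN", "0.0.0.0/0": "Cable",
}

def accepts_locally(dst, arrival_if, strong_host):
    """Receive rule as quoted from the Cable Guy article. Weak host: accept
    if dst is any address of the host. Strong host: accept only if dst is
    the address assigned to the interface the packet arrived on."""
    if dst not in INTERFACES.values():
        return False
    return (not strong_host) or INTERFACES[arrival_if] == dst

def egress_interface(dst):
    """Longest-prefix match over ROUTES; returns the interface name."""
    addr = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(p) for p in ROUTES
               if addr in ipaddress.ip_network(p)]
    return ROUTES[str(max(matches, key=lambda n: n.prefixlen))]

def reply_path(src, dst, arrival_if, strong_host):
    """Interface the host would use to answer a packet (src -> dst) that
    arrived on arrival_if, or None if IP drops it as not locally destined."""
    if not accepts_locally(dst, arrival_if, strong_host):
        return None
    return egress_interface(src)

if __name__ == "__main__":
    # A packet arriving on the cable side, addressed to the VPN adapter's
    # address and claiming an intranet source: the weak host answers into
    # the intranet over the VPN, the strong host drops it on receipt.
    for strong in (False, True):
        label = "strong" if strong else "weak"
        print(label, reply_path("192.168.9.5", "192.168.48.77", "Cable", strong))
```

Traffic addressed to the cable interface's own address is accepted under both models, so the routes alone still decide where the answer goes; that is the residual exposure the strong host model does not remove.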