RA VPN - Client Firewall and Split-Tunnel

Could someone explain in their own words the split-tunnel and client firewall being used in tandem? I'm referencing the Cisco ASA All-in-One guide and it shows a split tunnel as being a standard ACL to push access routes to the client. It then describes Central Protection Policy as a way to push firewall policies in the form of extended ACLs.

I was wondering why you would need CPP when you could just send the split-tunnel ACLs with L4 information, or do split-tunnel ACLs have to be standard? Also, I'm not quite understanding the direction for filtering traffic with CPP: are you trying to filter traffic from the outside network to the inside corporate network through the client, or are you trying to filter traffic from the client to particular devices in the corporate network?

Comments

  • So with split-tunneling, the VPN client sends some traffic through the tunnel to access corporate resources, and the rest of the traffic, like accessing the Internet, bypasses the tunnel. This means that the VPN client can be accessed from the Internet by a bad guy, who can then use the client machine as a proxy to access the corporate resources.

    To try and protect from such a scenario, you use CPP and enforce the connecting client to have the Windows firewall activated and also push some rules to it, these rules being configured as an ACL on the ASA.

    This is the big picture, does it make sense?

    Cristian.

    Sent From my iPhone

    On Sep 12, 2013, at 21:04, DJS <[email protected]> wrote:

    Could someone explain in their own words the split-tunnel and client firewall being used in tandem? I'm referencing the Cisco ASA All-in-One guide and it shows a split tunnel as being a standard ACL to push access routes to the client. It then describes Central Protection Policy as a way to push firewall policies in the form of extended ACLs.

    I was wondering why you would need CPP when you could just send the split-tunnel ACLs with L4 information, or do split-tunnel ACLs have to be standard? Also, I'm not quite understanding the direction for filtering traffic with CPP: are you trying to filter traffic from the outside network to the inside corporate network through the client, or are you trying to filter traffic from the client to particular devices in the corporate network?




    INE - The Industry Leader in CCIE Preparation

    http://www.INE.com

  • I think I'm confusing the default behavior of the ASA to not allow connections from the outside internet through the client to the corporate network and information sourced from the client AFTER someone takes control of it. If the traffic is sourced from the host machine, what is actually stopping the traffic other than the split-tunnel ACL and how does it know it's a legitimate user?

    Could you give a good example of a configuration? What I can imagine is below:

    access-list SPLIT_TUNNEL_ACL standard permit 192.168.10.0 255.255.255.0
    group-policy RA_GROUP_POLICY attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value SPLIT_TUNNEL_ACL

    This configuration only allows 192.168.10.0/24 back to the corporate network so if someone takes control of the client machine they would only have that subnet access.
    If you were to push an ACL for the client firewall that's more specific, wouldn't I just create the split-tunnel ACL the same way and not have to use the client firewall?
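The distinction the two posts above turn on is that the split-tunnel network list is a routing decision (a standard ACL carries only a destination prefix, so it can say where a packet goes but not whether it is allowed, and says nothing at all about packets arriving at the client from the Internet), whereas a CPP client-firewall policy is a per-direction filter with protocol and port detail applied on the host itself. The following is an added illustration, not code from the page, the book or Cisco: a small Python model of both controls, evaluating a few constructed packets. The ACL names CPP_IN and CPP_OUT, the rules in them, the VPN pool address 10.10.10.5, the client's public address 198.51.100.7 and the other addresses are all constructed for the example, and the model is deliberately stateless; only the SPLIT_TUNNEL_ACL prefix comes from the post above.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # 0 when there is no port (e.g. icmp)


# --- Split tunnel: a routing decision on destination prefix only -------------
# Mirrors the standard ACL from the post:
#   access-list SPLIT_TUNNEL_ACL standard permit 192.168.10.0 255.255.255.0
SPLIT_TUNNEL_ACL = [ipaddress.ip_network("192.168.10.0/24")]


def route_via_tunnel(pkt: Packet) -> bool:
    """A standard ACL has no protocol or port fields, so the only thing the
    split-tunnel list decides is whether the packet is sent into the tunnel."""
    return any(ipaddress.ip_address(pkt.dst) in net for net in SPLIT_TUNNEL_ACL)


# --- Client firewall (CPP): extended ACEs with direction and L4 detail -------
ANY = "0.0.0.0/0"            # stands in for the ASA keyword 'any'
CORP = "192.168.10.0/24"


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # CIDR network
    dst: str                     # CIDR network
    dport: Optional[int] = None  # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("ip", pkt.proto)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


# Hypothetical policy pushed to the host (constructed for this example):
# traffic *leaving* the client may reach the corporate subnet only on TCP/443,
# plus DNS and web on the Internet; traffic *arriving* at the client is only
# accepted when it comes from the corporate subnet. Everything else hits the
# implicit deny, which is what stops an Internet host from using the client
# as a way into the tunnel.
CPP_OUT = [
    Ace("permit", "tcp", ANY, CORP, 443),
    Ace("permit", "udp", ANY, ANY, 53),
    Ace("permit", "tcp", ANY, ANY, 80),
    Ace("permit", "tcp", ANY, ANY, 443),
]
CPP_IN = [
    Ace("permit", "ip", CORP, ANY),
]


def evaluate(acl, pkt: Packet) -> str:
    """First matching ACE wins; an ACL with no match denies."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# Addresses the client host owns (constructed): its VPN-pool address and the
# local address it uses for traffic that bypasses the tunnel.
CLIENT_ADDRS = {"10.10.10.5", "198.51.100.7"}


def classify(pkt: Packet) -> dict:
    """Apply both controls to one packet. Direction is taken from the client's
    point of view: 'out' leaves the host, 'in' arrives at it."""
    outbound = pkt.src in CLIENT_ADDRS
    return {
        "direction": "out" if outbound else "in",
        "tunneled": outbound and route_via_tunnel(pkt),
        "firewall": evaluate(CPP_OUT if outbound else CPP_IN, pkt),
    }


if __name__ == "__main__":
    samples = [
        Packet("10.10.10.5", "192.168.10.5", "tcp", 443),     # client -> corp web
        Packet("10.10.10.5", "192.168.10.5", "tcp", 22),      # client -> corp ssh
        Packet("198.51.100.7", "203.0.113.50", "tcp", 443),   # client -> Internet
        Packet("203.0.113.9", "198.51.100.7", "tcp", 3389),   # Internet -> client
        Packet("192.168.10.20", "10.10.10.5", "tcp", 445),    # corp -> client
    ]
    for p in samples:
        print(p, classify(p))
```

Running it shows the answer to the second post: SSH from the client to 192.168.10.5 is tunneled (the split list matches the /24 and cannot say otherwise) but denied by CPP_OUT, and an RDP attempt from the Internet to the client never touches the split list at all, so only the host firewall (CPP_IN) is in a position to drop it.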