On Tue, 23 Nov 2004 15:31:14 -0600, Scott Johnson
<sjohnson@xxxxxxxxxxxxxxxxxxxx> wrote:
> I was NOT looking for a "you should not do that" type of answer. I already
> know there are pluses and minuses to doing it.

OK, let me get this straight.  You ask a question, and then get snippy
when some advice is offered instead of a specific answer to your
question?

Dude, you aren't paying us.  Get over it.

> Also, it looks like Cisco already
> handles the issues some people have.  From the Cisco VPN Client help: "The VPN
> Client includes an integrated stateful firewall that provides protection when
> split tunneling is in effect and protects the VPN Client PC from Internet
> attacks while the VPN Client is connected to a VPN Concentrator through an
> IPSec tunnel. This integrated firewall includes a feature called Stateful
> Firewall (Always On)."

The fact that you CAN do it doesn't mean that you SHOULD do it.  There
is disagreement, even on this list; I don't think that you should.

From the VPN Concentrator help screen:
"Split tunneling is primarily a traffic management feature, not a
security feature. In fact, for optimum security, we recommend that you
not enable split tunneling."

That said . . . "split tunnelling" is the key term.  It is configured
in the GROUP settings, on the CLIENT CONFIG tab of the VPN
concentrator admin console, accessed by browsing to the concentrator
and logging on.  There is a bit more to split tunneling than just
turning it on; the online help from the VPN concentrator explains it
pretty well.  The settings can be made VERY specific, or there are
three "standard ones":
- tunnel everything, which is the standard
- tunnel everything except specific traffic - this allows local printing, etc.
- tunnel only specific traffic - this allows internet access at the client side

> I was looking to hear from people who have this type of set-up and can point
> me to the proper docs.  Cisco has a lot of docs on their site and I was
> hoping for a pointer to one or two that would help me down the right path.

Satisfied?

-- 
Tom Jedrzejewicz
tomjedrz@xxxxxxxxx
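
Added example, not part of the original message and not Cisco code: a small model of the three "standard" split tunneling settings listed above, showing which destinations leave the client outside the tunnel under each one. The policy names, network lists and addresses are hypothetical and constructed for illustration.

```python
import ipaddress
from enum import Enum


class Policy(Enum):  # hypothetical names, not the concentrator's own identifiers
    TUNNEL_ALL = "tunnel everything"
    EXCLUDE_LIST = "tunnel everything except listed networks"
    INCLUDE_LIST = "tunnel only listed networks"


def in_list(dest, networks):
    """True if the destination address falls inside any listed network."""
    addr = ipaddress.ip_address(dest)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def path_for(policy, networks, dest):
    """Return 'tunnel' or 'direct' for one destination under a policy."""
    if policy is Policy.TUNNEL_ALL:
        return "tunnel"
    listed = in_list(dest, networks)
    if policy is Policy.EXCLUDE_LIST:
        return "direct" if listed else "tunnel"
    return "tunnel" if listed else "direct"  # INCLUDE_LIST


def direct_destinations(policy, networks, dests):
    """Destinations reached outside the tunnel: this traffic is not subject
    to head-end controls and depends on the client's own firewall."""
    return [d for d in dests if path_for(policy, networks, d) == "direct"]


# Constructed sample data: a corporate host, a local printer, an Internet host.
LOCAL_LAN = ["192.168.1.0/24"]
CORP_NETS = ["10.0.0.0/8"]
DESTS = ["10.1.2.3", "192.168.1.50", "203.0.113.10"]

if __name__ == "__main__":
    cases = [
        (Policy.TUNNEL_ALL, []),
        (Policy.EXCLUDE_LIST, LOCAL_LAN),
        (Policy.INCLUDE_LIST, CORP_NETS),
    ]
    for policy, nets in cases:
        print(f"{policy.value}: direct = {direct_destinations(policy, nets, DESTS)}")
```

Running a review like this against the real network lists before enabling a group setting makes it clear how much traffic each option puts outside the tunnel.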

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].