Travelling laptops over VPN

Jerry

I've run into a problem configuring laptops for my company. We're in the
process of upgrading to Windows XP SP2, and one feature I would like to add
for travelling users is the ability to connect to an internet connection,
say at a hotel, which may not be firewalled, and be able to safely use that
connection for both internet browsing and connecting to our Cisco VPN.
Additionally, I'd prefer it if, when the user is back in the office and
connects the laptop directly to the LAN, the laptop can still be managed
remotely.

I'm having problems getting firewall protection in all cases. I
configured Group Policy for the laptops so that when the laptop is connected
to the domain, the Windows XP firewall is off, and when it's connected
to a different network (like at a hotel), the firewall is on. That appears
to work fine. However, when the user connects to the VPN using the Cisco
VPN client, the firewall shuts off because it sees the domain. Then the
laptop is not protected while on the VPN.

I could configure the firewall to be on all the time, but doesn't that
make management difficult? I don't want to set up firewall exceptions for
managing the laptop while it's on the domain, because those same exceptions
will apply while the laptop is connected to the VPN. I'm not completely
sure what the risks are.

I've been using Nmap to test the firewall with TCP, UDP, and TCP SYN
stealth port scans. But, to be honest, I'm not even sure if that's the best
way to test. However, I do get scan results that are consistent with the
firewall being on or off.

I've entered a cornucopia of frustration, and am looking for pointers,
suggestions, or facts backed by people with experience in this type of
setup. Any help would be greatly appreciated.

Thank you,
Jerry
 
Phillip Windell

Jerry said:
to a different network (like at a hotel), the firewall is on. That appears
to work fine. However, when the user connects to the VPN using the Cisco
VPN client, the firewall shuts off because it sees the domain. Then, the
laptop is not protected while on the VPN.

Yes, it is protected while on the VPN. When on the VPN it is on the LAN, not
the Internet. To get to and from the Internet it must go through the LAN, so
it is the same as if it was physically on the LAN. The laptop cannot get
to/from the Internet directly while the VPN is active. So,...you are worried
for nothing.

One exception would be if the user is using "split-tunneling" with the VPN.
This is done by disabling the "Use Gateway on Remote Network" which is found
on the user's machine within the properties of the VPN Dialup Connection. By
default this is not the case,...this is something you would have had to do
on purpose.

Another thing to keep in mind is the false sense of security you may be
feeling from the firewall. Typically the firewall has no effect on viruses,
worms, trojans, spyware/adware and those are actually the worst threats you
face. The primary defence from those is not the firewall but is the AV
software and the level of the Security settings in the User's browser. So
you may be all worried about something that isn't even protecting you from
what you fear in the first place.

The primary role of the firewall is to prevent other users from connecting
to running services on your machine,...primarily that would be File & Print
Sharing, but there are others.
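Whether a connection is split-tunnelled is visible on the laptop itself, whichever VPN client installed the routes: Internet-bound traffic follows the lowest-metric default route, and only in a full tunnel does that route point at the VPN adapter. The following is an added example, not code from this thread, from the Cisco client or from Windows; it classifies constructed XP-style `route print` output, and the addresses (hotel LAN 192.168.1.0/24, VPN adapter 172.16.5.23, corporate 10.0.0.0/8) are assumptions.

```python
"""Tell a full tunnel from a split tunnel by reading the host's own route table.
Added example for this thread, not code from any poster, the Cisco VPN client
or Windows. Input is the IPv4 table as printed by the XP-era `route print`
(Network Destination, Netmask, Gateway, Interface, Metric); samples are constructed.
"""
import ipaddress
import re

# Matches only the five-column data rows of the "Active Routes" section.
ROUTE_ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)"
    r"\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)

# Constructed: laptop on a hotel LAN (192.168.1.100), VPN adapter 172.16.5.23.
# Split tunnel: only 10.0.0.0/8 rides the VPN; the default route stays local.
SPLIT_TUNNEL_TABLE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.100       20
         10.0.0.0        255.0.0.0       172.16.5.1     172.16.5.23        1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
      192.168.1.0    255.255.255.0    192.168.1.100   192.168.1.100       20
Default Gateway:       192.168.1.1
"""

# Constructed: same laptop with the remote gateway in use. The client added a
# lower-metric default route via the VPN adapter and a host route so that the
# tunnel itself (to the concentrator at 203.0.113.10) still leaves via the hotel.
FULL_TUNNEL_TABLE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.100       20
          0.0.0.0          0.0.0.0       172.16.5.1     172.16.5.23        1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
      192.168.1.0    255.255.255.0    192.168.1.100   192.168.1.100       20
     203.0.113.10  255.255.255.255      192.168.1.1   192.168.1.100        1
Default Gateway:        172.16.5.1
"""


def parse_routes(table_text):
    """Return (network, gateway, interface_ip, metric) for each data row."""
    routes = []
    for line in table_text.splitlines():
        m = ROUTE_ROW.match(line)
        if not m:
            continue  # headings, "Default Gateway:", interface list
        dest, mask, gateway, iface, metric = m.groups()
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append((net, gateway, iface, int(metric)))
    return routes


def classify_tunnel(table_text, vpn_adapter_ip, corporate_nets):
    """Classify the table: Internet traffic follows the lowest-metric default
    route, and only when that route's interface is the VPN adapter does the
    laptop sit behind the office perimeter (full tunnel)."""
    routes = parse_routes(table_text)
    corp = [ipaddress.IPv4Network(n) for n in corporate_nets]
    # Every corporate prefix must be covered by some route over the VPN adapter.
    corp_via_vpn = all(
        any(r[2] == vpn_adapter_ip and c.subnet_of(r[0]) for r in routes)
        for c in corp
    )
    defaults = [r for r in routes if r[0].prefixlen == 0]
    if not defaults:
        return {"mode": "no-default", "default_interface": None,
                "corporate_via_vpn": corp_via_vpn}
    best = min(defaults, key=lambda r: r[3])
    mode = "full-tunnel" if best[2] == vpn_adapter_ip else "split-tunnel"
    return {"mode": mode, "default_interface": best[2],
            "corporate_via_vpn": corp_via_vpn}
```

On a real machine, feed saved `route print` output to `classify_tunnel` together with the VPN adapter's address and the corporate prefixes; a "split-tunnel" result while the VPN is up is exactly the state in which the firewall profile choice discussed above matters.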
 
Sooner Al

Phillip,

That brings up a question that I have...

Phillip Windell said:
One exception would be if the user is using "split-tunneling" with the VPN.
This is done by disabling the "Use Gateway on Remote Network" which is found
on the user's machine within the properties of the VPN Dialup Connection. By
default this is not the case,...this is something you would have had to do
on purpose.

Does anyone know of a way to disable that via a Group Policy or registry setting? In many cases
network administrators would want to do that to prevent the users from enabling split-tunneling...
This split-tunneling issue comes up every so often on these forums, primarily from users wanting to
find out how to enable it..:)

--
Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...

 
Bill Sanderson

FWIW--and I haven't done this myself--my understanding is that the way to do
this is to use the CMAK and distribute the connections to the users after
customizing them via CMAK.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/vpndeplr.mspx

I'm unclear whether Server 2003 is required to do this. I think not--but
again, I haven't done it!

 
Sooner Al

I just looked back at this old Cable Guy article which has suggestions concerning the security
issues...

http://www.microsoft.com/technet/community/columns/cableguy/cg1003.mspx

--
Al Jarvi (MS-MVP Windows Networking)


 
Jerry

Phillip,

Well, you brought up the exact situation I'm faced with: we are using
split-tunneling. I've been told by Cisco that without split-tunneling, a
client cannot browse the internet while connected to the VPN. This doesn't
seem correct to me, so I may have to ask another tech at Cisco.

I use the Cisco VPN client to connect to the VPN, not a Windows-defined
VPN Dialup connection. Any split-tunneling is controlled at the Cisco
firewall. Certainly, I can turn off the split-tunneling, but I don't want
to do it at the cost of losing internet connection while connected to the
VPN.

We do have a robust, multi-layered AV defense, so I'm not as worried about
that. But you're correct that I'm not sure how much of a threat I'm faced
with if I don't have a properly established firewall. Do you have other
suggestions for testing the effectiveness of a firewall, or do you think
that what I'm doing with Nmap might be sufficient?

Thanks for your time,
Jerry

 
Phillip Windell

Jerry said:
Well, you brought up the exact situation I'm faced with: we are using
split-tunneling. I've been told by Cisco that without split-tunneling, a
client cannot browse the internet while connected to the VPN. This doesn't
seem correct to me, so I may have to ask another tech at Cisco.

Don't bother. He is exactly correct. You must use Split Tunneling to be able
to use the VPN and use the Internet independently from each other.

Jerry said:
We do have a robust, multi-layered AV defense, so I'm not as worried about
that. But you're correct that I'm not sure how much of a threat I'm faced
with if I don't have a properly established firewall. Do you have other
suggestions for testing the effectiveness of a firewall, or do you think
that what I'm doing with Nmap might be sufficient?

AV software and Browser Security set to the "highest" is the best defence.
As far as personal firewalls,...well I'm so excited about them that I don't
even run one... :) I follow the measures I already mentioned and I don't
have things running on any directly exposed machine that I don't want
someone connecting to. I just simply keep my machines "clean",..I know what
I have running on them,..and why.
 
Bill Sanderson

Here's one discussion of some of the security issues around this setting,
and also some recommendations which primarily relate to the host end of the
VPN tunnel, unfortunately:

http://www.isaserver.org/tutorials/VPN_Client_Security_Issues.html

This link:
http://www.microsoft.com/resources/...2003/all/deployguide/en-us/dnsbf_vpn_yvjp.asp

has a brief discussion of security issues of split tunneling, and notes that
a packet filter restricting traffic over the VPN connection to packets
originating from the remote access clients (i.e. not from the client's
Internet connection)--is a default configuration in Windows Server 2003.

This link (a PDF, unfortunately) discusses, with references to Shinder, the
possibility of a session hijack when split tunneling is used.

http://www.teleworkconsortium.org/Theory_and_Practice/whitepapers/BroadbandSecurityPaperCSC.pdf

So--the two vulnerabilities introduced by split tunneling are 1) the
possibility of routing between the insecure Internet and the secure private
network via the split-tunneling client machine, and 2) the possibility of a
session hijack of the client machine, with consequent disclosure of private
corporate data.

As with other security issues, each admin needs to assess their own risk
tolerance level and make a decision about what policies are appropriate for
their environment.

(and you, and probably most reading this thread, are probably more aware of
these issues than I am--but I thought I'd try to dig out some clear
references to precisely what the risks are. I think I've got the technical
risks clearly laid out, but without much clear information about how to
quantify those risks, I'm afraid.)
 
Jerry

Bill,

Thanks for taking some time to research the security issues. This
information highlights what I am fearful of when it comes to travelling
clients. My reason for posting in the first place was basically to ask the
question, "We're not the only IT group in the world with travelling clients
that come back to connect to the local LAN, so how are other people handling
this?" I believe we do a good job of protecting and hardening our clients.
When it comes to a travelling laptop, though, it appears difficult to
protect the laptop "on the road" and not lose too much management
functionality "at home" without having to rely on the user to flip a switch
to turn on a firewall.

Like most IT staffs, we don't have enough people to effectively keep up.
Since we have sites all across the country, it's important that we have the
ability to remotely administer computers. However, I don't think it's safe
to have management exceptions (programs and ports) on the Windows XP
firewall when the computer is travelling. It appears the best way to handle
this is to keep an OU for systems you want to manage, then move the computer
into that OU when you need to manage it.

Of course, if I could get internet traffic to travel through the VPN
tunnel without split-tunneling, that would probably solve my problems.
However, Cisco tells me that's not possible. I'm not done looking down that
street yet.

Thanks again,
Jerry
 
Guest

Split-tunneling is a big no-no from a security standpoint. Unless there is
something the Cisco VPN is doing, you should be able to access the internet
while using the VPN by configuring your browser to use the VPN connection.
For IE go to TOOLS/INTERNET OPTIONS/CONNECTIONS. Add the VPN connection in
the Dial-up and VPN settings (if not already there) and then use the
Settings button to input the proper information for your firewall. This will
allow the VPN connection back out through the firewall instead of creating a
split-tunnel situation which allows would-be attackers to use your remote
station as a gateway to your internal network.

Dan Zimmerman, SSCP
 
Steve Riley [MSFT]

Amazing... Cisco actually recommends split-tunneling? And furthermore seems
to state that it's *required*? You mean their VPN client and server have no
configuration mechanism to set so that Internet surfing goes through the
VPN? Again, amazing...

At the risk of sounding like a brochure, you might consider replacing your
Cisco VPN server with a Windows Server 2003 computer running RRAS and ISA
Server 2004. This will permit you to run the native VPN client in your
laptops, removing a layer of third-party software that you now have to
manage. And when configured with the ISA Server firewall client, all
Internet surfing will go through the RRAS/ISA Server computer.

Steve Riley
 
Jerry

Steve,

I wouldn't say that they recommend it. In fact they did tell me that, for
security reasons, it's best to leave it off. However, with the design of
our network, it is required to get both a VPN and simultaneous internet
connection. Apparently, there are other products and designs that would fix
this, but when our PIX was bought, it wasn't bought for its VPN
capabilities, and those capabilities weren't fully investigated.

We considered ISA server, but the costs stretched the budget. Not sure if
we might be able to do that or not.

I have one other option to try. Hopefully that will cure some ills for
me.

Thanks,
Jerry
 
Phillip Windell

Jerry said:
We considered ISA server, but the costs stretched the budget. Not sure if
we might be able to do that or not.

Nothing changes. The standards of the technology,..are the standards of the
technology. It doesn't really have anything to do with one company's
implementation over another.
 
