
View Full Version : Slimserver and VPN



Eric Gauthier
2004-08-12, 04:15
Yes, the VPN software will typically take over as the default route in the
routing tables. This has the downside of forcing all Internet traffic
through the VPN, even if it isn't destined for inside the company firewall
(e.g. local traffic). If you have a fast pipe to your house, it doesn't
matter, since everything must go in through the VPN and out through the
corporate firewall. As was mentioned, it is set up this way to prevent a pass-
through attack from a PC that might also be acting as a router. I am not a
security expert, so I don't know if this is just an easy way out for the IT
community or not.

My company has an option to allow for what they call "split VPN" which will
let me access my 192.168.*** domains just fine when the VPN is working.

My old company didn't allow this, so I manually changed the IP routing
tables from a .BAT file like this (with the correct address, of course).

REM routefix.bat - %1 is the last two octets of the VPN gateway (e.g. 139.54)
echo "Deleting routes with gateway" %1
REM Send only the corporate 10.0.0.0/8 range through the VPN gateway
route add 10.0.0.0 mask 255.0.0.0 10.159.%1
REM Drop the VPN's default route and its 192.168.0.0 route so local traffic stays local
route delete 0.0.0.0 10.159.%1
route delete 192.168.0.0 10.159.%1
route print


I called this routefix. So then after I started the VPN software, a command
like "routefix 139.54" would fix the routing tables.

Unfortunately, most newer VPN clients will not allow you to change the
routing tables underneath them.

Regards,
-Eric


-----Original Message-----
From: discuss-bounces (AT) lists (DOT) slimdevices.com
[mailto:discuss-bounces (AT) lists (DOT) slimdevices.com] On Behalf Of James Craig
Sent: Thursday, August 05, 2004 9:45 AM
To: Slim Devices Discussion
Subject: [slim] Slimserver and VPN


Just as a follow up here, it was confirmed that our VPN software creates its
own firewall so that the local network is deliberately unavailable.

"It's a standard security feature with IPSec tunnelling to prevent
pass-through attacks."


On the bright side there are plans to move to a thin client setup that
probably won't be as restrictive in the future.
Probably causing a lot of problems now that so many people have multiple
machines, wireless networks etc at home...

thanks everyone

James

Steve Baumgarten wrote:


The VPN client adjusts the routing table when it starts and this can be
why certain addresses become unreachable.

In these cases I presume you could "fix" it by adjusting the routing
table after the client starts, but I don't know if the client keeps
checking and enforcing policies.


Some newer VPN clients do exactly this. The VPN client will check the
routing table when it starts up and then every so often while running. If
it sees any changes (non-VPN related, of course), the client will shut
down. Nortel even has a product called "Tunnel Guard" that allows an
administrator to provide a check list of software that needs to be running
on your PC (e.g., a firewall, antivirus software, etc.); if some required
software is missing or disabled, the VPN client shuts down.

Working around VPN restrictions has become decidedly non-trivial, to say
the least.

SBB
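The routing-table check the thread describes (a client or administrator verifying that the default route still goes through the VPN), as an added example that is not code from the thread or any VPN product. It parses the IPv4 section of Windows `route print` output, resolves the next hop by longest prefix match with lowest metric as tie-breaker, and lists probe destinations that would bypass the VPN gateway. All addresses are constructed; 10.159.139.54 follows the post's "10.159.%1" pattern with the example argument 139.54, and the two tables are constructed to show the state before and after that routefix script.

```python
"""Resolve next hops from `route print` output and flag split-tunnel routes.

Added example, not from the thread. Addresses and tables are constructed.
"""
import ipaddress
import re

ADDR = r"\d{1,3}(?:\.\d{1,3}){3}"
ROW = re.compile(rf"^\s*({ADDR})\s+({ADDR})\s+({ADDR}|On-link)\s+({ADDR})\s+(\d+)\s*$")
VPN_GW = "10.159.139.54"  # constructed: 10.159.%1 with %1 = 139.54

# Constructed table as a full-tunnel client leaves it: the VPN owns the default route.
FULL_TUNNEL = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.159.139.54   10.159.139.55      1
          0.0.0.0          0.0.0.0       192.168.1.1    192.168.1.10     25
      192.168.0.0      255.255.0.0     10.159.139.54   10.159.139.55      1
      192.168.1.0    255.255.255.0         On-link      192.168.1.10    281
Default Gateway:     10.159.139.54
"""
# Constructed table after the post's 'routefix 139.54' has been run.
AFTER_ROUTEFIX = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       192.168.1.1    192.168.1.10     25
         10.0.0.0        255.0.0.0     10.159.139.54   10.159.139.55      1
      192.168.1.0    255.255.255.0         On-link      192.168.1.10    281
"""

def parse_route_print(text):
    """Return (network, gateway, interface, metric) for each IPv4 route row."""
    routes = []
    for m in filter(None, map(ROW.match, text.splitlines())):
        dest, mask, gw, iface, metric = m.groups()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes

def next_hop(routes, destination):
    """Most specific route wins; on equal prefix length the lowest metric wins."""
    dst = ipaddress.ip_address(destination)
    cands = [r for r in routes if dst in r[0]]
    if not cands:
        return None
    net, gw, iface, _ = max(cands, key=lambda r: (r[0].prefixlen, -r[3]))
    return iface if gw == "On-link" else gw  # On-link: delivered directly

def bypassing_probes(text, probes, vpn_gw=VPN_GW):
    """Probe destinations whose traffic would not leave through the VPN gateway."""
    routes = parse_route_print(text)
    return [p for p in probes if next_hop(routes, p) != vpn_gw]
```

The directly connected 192.168.1.0/24 subnet is reachable at the route level in both tables; as James's message notes, a full-tunnel client blocks that with its own firewall, which a routing-table check alone cannot see.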