Ask the Expert

Prohibiting split tunnelling

My company has installed a Check Point FW-1 on a Nokia box to allow employees access to the corporate network using a virtual private network. Although users have been provided with certificate authentication and Secure Remote Client software, my division is installing a second FW-1 on an NT box to secure our network from the corporate network even further.

We are concerned about split tunnelling. Since some users will not likely use due diligence to ensure they are not surfing the Web while accessing the corporate LAN, I would like to know if there is a way to recognise that a client has opened themselves up and -- even more importantly -- can the connection automatically be dropped somehow?



If you are using the VPN-1 SecureClient Policy Server, you can do this. According to the documentation found at http://www.checkpoint.com/products/secureclienttour/managers_perspective.html, what you need to do is establish a policy of "Allow Encrypted Only" for your desktop security. When a client connects to your corporate network, the FW-1/VPN-1 will verify that the client has the correct configuration, which in this case means "Allow Encrypted Only" or more simply, no split tunnelling. If the client is not in that configuration, the VPN tunnel is not established.

What I cannot answer for certain, is what would happen if a client establishes a tunnel and then attempts to change the configuration. My guess is that to do so, they would have to end their current connection. Thus when they re-connected, the same check would occur and the tunnel would fail. However, I do not have the needed hardware or software on hand to test if that is indeed true or not.
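One defender-side way to recognise the condition the question describes (a client whose route table still sends non-corporate traffic outside the tunnel while the VPN is up), as an added example that is not from the original answer or from Check Point's own tooling. It parses a constructed Windows-style `route print` table; the tunnel adapter address, the corporate prefix and the table contents are all assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Route:
    destination: ipaddress.IPv4Network
    gateway: str
    interface: str


# Constructed sample in the style of Windows "route print" output (assumption):
# the tunnel adapter is 10.8.0.5 and reaches the corporate 10.0.0.0/8, but the
# default route still points at the home router, so Web traffic bypasses the VPN.
SAMPLE_ROUTE_TABLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.20      25
         10.0.0.0        255.0.0.0         10.8.0.1        10.8.0.5       1
      192.168.1.0    255.255.255.0         On-link     192.168.1.20     281
"""

# destination, netmask, gateway (address or "On-link"), interface, metric
ROUTE_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+\d+\s*$"
)


def parse_routes(text):
    """Turn route-table text into Route objects, skipping headers and blank lines."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if m:
            dest, mask, gateway, iface = m.groups()
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            routes.append(Route(net, gateway, iface))
    return routes


def split_tunnel_routes(routes, vpn_interface, corporate_nets):
    """Routes that carry traffic somewhere other than the tunnel: not on the VPN
    adapter, not the directly attached LAN the tunnel itself needs, and not a
    corporate prefix. A non-empty result means split tunnelling is in effect."""
    corp = [ipaddress.IPv4Network(n) for n in corporate_nets]
    return [
        r for r in routes
        if r.interface != vpn_interface
        and r.gateway != "On-link"
        and not any(r.destination.subnet_of(c) for c in corp)
    ]


def has_split_tunnel(text, vpn_interface, corporate_nets):
    return bool(split_tunnel_routes(parse_routes(text), vpn_interface, corporate_nets))
```

An "Allow Encrypted Only" posture corresponds to `has_split_tunnel` returning `False`: the only non-tunnel route left is the on-link LAN needed to reach the gateway.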


This was first published in August 2001
