Prohibiting split tunnelling
My company has installed a Check Point FW-1 on a Nokia box to allow employees access to the corporate network using a virtual private network. Although users have been provided with certificate authentication and Secure Remote Client software, my division is installing a second FW-1 on an NT box to secure our network from the corporate network even further. We are concerned about split tunnelling. Since some users will not likely use due diligence to ensure they are not surfing the Web while accessing the corporate LAN, I would like to know if there is a way to recognise that a client has opened themselves up and -- even more importantly -- can the connection automatically be
If you are using the VPN-1 SecureClient Policy Server, you can do this. to the documentation found at what you need to do is establish a policy of "Allow Encrypted Only" for your desktop security. When a client connects to your corporate network, the will verify that the client has the correct configuration, which in this "Allow Encrypted Only" or more simply, no split tunnelling. If the client is not in that configuration, the VPN tunnel is not established.
What I cannot answer for certain is what would happen if a client a tunnel and then attempts to change the configuration. My guess is that to so, they would have to end their current connection. Thus, when they the same check would occur and the tunnel would fail. However, I do not have needed hardware or software on hand to test if that is indeed true or not.
This was first published in August 2001