
Prohibiting split tunnelling

My company has installed a Check Point FW-1 on a Nokia box to allow employees access to the corporate network using a virtual private network. Although users have been provided with certificate authentication and Secure Remote Client software, my division is installing a second FW-1 on an NT box to secure our network from the corporate network even further.

We are concerned about split tunnelling. Since some users are not likely to use due diligence to ensure they are not surfing the Web while accessing the corporate LAN, I would like to know if there is a way to recognise that a client has opened themselves up and -- even more importantly -- whether the connection can automatically be dropped somehow?

If you are using the VPN-1 SecureClient Policy Server, you can do this. According to the documentation found at http://www.checkpoint.com/products/secureclienttour/managers_perspective.html, what you need to do is establish a policy of "Allow Encrypted Only" for your desktop security. When a client connects to your corporate network, the FW-1/VPN-1 will verify that the client has the correct configuration, which in this case means "Allow Encrypted Only" or, more simply, no split tunnelling. If the client is not in that configuration, the VPN tunnel is not established.

What I cannot answer for certain is what would happen if a client establishes a tunnel and then attempts to change the configuration. My guess is that to do so, they would have to end their current connection. Thus, when they reconnected, the same check would occur and the tunnel would fail. However, I do not have the needed hardware or software on hand to test whether that is indeed true.
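The check the answer describes has two parts: the client reports a desktop policy, and the gateway refuses the tunnel unless that policy forbids unencrypted traffic. The following is an added illustration, not Check Point's code and not part of the original answer. It goes one step further than the answer and shows what "opened themselves up" looks like in concrete terms: a client is split-tunnelled when any route to a non-local destination, the default route included, leaves through an interface other than the VPN adapter. The route tables, interface names (`vpn0`, `eth0`), the gateway address `203.0.113.10`, and the policy identifier `allow_encrypted_only` are all constructed for the example.

```python
"""Split-tunnelling posture check: an added, illustrative example.

Route tables, interface names and the policy identifier below are
constructed for this example; they are not Check Point's own format.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical identifier for the "Allow Encrypted Only" desktop policy.
POLICY_ALLOW_ENCRYPTED_ONLY = "allow_encrypted_only"

VPN_IFACE = "vpn0"
VPN_GATEWAY = "203.0.113.10"          # constructed gateway address
LOCAL_SUBNETS = ("192.168.1.0/24",)   # the client's own home/office LAN

# Constructed route tables in a simplified "<destination> <interface>" form.
COMPLIANT_TABLE = """
default          vpn0    # everything goes through the tunnel
10.0.0.0/8       vpn0    # corporate network
192.168.1.0/24   eth0    # local LAN, needed to reach the local router
203.0.113.10/32  eth0    # host route to the VPN gateway itself
"""

SPLIT_TABLE = """
default          eth0    # Web surfing bypasses the tunnel: split tunnelling
10.0.0.0/8       vpn0
192.168.1.0/24   eth0
203.0.113.10/32  eth0
"""


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    interface: str


def parse_routes(text: str) -> list:
    """Parse the simplified route-table text into Route records."""
    routes = []
    for raw in text.strip().splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        dest, iface = line.split()[:2]
        if dest == "default":
            dest = "0.0.0.0/0"
        routes.append(Route(ipaddress.ip_network(dest, strict=False), iface))
    return routes


def split_tunnel_leaks(routes, vpn_iface, local_subnets, vpn_gateway) -> list:
    """Return the routes that let traffic bypass the tunnel.

    Exempt: routes via the VPN adapter, routes inside the client's own LAN
    (it must still reach its local router), and the /32 host route to the
    VPN gateway (the tunnel itself rides on it).
    """
    local = [ipaddress.ip_network(s) for s in local_subnets]
    gateway_host = ipaddress.ip_network(vpn_gateway + "/32")
    leaks = []
    for r in routes:
        if r.interface == vpn_iface or r.destination == gateway_host:
            continue
        if any(r.destination.subnet_of(n) for n in local):
            continue
        leaks.append(r)
    return leaks


def gateway_decision(client_policy, routes, vpn_iface=VPN_IFACE,
                     local_subnets=LOCAL_SUBNETS, vpn_gateway=VPN_GATEWAY):
    """Gateway-side decision: tunnel is established only if the reported
    desktop policy is Allow Encrypted Only and the routes match it."""
    if client_policy != POLICY_ALLOW_ENCRYPTED_ONLY:
        return ("deny", f"desktop policy is {client_policy!r}, "
                        f"expected {POLICY_ALLOW_ENCRYPTED_ONLY!r}")
    leaks = split_tunnel_leaks(routes, vpn_iface, local_subnets, vpn_gateway)
    if leaks:
        detail = ", ".join(f"{r.destination} via {r.interface}" for r in leaks)
        return ("deny", f"split tunnelling detected: {detail}")
    return ("allow", f"all non-local traffic routes via {vpn_iface}")


if __name__ == "__main__":
    for name, table in (("compliant", COMPLIANT_TABLE), ("split", SPLIT_TABLE)):
        verdict, reason = gateway_decision(POLICY_ALLOW_ENCRYPTED_ONLY, parse_routes(table))
        print(f"{name:10s} -> {verdict}: {reason}")
```

Re-running the same check whenever the client reconnects is what gives the "drop the connection" behaviour the question asks about: a client that flips its default route back to the physical interface is refused the next time it presents itself, which is exactly the reconnect scenario the answer speculates on.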

This was last published in August 2001
