Safe Internet Access While Logged In As VPN Client


JIMB


We have MSESKSB SERVER w\Firewall.

My question is, can the VPN (outside!) (WAN) clients,
while logged in to the Server & going through our
Firewall, access the internet through another
port on the Firewall or from their own systems without
jeopardizing & opening up the virtual & private connection
to the outside internet world?

I know there is a switch we can set on the VPN advanced
TCP/IP properties to allow this; however, I also know that
this "opens" & defeats the reason for the Virtual &
Private Connection.

Can this be done safely? If so, how?

As Always, I Look Forward To Hearing Your Advice.

Jim B.


 
This is a topic that security specialists can talk about for hours!

As I understand it, giving remote clients Internet access through your
firewall should not make any difference to your overall security. The
connection to the Internet is essentially the same as an Internet connection
from a LAN client. All traffic to and from the Internet is screened by the
firewall. But it puts an extra load on both your VPN server and your
firewall, and will slow down the remote client's Internet browsing.

The other option is to use "split tunnelling". This involves clearing
the "use default router .. " box in the client's connection properties. With
this method, the client still accesses the Internet directly, and only the
LAN traffic goes over the VPN link. This method does decrease the security
of your LAN, because there is now a possible path to your LAN from the
Internet through the split tunnel. Traffic coming to your LAN via the remote
client will not be screened by the firewall, because it comes through the
firewall as encrypted data travelling as the payload of another packet.

Only a security expert could tell you how likely this threat is.
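On current Windows clients (Windows 8 / Server 2012 and later), the setting the reply describes is exposed as the `SplitTunneling` property of a VPN profile. The script below is an added example, not part of the original thread: it lists every profile, shows whether a default route actually runs over the tunnel, and, with the hypothetical `-Enforce` switch, turns split tunnelling off. It assumes the built-in VpnClient and NetTCPIP cmdlets and that the VPN interface alias equals the profile name.

```powershell
# Added example, not from the thread: audit Windows VPN profiles for split
# tunnelling and optionally force all client traffic through the tunnel.
param([switch]$Enforce)   # -Enforce is this script's own (hypothetical) switch

function Get-VpnTunnelAudit {
    # Cover per-user profiles ($false) and machine-wide profiles ($true).
    foreach ($allUsers in $false, $true) {
        $profiles = Get-VpnConnection -AllUserConnection:$allUsers -ErrorAction SilentlyContinue
        foreach ($p in $profiles) {
            # Assumption: the VPN interface alias is the profile name.
            $default = Get-NetRoute -DestinationPrefix '0.0.0.0/0' `
                -InterfaceAlias $p.Name -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Name               = $p.Name
                AllUsers           = $allUsers
                Status             = $p.ConnectionStatus
                SplitTunneling     = $p.SplitTunneling
                DefaultRouteViaVpn = [bool]$default
            }
        }
    }
}

$audit = @(Get-VpnTunnelAudit)
$audit | Format-Table -AutoSize

# Profiles where Internet traffic leaves the client directly, so the client
# is connected to the Internet and the LAN at the same time.
foreach ($row in ($audit | Where-Object { $_.SplitTunneling })) {
    Write-Warning "Split tunnelling is enabled on '$($row.Name)'."
    if ($Enforce) {
        Set-VpnConnection -Name $row.Name -AllUserConnection:$row.AllUsers `
            -SplitTunneling $false -Force
        Write-Output "Disabled split tunnelling on '$($row.Name)'; reconnect to rebuild routes."
    }
}

# A connected profile with no default route over the tunnel is behaving as a
# split tunnel right now, whatever the profile setting says.
$audit | Where-Object { $_.Status -eq 'Connected' -and -not $_.DefaultRouteViaVpn } |
    ForEach-Object { Write-Warning "'$($_.Name)' is connected without a default route via the VPN." }
```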
 