domvorti.blogg.se

Tweaknews vpn split tunneling

Split tunneling can, of course, reduce the cost of bandwidth for your organization. Cost is one of the main engineering constraints and can't be discounted, but this is a security board, so you'll get a security answer.

If you split the tunnel on the remote endpoint, you have two (or more) data paths. You're probably considering "send data for the corp network over the VPN and send everything else to the internet". That provides you, essentially, with a default route to your default gateway and then specific routes for your internal subnets pointed at the virtual tun/tap device which exists for the VPN.

From a security standpoint, you've essentially punched a hole in the perimeter which provides for the following:

- Excepting other proxies, your ability to control traffic to cloud services that allow file sharing (e.g. Dropbox, etc.) is potentially limited, as that traffic will leak outside the VPN tunnel and will not be routed through any edge devices you have in place to control that flow (app-aware firewall (NGFW), IPS, etc.)
- The endpoint no longer benefits from those same perimeter devices in terms of protection from threats such as drive-by exploits, malware downloads, phishing sites, etc. Endpoint agents mitigate the risk here, but you then lack the defense-in-depth of multiple security layers for that remote endpoint.
- Assuming the endpoint is compromised, while the VPN connection exists the attacker has a foothold into the network. Essentially that compromised laptop becomes a pivot point from the internet into the trusted segment, bypassing the perimeter defenses.

If you're concerned about loads from streaming by VPN users, you probably just generally need to be concerned about loads from streaming. You're paying for twice the bandwidth for the same stream if you send it over VPN, but maybe your users don't need to be streaming in the first place, depending on your organizational policies. Again, this isn't to discount the cost constraint, or the load placed on the server. But weakening your security posture on purpose because you're concerned that people might be watching too much YouTube on their work machines when working remotely sounds like an HR issue and not a technical issue.












