In the Usenet newsgroup comp.security.firewalls, in article
<68f9f.1790$J14.80418@news20.bellglobal.com>, Triffid wrote:
>I've forgotten my reason - no doubt it was bizarre.
The two most common reasons for choosing the "Class A" range of RFC1918
are: 1) it's the first one listed in the tables of such addresses; and
2) people think it's impressive - forgetting that the address doesn't
appear on the Internet, and no one else is going to know you are using it.
>The tunnel runs from my laptop to my employer's VPN switch. The intent
>of the client configuration enforced by the switch is to prevent my
>laptop having simultaneous access to the corporate intranet and public
>internet.
That's done with procedure/policy here. The system I have to connect to
the company net has one network interface - to that net only. My home
systems are on a different net, physically isolated from the company
computer - the classic "air gap". I can also get into the company
net via SSH over the Internet, but the number of hoops to jump through
makes using the company box preferable. Yes, that means two data links
in the house.
>The VPN client on my laptop routes everything except 192.168.0.0/16 up
>the tunnel, and disconnects the tunnel if I mess with the routing table.
>Since my local LAN isn't 192.168.x.x, it's unreachable while the tunnel
>is up.
Got it. I've got a minor advantage that I have 'root' (admin user) on
all systems here, including the company box, which would allow me to
do a lot of things. The company box has a non-routable address (they
see no reason why I need a real address), and if I'm really desperate
to reach the Internet without using my own systems, I can SSH into a
system at work, and reach out from there.
Old guy
Received on Mon Nov 21 02:36:42 2005
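An added example, not part of the thread, that models the VPN client's routing rule Triffid describes (default route up the tunnel, 192.168.0.0/16 left on the local interface) with longest-prefix matching, and shows why a home LAN numbered from the 10.0.0.0/8 "Class A" RFC1918 block becomes unreachable while the tunnel is up. The interface names tun0 and eth0 and the routing table itself are constructed for illustration.

```python
import ipaddress

# Constructed routing table modelling the VPN client policy in the post:
# everything goes up the tunnel except 192.168.0.0/16, which stays on the
# local interface. Interface names are assumptions, not from the post.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "tun0"),       # default route: VPN tunnel
    (ipaddress.ip_network("192.168.0.0/16"), "eth0"),  # exception: local LAN
]

# The three RFC1918 private blocks; 10.0.0.0/8 is the "Class A" one.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def next_hop_iface(dst, routes=ROUTES):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, iface) for net, iface in routes if addr in net]
    net, iface = max(matches, key=lambda m: m[0].prefixlen)
    return iface


def rfc1918_block(dst):
    """Return the RFC1918 block containing dst, or None for a public address."""
    addr = ipaddress.ip_address(dst)
    for net in RFC1918:
        if addr in net:
            return str(net)
    return None


def lan_reachable_with_tunnel_up(lan_cidr, routes=ROUTES):
    """True only if the whole LAN prefix is covered by a route on the local interface."""
    lan = ipaddress.ip_network(lan_cidr)
    local_nets = [net for net, iface in routes if iface == "eth0"]
    return any(lan.subnet_of(net) for net in local_nets)


if __name__ == "__main__":
    for lan in ("192.168.5.0/24", "10.0.5.0/24"):
        print(lan, "reachable:", lan_reachable_with_tunnel_up(lan))
```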