Summary

When clients connect to the central site with split tunneling enabled, they can be compromised by attackers, and a compromised client's VPN session can then become a transport for the attacker. To prevent this, personal firewall clients should be installed and activated on the individual clients.

The VPN 3000 Concentrator can enforce a firewall policy for personal firewalls from vendors such as Cisco, NetworkICE, Zone Labs, and Sygate. When this policy is enabled, you can either require that the firewall be present when connecting or make it optional. If the policy is Firewall Required, the concentrator checks for the presence of the assigned firewall vendor's product on the connecting client. If it does not detect that firewall, the tunnel is not established. When the Firewall Optional setting is chosen, the VPN Concentrator allows clients to connect even if the firewall is not detected; however, it sends a notification message to the client.

The Cisco VPN Unity Client supports its own stateful firewall that can be enabled from the client itself. This firewall allows DHCP and ESP, but all other incoming traffic is blocked unless it originates from the tunnel. This is a robust firewall, but it is not configurable.

The VPN Concentrator supports three different types of firewall policies. Under the AYT (Are You There) policy, the concentrator sends an AYT message to the client every 30 seconds to ensure that the firewall is still present. When the firewall is not detected, the tunnel is torn down. The CPP (Central Protection Policy) lets you define rules and filters that are pushed down to the individual clients in the group. Finally, the Zone Labs Integrity Server can work in conjunction with the VPN Concentrator to ensure consistent policies and enforcement across the enterprise.
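To make the Firewall Required/Optional decision and the AYT teardown behaviour concrete, here is a small model of the two mechanisms described above. It is an added example, not Cisco's code or anything from the book: the vendor names come from the text, the 30-second AYT interval is the one stated above, and the number of unanswered AYT polls tolerated before teardown (`misses_tolerated`, defaulting to zero) is an assumption, since the page gives no tolerance. The AYT reply patterns in the scenarios are constructed.

```python
"""Model of the VPN 3000 Concentrator firewall policy and AYT keepalive (added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional

AYT_INTERVAL_SECONDS = 30  # AYT polling interval stated on the page


class FirewallSetting(Enum):
    NONE = "none"          # no firewall policy configured for the group
    OPTIONAL = "optional"  # Firewall Optional: connect without a firewall, but notify the client
    REQUIRED = "required"  # Firewall Required: no detected firewall means no tunnel


@dataclass
class ConnectDecision:
    tunnel_allowed: bool
    notification: Optional[str] = None


def evaluate_firewall_policy(setting: FirewallSetting, required_vendor: Optional[str],
                             detected_vendor: Optional[str]) -> ConnectDecision:
    """Decide whether the tunnel may be established for one connecting client."""
    if setting is FirewallSetting.NONE:
        return ConnectDecision(True)
    if detected_vendor is not None and detected_vendor == required_vendor:
        return ConnectDecision(True)
    if setting is FirewallSetting.REQUIRED:
        return ConnectDecision(False, f"required firewall '{required_vendor}' not detected; tunnel refused")
    # Firewall Optional: the client connects, but is told its firewall was not found.
    return ConnectDecision(True, f"firewall '{required_vendor}' not detected; connected with notification")


class AytMonitor:
    """Tracks AYT replies once the tunnel is up and tears the tunnel down when the firewall
    stops answering. misses_tolerated is an assumption (the page states no tolerance);
    0 tears the tunnel down on the first unanswered poll."""

    def __init__(self, interval: int = AYT_INTERVAL_SECONDS, misses_tolerated: int = 0):
        self.interval = interval
        self.misses_tolerated = misses_tolerated
        self.missed = 0
        self.tunnel_up = True
        self.torn_down_at: Optional[int] = None

    def poll(self, now: int, firewall_answered: bool) -> bool:
        """Process one AYT exchange at time `now` (seconds). Returns True while the tunnel stays up."""
        if not self.tunnel_up:
            return False
        if firewall_answered:
            self.missed = 0  # a reply resets the miss counter
            return True
        self.missed += 1
        if self.missed > self.misses_tolerated:
            self.tunnel_up = False
            self.torn_down_at = now
        return self.tunnel_up


def run_session(setting: FirewallSetting, required_vendor: Optional[str], detected_vendor: Optional[str],
                ayt_replies: List[bool], misses_tolerated: int = 0) -> dict:
    """Admit the client under the policy, then replay AYT replies (True = firewall answered),
    one per interval. Returns a summary of what happened to the session."""
    decision = evaluate_firewall_policy(setting, required_vendor, detected_vendor)
    result = {"admitted": decision.tunnel_allowed, "notification": decision.notification,
              "torn_down_at": None}
    if not decision.tunnel_allowed:
        return result
    monitor = AytMonitor(misses_tolerated=misses_tolerated)
    for i, answered in enumerate(ayt_replies, start=1):
        if not monitor.poll(i * AYT_INTERVAL_SECONDS, answered):
            break
    result["torn_down_at"] = monitor.torn_down_at
    return result


if __name__ == "__main__":
    # Constructed scenarios (vendor names as listed on the page; reply patterns are made up):
    print(run_session(FirewallSetting.REQUIRED, "Zone Labs", None, []))
    print(run_session(FirewallSetting.OPTIONAL, "Zone Labs", None, [True, True]))
    # Firewall present at connect time, then disabled after the second heartbeat:
    print(run_session(FirewallSetting.REQUIRED, "Cisco", "Cisco", [True, True, False, False]))
```

The third scenario is the one the AYT policy exists for: the client passes the check at connect time, so a one-time posture check would have admitted it for the life of the session, but the periodic AYT exchange notices the firewall going away at the 90-second poll and tears the tunnel down.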



CSVPN Exam Cram 2 (Exam 642-511)
ISBN: 078973026X
Year: 2002
Pages: 185
