[167206] in North American Network Operators' Group
Re: Cisco ScanSafe, aka Cisco Cloud Web Security
daemon@ATHENA.MIT.EDU (Justin M. Streiner)
Wed Dec 4 14:07:57 2013
Date: Wed, 4 Dec 2013 10:33:31 -0500 (EST)
From: "Justin M. Streiner" <streiner@cluebyfour.org>
To: NANOG list <nanog@nanog.org>
In-Reply-To: <CALgc3C42yOW8NpZ1bu9wUCONNkkXtOmcj=J00512TN+ACa+E1A@mail.gmail.com>
Cc: Cisco-nsp <cisco-nsp@puck.nether.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
> First of all, why are you allowing or disallowing split tunnel networks ?
>
> There is always the risk that he/she may get infected with some malware
> that your antivirus does not recognize and it spreads through the internet
> network when the user VPNs to the corporate network.
From what I've seen, many government agencies - particularly those
that work with sensitive data - take a very risk-averse position when dealing
with remote access - if it is allowed at all.
Such networks also tend to be fairly compartmentalized out of necessity.
Still the possibility of a breach that originated from a user that was
VPN'd in and happened to open "not-infected-srsly.zip" gives IT admins in
such environments more than a bit of heartburn.
jms
