Lightweight VM to use cisco vpn

[aniruddha23]

Hi guys I am trying to figure out an alternative to split tunnelling out cisco vpn software access as the network guy is concerned with the security risks.

The basic problem comes in when developers and other personnel use vpn to access remote datacenters and no longer have internet access.

I was proposing an alternative where we use a virtual machine exclusively for vpn use so that the main desktop can still have internet and email access.

This works for my desktop where i use a xp vm but for people with laptops it will slow them down.

Can you reccommend alternative lightweight os solutions which i can run in the vm and will at the same time support a cisco vpn client. it should be able to browse the internet use ssh tools and other basic day to day tasks.

We currently use vmware workstation but if there are more lightweight alternatives ot that I am open to those too.

Any suggesstions / Help is much appreciated.

Thanks much

 

[Nothinman]

VirtualBox may be an option, although I don't know if Oracle's had time to castrate it yet. But really, if you need a whole other second copy of the OS to run you're going to take resources from the host, there's no way around that. And the security risks are only slightly less with the VM solution because that VM has access to the same network as the host. You can help mitigate that with things like always reverting to an old, known good snapshot, etc but getting users to do that consistently will be a problem.

I really don't see the problem with split tunneling and so far no one has come up with a good argument for disabling it. The threat of letting a PC connect to your VPN is the same whether I can get to the Internet just before the connection or during. If I've got some virus on my machine then I've already got it and it'll spread regardless. Ask him to actually explain the risks and I'll bet he can't other than "Because this doc said so". But if it's a blind, enforced corporate policy you're screwed.

 

[aniruddha23]

I agree with your points about split tunnelling. Something about it just seems amiss though. But yes i will talk to the network guy again.

one of the reasons i thought a vm option would be attractive is because i could put in a lightweight linux vm which would hopefully be a lot less vulnerable to malware and viruses than xp. and let only linux based hosts onto the vpn. i dont want to start a linux windows flamewar here but it seems it would be a better choice.

 

[Nothinman]

I agree with your points about split tunnelling. Something about it just seems amiss though. But yes i will talk to the network guy again.

one of the reasons i thought a vm option would be attractive is because i could put in a lightweight linux vm which would hopefully be a lot less vulnerable to malware and viruses than xp. and let only linux based hosts onto the vpn. i dont want to start a linux windows flamewar here but it seems it would be a better choice.

I guess that depends on what you need to do on the VPN, if it's just RDP, ssh, etc then yea Linux would work fine. But if you need Outlook for email over MAPI or something then that obviously wouldn't work.

 

[aniruddha23]

I guess that depends on what you need to do on the VPN, if it's just RDP, ssh, etc then yea Linux would work fine. But if you need Outlook for email over MAPI or something then that obviously wouldn't work.

yes the VPN would be used mostly for RDP, ssh, browser based admin interfaces and maybe access some nfs/samba shares.

My main concern is with the cisco vpn client and its support on the linux distro.

am currently looking at lubuntu

 

[Nothinman]

yes the VPN would be used mostly for RDP, ssh, browser based admin interfaces and maybe access some nfs/samba shares.

My main concern is with the cisco vpn client and its support on the linux distro.

am currently looking at lubuntu

I use vpnc and it works on 99% of the Cisco IPSec VPNs we have setup on our clients' ASAs.

 

[aniruddha23]

I use vpnc and it works on 99% of the Cisco IPSec VPNs we have setup on our clients' ASAs.

Thanks for the tip. we use asa's too so hopefully it should work. will update once done.

 

[mikeyes]

I have the same situation at home. I downloaded the free VMware Player and setup a small XP vm with the software I needed and the Cisco VPN client.