Our small company works with a large company and must access their customer data daily. In addition to assigning logins, they make us download a certificate on each computer we plan to use, and somehow set up a Cisco VPN inside Internet Explorer. Once logged in, that browser cannot access our corporate intranet, and if I visit whatismyip.com, it shows a different domain than the one at work.
What might be the reasoning for this strategy? If we are directly on their network rather than accessing limited info through a web interface, wouldn't that be less secure?
I use a Cisco ASA 5510 with Clientless SSL VPN for vendor and business partner access at our company. Here is why it makes sense:
When partners access our VPN website, a normal SSL (HTTPS) connection is made for encryption. Once there, almost everything can be done over HTTPS without creating a full VPN tunnel to our network. From the site users can access SMB shares, internal websites, etc. There are even browser-based clients available for RDP and VNC if necessary. The benefits to this are:
Employees access our VPN using Cisco's full SSL VPN client (called AnyConnect) which gives them the equivalent of a traditional IPSec VPN tunnel.
Not sure why they are having you install a certificate. This may be because their SSL cert is self-signed and would otherwise throw up a browser warning at each connection.
Hope this clears things up.
Thanks.
Depending on how the big company has set up their firewall, the VPN may or may not be less secure.
I think this is a case of "one size fits all": they probably give the same access to everyone, no matter if they actually need it or not, as this is the cheapest and most comfortable solution.
In similar cases I give external customers SSL+client certificate access, together with username and password for the particular service.
Client certificates prevent casual password guessing and URL manipulation/injection attacks, but a user/pass for the specific service is still needed, since once you have handed out the client cert to someone you have no control over what they do with it, unless it is on a smartcard, but this is a much more complicated (read: expensive) story.
The VPN is providing encryption of the data you are accessing so that someone between you and them cannot sniff the sensitive data. It also requires that you connect to the large company's internal network which is way more secure than having an internet accessible page that anyone could get to. Making you download a certificate also means that in order to access their network, someone would have to be on one of your computers. It couldn't be just some random user that tries logins and passwords against a web interface until they get access.
I don't use the VPN in the browser, but I get your problem even on a desktop VPN client. This is what I do on Windows to be able to connect to machines on the local network.
If you check
ipconfig /all
it should show your local network IP as well as the VPN-assigned IP. Say your local IP is 10.0.0.5 and you want to connect to 10.0.0.3 on your local network. You add a route to 10.0.0.3 as follows:
This has always worked for me, on multiple different VPNs. IIRC Cisco VPN client also has an option to bypass vpn for local access.
Apparently, this is the default behavior for many types of VPN, Cisco SSL-based or not. I have had cases with VPN clients where it was impossible to change the default gateway on the client, so it looks like this behavior can be changed on the server side. You should ask the VPN administrator at the "Large" company for local LAN access (if this is what you need).
Limiting access to any destination other than those defined in the VPN tunnel is known as split-tunneling and is done to prevent the remote machine from acting as a conduit for malware from the Internet into the private network.
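Added example, not from any of the answers above: a Python model of the route lookup that the `ipconfig` / add-a-route answer relies on, and of the split-tunnel policy the last answer describes. It shows why a /32 host route pulls one LAN neighbour out of a full tunnel (longest prefix wins over the VPN's broader route) and how a split-tunnel table leaves the host talking to the Internet and the private network at the same time. The addresses, the interface names (eth0, vpn0), the 172.16.0.0/12 partner network and the way the VPN client claims the local subnet to disable local LAN access are all constructed assumptions, not a description of Cisco's implementation.

```python
"""Simulate Windows-style route selection (longest prefix, then lowest metric)
for a laptop that sits on an office LAN and is connected to a partner's VPN.
Added illustration; all addresses and interface names are constructed."""
import ipaddress


def make_table(entries):
    """entries: iterable of (cidr_str, interface, metric) -> list of routes."""
    return [(ipaddress.ip_network(cidr), iface, metric)
            for cidr, iface, metric in entries]


def lookup(table, dst):
    """Return the interface the OS would use for dst, or None if unroutable.
    Longest prefix wins; among equal prefixes the lowest metric wins."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in table if ip in r[0]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]


# Constructed: the laptop's own routes before the VPN client starts.
LAN_ONLY = [
    ("0.0.0.0/0", "eth0", 25),      # Internet via the office gateway
    ("10.0.0.0/24", "eth0", 25),    # the office LAN, directly connected
]

# Constructed model of a full tunnel with local LAN access disabled: the VPN
# client adds a default route AND a route for the local subnet with a lower
# (preferred) metric, so even 10.0.0.x neighbours are sent into the tunnel.
# This is an assumption used for the model, not a statement about any product.
FULL_TUNNEL_NO_LAN = LAN_ONLY + [
    ("0.0.0.0/0", "vpn0", 1),
    ("10.0.0.0/24", "vpn0", 1),
]

# Constructed model of a split tunnel: only the partner's network (172.16.0.0/12,
# an assumed value) goes into the tunnel; everything else keeps its old path.
SPLIT_TUNNEL = LAN_ONLY + [
    ("172.16.0.0/12", "vpn0", 1),
]


def add_host_route(table, host, iface, metric=1):
    """The workaround from the earlier answer: pin one LAN host to the physical
    NIC with a /32 route, which beats the VPN's /24 on prefix length."""
    return table + [(ipaddress.ip_network(f"{host}/32"), iface, metric)]


def path_report(table, destinations):
    """Map each destination to the interface that would carry it."""
    return {d: lookup(table, d) for d in destinations}


if __name__ == "__main__":
    # 10.0.0.3 = LAN neighbour, 172.16.5.9 = partner host, 203.0.113.10 = Internet
    probes = ["10.0.0.3", "172.16.5.9", "203.0.113.10"]
    full = make_table(FULL_TUNNEL_NO_LAN)
    print("full tunnel :", path_report(full, probes))
    print("with /32    :", path_report(add_host_route(full, "10.0.0.3", "eth0"), probes))
    print("split tunnel:", path_report(make_table(SPLIT_TUNNEL), probes))
```

In the full-tunnel table every probe, the LAN neighbour and the Internet host included, leaves through vpn0, which is the behaviour the question describes (no intranet, different public IP). Adding the /32 moves only 10.0.0.3 back to eth0. In the split-tunnel table the Internet host never enters the tunnel, so the laptop is simultaneously reachable from the Internet and connected to the private network; that is the conduit risk the last answer gives as the reason administrators disable it.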