
VPN - Disallow networks accessible via access policy "exclude" or via APM ACL instead?

Fallout1984
Cirrocumulus

From what I can tell, there are two ways to block access to certain networks via VPN: either by adding them to the "exclude" section of the access policy they're assigned, or by adding an ACL step in APM. An excluded network will still be pushed to the client, but the metric assigned will tell it to go out the "local" connection rather than the VPN tunnel. With an ACL, it's just blocked at the F5.

My question is, beyond the example above, is there a reason to use one method over the other? I'm thinking an ACL would be preferable if one wants to "hide" the network(s) they don't want VPN users going to.


Thanks!

1 ACCEPTED SOLUTION

IMHO, ACLs are the safest way. The excluded networks setting is part of the split tunneling configuration, so it is strictly related to routes pushed to the client. With an ACL, you are actually controlling what is allowed or not on the BIG-IP side. The difference may not seem important, but recently I was able to trick my Windows host into changing the routing entries of my machine in order to bypass the split tunneling configuration pushed to the VPN client, though it was with another, so popular, vendor's VPN client that claims global protection features 😜
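The two enforcement points the question and the accepted answer contrast, modelled in Python as an added example (not code from this thread, and not F5's implementation): a simplified host route lookup stands in for the client's split-tunnel routing, and a first-match entry list stands in for an APM ACL evaluated on the BIG-IP. The addresses, the "tunnel"/"local" interface names, the longest-prefix-then-lowest-metric tie-break and the default "allow" when no entry matches are constructed assumptions for the model, not documented APM behaviour. The point it makes runnable is the one in the answer: once a client's route table no longer carries the exclusion, the excluded network flows into the tunnel, and only a gateway-side ACL still stops it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# --- Client side: a tiny routing-table model (constructed, not a real host stack) ---

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str   # "tunnel" (VPN adapter) or "local" (physical NIC)
    metric: int

def select_route(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, ties broken by lowest metric (simplified host behaviour)."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))

def client_path(routes: List[Route], dst: str) -> str:
    """Which interface the client would use for dst, or 'unroutable'."""
    route = select_route(routes, dst)
    return route.interface if route else "unroutable"

# --- Gateway side: first-match ACL model (constructed; stands in for an APM ACL) ---

@dataclass
class AclEntry:
    action: str                     # "allow" or "reject"
    dst: ipaddress.IPv4Network
    port: Optional[int] = None      # None = any port

def evaluate_acl(entries: List[AclEntry], dst: str, port: int, default: str = "allow") -> str:
    """First matching entry wins; 'default' applies when nothing matches (assumption)."""
    addr = ipaddress.ip_address(dst)
    for entry in entries:
        if addr in entry.dst and (entry.port is None or entry.port == port):
            return entry.action
    return default

def gateway_decision(routes: List[Route], acl: List[AclEntry], dst: str, port: int = 443) -> str:
    """Combine both enforcement points: traffic only reaches the BIG-IP if the client
    routed it into the tunnel; if it does, the ACL decides."""
    if client_path(routes, dst) != "tunnel":
        return "never reaches BIG-IP"
    return evaluate_acl(acl, dst, port)

# --- Constructed sample data ---

CORP = ipaddress.ip_network("10.0.0.0/8")        # space pushed into the tunnel
EXCLUDED = ipaddress.ip_network("10.99.0.0/16")  # network listed under "exclude"

# What the client holds after connecting with the exclusion in place:
SPLIT_TUNNEL_ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "local", 25),  # default via local NIC
    Route(CORP, "tunnel", 1),                              # corporate space via VPN
    Route(EXCLUDED, "local", 1),                           # exclusion: more specific, local
]

# Same table with the exclusion route gone (the client-side state the answer describes):
TAMPERED_ROUTES = [r for r in SPLIT_TUNNEL_ROUTES if r.prefix != EXCLUDED]

# Gateway-side ACL: reject the excluded network explicitly, allow the rest of corp.
ACL = [
    AclEntry("reject", EXCLUDED),
    AclEntry("allow", CORP),
]

if __name__ == "__main__":
    target = "10.99.1.5"
    print("exclusion present  ->", client_path(SPLIT_TUNNEL_ROUTES, target))   # local
    print("exclusion removed  ->", client_path(TAMPERED_ROUTES, target))       # tunnel
    print("removed, no ACL    ->", gateway_decision(TAMPERED_ROUTES, [], target))   # allow
    print("removed, with ACL  ->", gateway_decision(TAMPERED_ROUTES, ACL, target))  # reject
```

Read the four printed lines top to bottom: the exclusion only works while the client's route table says so, whereas the ACL gives the same answer regardless of what the client's table looks like, which is the sense in which the accepted answer calls ACLs the safer control. In a real deployment the exclusion still has value for traffic you do not want traversing the tunnel at all; the ACL is what you rely on for traffic you need to deny.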

