On Wed, Dec 4, 2013 at 5:53 PM, Herro91 <herro91@gmail.com> wrote:
Hi,
I'm doing some research on the Cisco Cloud Web Security offering, also known as ScanSafe.
Has anyone on the lists explored Cisco's ScanSafe SaaS offering, now called Cisco Cloud Web Security - as a means of providing protection in the cloud that would potentially negate the requirement to have a full tunnel (i.e. allow split tunneling) for teleworkers?
First of all, why are you allowing or disallowing split tunnel networks? The only case I see when you want to route all traffic through the gateway is when you have a big network that changes constantly and you don't want to update ACLs all day to make sure a teleworker can reach certain equipment no matter what. Other than that, when the laptop is not connected to the VPN the user can browse whatever site on the internet, and from a security standpoint there is no benefit. There is always the risk that he/she may get infected with some malware that your antivirus does not recognize and it spreads through the internal network when the user VPNs to the corporate network. Even with a malware cloud service, you still have security gaps and opportunity windows for attackers to get to you.

One thing is that it is not always feasible to have a proxy set up in your browser all the time, as for example it would be impossible to connect to the internet when you are at a hotel that has a captive portal. In order to get access you will have to disable the proxy, log into the captive portal, pay (optionally), accept the terms and reactivate the proxy settings in the browser. And if you forget to do this... well, you're on your own and hope for the best and that the locally installed AV and anti-malware solution is "good enough".

What I would suggest is that you only allow access to some jump hosts (Linux/Windows/etc.) that are being protected by adequate security measures such as an IPS. This also assumes that the same level of protection exists between your user network and server network, otherwise it's pretty much game over once the user is back in the office with full network access.

Regards,
Eugeniu
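The captive-portal problem raised in the reply above is normally handled with a proxy auto-config (PAC) file rather than a fixed proxy setting in the browser. The PAC below is an added example and is not part of this thread or of Cisco's product; the cloud proxy hostname and the corporate domain are placeholders, and the small helper functions stand in for the ones a browser supplies so the file also runs under Node.

```javascript
// Placeholder cloud web proxy and corporate domain (assumptions, not real hosts).
const CLOUD_PROXY = "PROXY proxy.example.invalid:8080";
const CORP_DOMAIN_GLOB = "*.corp.example.invalid";
// true  = fall back to DIRECT when the proxy is unreachable (fail open)
// false = return only the proxy, so browsing stops if the proxy is down (fail closed)
const FAIL_OPEN = true;

// --- Shims for PAC built-ins, simplified so the file runs outside a browser ---
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function shExpMatch(str, pattern) {
  // Only '*' wildcards are supported here; browsers also support '?'.
  const escaped = pattern.split("*")
    .map(s => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&")).join(".*");
  return new RegExp("^" + escaped + "$").test(str);
}
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}
function isInNet(host, net, mask) {
  // A browser would resolve a name first; here only literal IPv4 addresses match.
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return (ipToInt(host) & ipToInt(mask)) === (ipToInt(net) & ipToInt(mask));
}

// --- The actual PAC entry point the browser calls for every request ---
function FindProxyForURL(url, host) {
  // Captive portals are typically reached by a bare hostname, localhost or a
  // private address; sending those to the cloud proxy fails before login.
  if (isPlainHostName(host) || host === "localhost") return "DIRECT";
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0") ||
      isInNet(host, "169.254.0.0", "255.255.0.0")) return "DIRECT";
  // Corporate names reached through the split tunnel stay off the proxy.
  if (shExpMatch(host, CORP_DOMAIN_GLOB)) return "DIRECT";
  // Everything else goes to the cloud web proxy.
  return FAIL_OPEN ? CLOUD_PROXY + "; DIRECT" : CLOUD_PROXY;
}
```

With FAIL_OPEN left true the browser silently falls back to unfiltered browsing whenever the proxy is unreachable, which is exactly the gap the reply warns about; setting it to false trades that gap for a visible outage the user has to report.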