Juniper MAG/SA question - re: split tunneling policy and use of JSAM/WSAM
Hello J-NSP and Nanog members
Hopefully this is the right forum for this discussion - if not my apologies for further clogging your inbox.
Here it goes:
Would you consider use of JSAM/WSAM to selectively proxy and tunnel certain applications a form of split tunneling? The traditional concept of split tunnels looks at all traffic Layer 3 and above, versus JSAM/WSAM which looks at application traffic at Layer 7.
The context for all of this is from a previous question I put out regarding split tunneling policy on government networks.
Thanks!
On Tue, Dec 24, 2013 at 7:50 PM, Herro91 <herro91@gmail.com> wrote:
Hello J-NSP and Nanog members
Hopefully this is the right forum for this discussion - if not my apologies for further clogging your inbox.
Here it goes:
Would you consider use of JSAM/WSAM to selectively proxy and tunnel certain applications a form of split tunneling? The traditional concept of split tunnels looks at all traffic Layer 3 and above, versus JSAM/WSAM which looks at application traffic at Layer 7.
It's still Layer 3, but it looks at the application name which sends the traffic in order to selectively tunnel specific destination networks and ports. I wouldn't call it split tunneling, but it depends on how your security policy classifies this kind of traffic. It's also worth looking at what risks this may bring to your exposed services as it checks for process name, not necessarily for it to be valid (you can always create an outlook.exe app that tries to crash the Exchange CAS or something similar).
The context for all of this is from a previous question I put out regarding split tunneling policy on government networks.
participants (2)
- Eugeniu Patrascu
- Herro91
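The reply's point about matching on process name, as an added example that is not part of the original thread and is not Juniper's code: a name-only rule accepts any binary called outlook.exe, while a rule that also pins the image digest does not. The policy table, file paths and byte strings are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac
import ntpath

# Constructed stand-in for the bytes of the approved executable image.
APPROVED_BINARY = b"constructed stand-in for the approved outlook.exe image"

# Constructed policy: allowed file name -> SHA-256 of the approved image.
POLICY = {"outlook.exe": hashlib.sha256(APPROVED_BINARY).hexdigest()}


def match_by_name(image_path: str) -> bool:
    """Name-only rule: any executable with an allowed file name is tunneled."""
    return ntpath.basename(image_path).lower() in POLICY


def match_by_name_and_digest(image_path: str, image_bytes: bytes) -> bool:
    """Stricter rule: the name must be allowed and the image must hash to the pinned value."""
    expected = POLICY.get(ntpath.basename(image_path).lower())
    if expected is None:
        return False
    actual = hashlib.sha256(image_bytes).hexdigest()
    return hmac.compare_digest(actual, expected)


def evaluate(processes):
    """Return (path, name_only_decision, pinned_decision) for each (path, bytes) pair."""
    return [
        (path, match_by_name(path), match_by_name_and_digest(path, data))
        for path, data in processes
    ]


# Constructed process list: the approved client, a different program that
# merely carries the same file name, and an application not in the policy.
SAMPLE = [
    (r"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE", APPROVED_BINARY),
    (r"C:\Users\user\Downloads\outlook.exe", b"constructed unrelated program"),
    (r"C:\Windows\notepad.exe", b"constructed notepad image"),
]

if __name__ == "__main__":
    for path, by_name, pinned in evaluate(SAMPLE):
        print(f"{path}: name-only={by_name} name+digest={pinned}")
```

The second sample entry is the case the reply describes: it passes the name-only rule and is rejected once the digest is pinned.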