The Cisco documentation makes a distinction between allowing LAN access 
and what they call "split tunneling, where the client has unencrypted 
access to the Internet while connected to the ASA or PIX".  See the note 
at the bottom of the introduction.  I think the point here is that only 
machines on the user's LAN would be included - of course, even that is 
dicey since your LAN could be everyone in the airport departure lounge 
with you.

Rama

On 10/15/2010 10:57 AM, Andrew Hendrickson wrote:
> That *is* split tunneling as I understand it.
>
> And in response to Marc, you've basically defined the entire dilemma
> of any form of security.  It is always a trade off between
> convenience and security.
>
> Unfortunately in our times, "security" can also be defined as "cost
> containment" and "lawsuit avoidance".  Because the potential cost of
> a security breach is quite high, convenience is on the chopping block
> most of the time.
>
> On Oct 15, 2010, at 10:54 AM, Rama Kocherlakota wrote:
>
>> Could we enable LAN access without enabling true split tunneling,
>> as in this document:
>>
>> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702992.shtml
>>
>>
>>
Rama
>>
>> On 10/15/2010 10:39 AM, Marc Farnum Rendino wrote:
>>> Hmm... I'm as much a stickler as anyone for security (ask anyone
>>> :), however isn't this one of those situations where we're:
>>>
>>> - attempting to avoid a *potential* cost (ex: a security breach)
>>>
>>> - by paying a *certain* cost (ex: lost functionality, increased
>>> support costs, attempts to route around...)?
>>>
>>> And it seems to me that the potential increase in risk (of
>>> allowing split-tunneling) is minor, since the "horse is already
>>> out of the barn" so to speak, in that the security of the remote
>>> machines connecting in to the VPN is an unknown. And that's
>>> pretty much the same as the vast majority of machines on campus
>>> too.
>>>
>>> The cost/benefit doesn't seem to work out.
>>>
>>> On Thu, Oct 14, 2010 at 10:32 PM, Dan Brisson<[log in to unmask]
>>> <mailto:[log in to unmask]>>  wrote:
>>>
>>> Bryan is correct that security best practices dictate not using
>>> split tunneling.
>>>
>>>