Nortel's VPN solution is the same way: they have a kernel module as well. That version does
allow the server to allow the client to use split tunneling, where only the VPN-bound traffic
goes through the VPN but all "public" traffic uses the native network interface. This allows
for a much faster and more reliable user experience, at the sacrifice of some security (since
now that host becomes an unsecured gateway onto the private network).
Nortel's solution also does something else which I'm not sure Cisco does, to mitigate this:
while the VPN is running they disable all incoming connections to privileged ports (ports
<1024). That means that, while the VPN is running, no incoming connection to your printer
service, ssh, HTTP, SMTP, etc. etc. is allowed. If you use your home system as a server for a
local network, this completely shuts down all services unless you've done the work to move
them to unprivileged ports.
However, it provides slightly better security since it disallows most of the connections that
could be compromised to enter the private network through that system. Obviously you could
start your SSH server on a different port but the attacker would have to know that port... and
presumably someone knowledgeable enough to move the service would also be better at securing
the system against attack (yes, I know... but the alternative, to disallow split tunneling, is
even less palatable).
Now here's the real trick, that requires a kernel module: if you change your routing tables in
ANY WAY or try to re-enable those ports, then the VPN is automatically, immediately shut down.
I understand where drag's frustration comes from, but I don't see any proof that these
facilities REDUCE security. They definitely reduce productivity of an individual, insofar as
they have to work within this restricted environment. As always, these things are a
compromise: it will certainly reduce a LOT of people's productivity if a nasty virus or worm
gets loose on the private network. I certainly don't like kernel modules: when I used
Nortel's solution it was always a huge pain since they didn't support Debian (my distro at the
time) and support for new kernels was very slow to come.
If you don't want anything like that, you can get Juniper's VPN solution. Theirs is
user-space only and does support split tunneling but doesn't provide the guarantees that Cisco
and Nortel's solutions do.
The big bummer with Juniper's solution is their install/startup scripting is truly horrible.
It works, just barely, on Red Hat Enterprise Linux systems, but refuses to work on most other
systems for no reason except that the person who wrote it didn't know what they were doing.
Very frustrating. However, since it's a script and the solution is userspace it is possible to
work around it: I've written a simple alternative script that works pretty well.
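The host-side policy the comment describes (refuse inbound connections to privileged ports while the tunnel is up, and drop the tunnel on any routing-table change or on re-opened ports), modelled as an added Python example that is not from Nortel's, Cisco's or Juniper's clients. The route snapshots, interface names and the `VpnSession` class are constructed for illustration, and nothing here touches a real firewall or kernel.

```python
"""Added model of the client-side policy described above (not vendor code).
While the tunnel is up, inbound connections to privileged ports (<1024) are
refused; any routing-table change from the tunnel-up baseline, or re-opening
those ports, tears the tunnel down. Route snapshots are constructed strings in
`ip route show` format so this runs offline; no firewall or kernel is touched."""
from dataclasses import dataclass

PRIVILEGED_MAX = 1023  # ports 0..1023 are privileged on Unix-like systems

# Constructed baseline: default route via the LAN NIC, corporate 10/8 via tun0
BASELINE_ROUTES = """default via 192.168.1.1 dev eth0
10.0.0.0/8 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 scope link
"""


@dataclass(frozen=True)
class Inbound:
    iface: str      # interface the connection arrived on, e.g. "eth0"
    dst_port: int   # local destination port


def normalize_routes(ip_route_output: str) -> frozenset:
    """Canonical set of route lines, so reordering alone is not a change."""
    return frozenset(" ".join(line.split())
                     for line in ip_route_output.splitlines() if line.strip())


class VpnSession:
    """One tunnel plus the two host-side checks enforced while it is up."""

    def __init__(self, baseline_routes: str):
        self.baseline = normalize_routes(baseline_routes)
        self.up = True

    def allow_inbound(self, conn: Inbound) -> bool:
        """Refuse inbound to a privileged port, but only while the tunnel is up."""
        return not (self.up and conn.dst_port <= PRIVILEGED_MAX)

    def check_integrity(self, current_routes: str, privileged_blocked: bool) -> bool:
        """Re-run the watchdog; returns whether the tunnel is still up.
        privileged_blocked reports whether the inbound block above is still in
        place. A lifted block or any diff from the baseline routes shuts the VPN."""
        if not privileged_blocked or normalize_routes(current_routes) != self.baseline:
            self.up = False
        return self.up
```

Once the session is down, the inbound block is lifted again, matching the comment's point that the restriction only applies while the VPN is running.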