Making Sense of Split Tunneling

Sunday, January 20, 2013

Patrick Oliver Graf


Split tunneling is not a new concept in remote access networking. The technology emerged in the 1990s to allow VPN users to access a public network and a LAN or WAN simultaneously. Despite this longevity, its merits and security continue to be disputed. So what is the reality: should split tunneling be allowed, or should IT administrators steer clear?

First, let's take a closer look at how split tunneling works. In VPNs there are basically two types of virtual tunnel that carry data securely: full tunnels and split tunnels. In full tunnel mode, a remote corporate user establishes an Internet connection from a client PC, and all of that connection's traffic runs through the VPN. This naturally includes the user's private data traffic. As a result, every time the user browses the web, whether to shop on eBay, check personal email, or access the company CRM, the traffic passes through the company VPN gateway.

In certain cases, a full tunnel configuration is necessary. For example, companies that cooperate frequently and closely with partners and give employees access to IT systems within those partners' networks should take a full tunnel approach. This enables employees and partners to access order lists or product data, for example. In this scenario, however, the remote user only reaches the partner's servers through the corporate VPN gateway and cannot access them through any other connection.

The other configuration, the split tunnel, only sends traffic through the VPN tunnel when it is destined for a website or another IT service within the corporate network. For all other connections, such as Facebook or web mail, the client PC contacts the providers' servers directly. Downloads from external websites are not directed through the corporate network and the VPN.
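The routing decision behind the two modes, as an added example that is not part of the original article: a full tunnel installs a single default route via the tunnel interface, while a split tunnel installs only the corporate prefixes via the tunnel and leaves the local default route for everything else. The corporate prefixes, hostnames and addresses below are constructed for illustration (the public ones are RFC 5737 documentation addresses).

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed corporate address space that a split tunnel would protect
CORPORATE_PREFIXES = ["10.0.0.0/8", "192.168.100.0/24"]

# Constructed destinations standing in for the cases the article names
DESTINATIONS = {
    "crm.corp.example": "10.20.30.40",       # internal CRM, reachable only via VPN
    "partner-erp.example": "192.168.100.7",  # partner system reached via the corporate gateway
    "shop.example": "203.0.113.5",           # public web shop (TEST-NET-3)
    "webmail.example": "198.51.100.25",      # personal webmail (TEST-NET-2)
}

Route = Tuple[ipaddress.IPv4Network, str]


def build_routes(mode: str, corporate_prefixes: Iterable[str]) -> List[Route]:
    """Return (prefix, interface) pairs as a VPN client would install them.

    full  : 0.0.0.0/0 via the tunnel, so every packet crosses the VPN gateway.
    split : only the corporate prefixes via the tunnel; everything else keeps
            the local default route (0.0.0.0/0 via the physical NIC).
    """
    if mode == "full":
        return [(ipaddress.ip_network("0.0.0.0/0"), "tun0")]
    if mode == "split":
        routes: List[Route] = [(ipaddress.ip_network(p), "tun0") for p in corporate_prefixes]
        routes.append((ipaddress.ip_network("0.0.0.0/0"), "eth0"))
        return routes
    raise ValueError(f"unknown tunnel mode: {mode}")


def egress_interface(dst: str, routes: List[Route]) -> str:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def classify(mode: str, destinations=DESTINATIONS, prefixes=CORPORATE_PREFIXES) -> dict:
    """Map each destination name to the interface its traffic leaves on."""
    routes = build_routes(mode, prefixes)
    return {name: egress_interface(ip, routes) for name, ip in destinations.items()}


if __name__ == "__main__":
    for mode in ("full", "split"):
        print(mode, classify(mode))
```

In split mode only the two corporate destinations leave via tun0; the shop and webmail traffic goes straight out eth0, which is exactly the traffic the VPN gateway never sees.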

Split tunneling has a variety of advantages:

1) It only transmits data that actually requires the protection of a VPN. This leads to smaller workloads for VPN clients, servers and gateways.

2) It enables strict separation of corporate Internet traffic and private Internet use.

3) It conserves bandwidth within the VPN connection since it does not have to transmit private data.

Despite these gains, many IT administrators still have reservations about split tunneling. Most notably, some believe split tunneling is a security risk because some data traffic is separated from the secure VPN tunnel and is not directed through the secure gateway. Others criticize the split tunneling concept as being too complicated and requiring specialized VPN clients. These concerns are further fueled by fears that an attacker might somehow be able to use the private Internet connection to gain access to the corporate network, which the user accesses through the VPN.

However, none of these points stand up to scrutiny. Firstly, in order to route a private Internet connection into the VPN, the client must have bridging mode activated, and that is not a default setting. Moreover, an administrator can use a group policy to deactivate the bridging feature and prevent the user from enabling it.

Additionally, the concern about infecting a corporate network with malware through a private connection is only partially valid. For one thing, almost every company uses antivirus software to eliminate malware before it even enters the company's intranet. For another, there are sources of viruses and Trojans beyond the Internet: USB drives and DVDs, for example, can also infect a user's PC. Seen this way, the added risk of infection through split tunneling is hardly significant.

Split tunneling does not make a company network unmanageable, but it’s important to note that its manageability depends on the quality of the implemented VPN components.

The bottom line is that split tunneling should not be considered a security risk. However, client systems that use this technology should always be up-to-date. For example, security patches have to be installed promptly; personal firewall and antivirus engines have to be activated and updated on a regular basis; and potentially risky features, like bridging, have to be deactivated permanently.

Full tunneling is the better alternative for companies and authorities with extremely high security requirements. However, they have to accept the increased effort that comes with full tunneling and implement more powerful VPN systems and "big pipes" for VPN data traffic. It is also no longer appropriate to prohibit private use of the company computer just to keep the data volume within limits. Ultimately, it comes down to efficiency. After all, it doesn't take reams of data to know that companies that restrict employee access to corporate information also limit overall productivity.

ammy jorden Your split tunnel ACL that you tried doesn't really make sense. Which network is the remote network? 172.16 or 192.168? You also want to change tcp to ip in the first statement, and you should not narrow it down to individual ports like you did in the second statement. The drawbacks of doing it that way, I guess.
eduardo munoz Split tunneling is a computer networking concept which allows a VPN user to access a public network (e.g., the Internet) and a local LAN or WAN at the same time, using the same physical network connection. This connection service is usually facilitated through a program such as a VPN client software application.
Dierk Bauer There are many variants of split tunneling that attempt to address this fundamental trust issue. Often when plain split tunneling is enabled, datagrams by default will go out the local network interface's default gateway. Only datagrams that are destined for IP networks behind the VPN terminator will go through the tunnel. This violates the principle of least privilege if a user does not absolutely require access to the entire Internet.
Victor murillo One advantage of using split tunneling is that it alleviates bottlenecks and conserves bandwidth as Internet traffic does not have to pass through the VPN server.
cansu ok Thank you so much.
suzo jogn I just came across your blog and reading your beautiful words. I thought I would leave my first comment but I don’t know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often. .
Bruce Wayne In my opinion split tunneling should be banned. It lacks security. Why should we take risk, when we have a better option? This article is very interesting, inspiring, entertaining, rare and valuable. Thank you for sharing this awesome article. Keep sharing.
dev batista This is going to be an informative post for those people who want to know about this. Thank you for sharing this. It made me aware of this. I'm going to share this with my friends.
dev batista A top new subject in this publish creates your website is significantly valued. Through this publish, we know that your excellent information, you have a brilliant yet eye-catching way of writing. read more
dev batista That is very exciting Grin I really like studying and I am often trying to find useful details like this. This is specifically what I was seeking. Thanks for discussing this excellent content.
dev batista I wish to say that this post is amazing, nicely written and includes approximately all the important info. Glad to have found this post. I would like to see more posts like this. Salute.
dev batista Yet another exceptional illustration of innovation, I am glad to discover it. There are so many developers functioning on this section but this is one particular of the greatest modern imagined at any time. Many thanks for sharing it below.
devid orton I would really prefer to give out a useful website meant for online accommodation reservations recommended to my advice by my best colleague together with friends.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.