Newcomer II

VPN Split tunnel pros and cons (especially for high bandwidth applications)

Looking for feedback on the advantages and disadvantages of VPN split tunneling. What are the security risks in using a split tunnel, and how do they weigh against resource usage on the concentrator, especially in high bandwidth consumption applications like video and streaming? Found the comments regarding IPv6 in the post below very interesting, thanks.

 

https://community.isc2.org/t5/Industry-News/Remote-Access-VPN/m-p/4527#M478

 

5 Replies
Contributor II

Re: VPN Split tunnel pros and cons (especially for high bandwidth applications)

Split tunneling can, of course, reduce the cost of bandwidth for your organization.  Cost is one of the main engineering constraints and can't be discounted, but this is a security board, so you'll get a security answer.

 

If you split the tunnel on the remote endpoint, you have two (or more) data paths.  You're probably considering "send data for the corp network over the VPN and send everything else to the internet".  That provides you, essentially, with a default route to your default gateway and then specific routes for your internal subnets pointed at the virtual tun/tap device which exists for the VPN.

 

From a security standpoint, you've essentially punched a hole in the perimeter which provides for the following:

  1. Excepting other proxies, your ability to control traffic to cloud services that allow file sharing (e.g. Dropbox, etc.) is potentially limited, as that traffic will leak outside the VPN tunnel and will not be routed through any edge devices you have in place to control that flow (app-aware firewall (NGFW), IPS, etc.)
  2. The endpoint no longer benefits from those same perimeter devices in terms of protection from threats such as drive-by exploits, malware downloads, phishing sites, etc. Endpoint agents mitigate the risk here, but you then lack the defense-in-depth of multiple security layers for that remote endpoint
  3. Assuming the endpoint is compromised, while the VPN connection exists the attacker has a foothold into the network. Essentially that compromised laptop becomes a pivot point from the internet into the trusted segment, bypassing the perimeter defenses.

 

If you're concerned about loads from streaming by VPN users, you probably just generally need to be concerned about loads from streaming.  You're paying for twice the bandwidth for the same stream if you send it over VPN, but maybe your users don't need to be streaming in the first place, depending on your organizational policies.  Again, this isn't to discount the cost constraint, or the load placed on the server. But weakening your security posture on purpose because you're concerned that people might be watching too much YouTube on their work machines when working remotely sounds like an HR issue and not a technical issue.

-- wdf//CISSP, CSSLP
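
The routing layout described in the reply above (a default route to the local gateway plus specific internal-subnet routes on the VPN device), as an added example that is not part of the thread: a longest-prefix-match audit that reports which address families reach the Internet outside the tunnel. The interface names `tun0` and `wlan0`, the prefixes and the probe addresses are constructed assumptions.

```python
import ipaddress

# Constructed sample tables (prefix, egress interface); "tun0" is the assumed
# VPN device and "wlan0" the assumed home network interface.
SPLIT_ROUTES = [
    ("0.0.0.0/0", "wlan0"),       # default route to the local gateway
    ("192.168.1.0/24", "wlan0"),  # home LAN
    ("10.0.0.0/8", "tun0"),       # internal subnets routed into the VPN
    ("172.16.0.0/12", "tun0"),
    ("::/0", "wlan0"),            # IPv6 default left on the local link
]
FULL_ROUTES = [
    ("0.0.0.0/0", "wlan0"),
    ("0.0.0.0/1", "tun0"),        # two /1 routes outrank the /0 default
    ("128.0.0.0/1", "tun0"),
    ("192.168.1.0/24", "wlan0"),
    ("::/0", "tun0"),
]
# Sample Internet destinations used only for route lookups, never contacted.
PROBES = {4: ["8.8.8.8", "203.0.113.10"], 6: ["2001:db8::1"]}


def egress_interface(routes, destination):
    """Longest-prefix match: interface a packet to `destination` leaves on."""
    addr = ipaddress.ip_address(destination)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, iface)
    return best[1] if best else None


def audit(routes, vpn_iface="tun0"):
    """Report which address families reach the Internet outside the tunnel."""
    bypass = {}
    for family, probes in PROBES.items():
        leaks = [p for p in probes
                 if egress_interface(routes, p) not in (vpn_iface, None)]
        if leaks:
            bypass[f"IPv{family}"] = leaks
    return {"mode": "split" if bypass else "full", "bypasses_vpn": bypass}


if __name__ == "__main__":
    for name, table in (("split", SPLIT_ROUTES), ("full", FULL_ROUTES)):
        print(name, audit(table))
```

In the full-tunnel table the home LAN prefix still resolves to `wlan0` because a /24 outranks the /1 routes, so local devices stay reachable while Internet-bound traffic does not bypass the tunnel.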
Newcomer I

Re: VPN Split tunnel pros and cons (especially for high bandwidth applications)

A quick and brief comparison.

Pros:

  - Only traffic that needs to come across the VPN crosses, and “non-work related” traffic will not consume VPN bandwidth
  - Latency will not suffer for end users while web surfing
  - Users get the best performance of whatever ISP they are connected to

Cons:

  - Security should monitor all traffic on a remote client to protect against malware on the internet.
  - Auditing of all Internet access is not possible in this configuration if you require it from a compliance standpoint.
  - Users' web browsing activity should be protected by encryption of the VPN connection in case they are in a coffee shop, on public Wi-Fi or face man-in-the-middle attacks.

Viewer III

Re: VPN Split tunnel pros and cons (especially for high bandwidth applications)

Split tunnelling and the risks around it have been an industry debate for as long as I can remember (well, since VPN clients have been around anyway).  Whilst a little dated, an article here describes the debate, and the lack of agreement (although the author does lean in one direction).

 

Performance aside (and that is a big contributor to the decision), one of the main things I've encountered which tends to influence things is that of home printing.  Bypassing this on a forced tunnel can be problematic at least.

 

Debates around malware protection / infection are spurious in my mind, as these will happen anyway, VPN or not.  

 

To a malicious / disgruntled employee however with a bit of technical knowledge, split tunnelling can be a very good way of enabling exfiltration of data.  (SSH tunnel through the "trusted" company endpoint to an internal corporate service, copy whatever data you want in and out - including rate limiting if you want to stay under the radar).   Quite a challenge to mitigate - although will freely admit that it's probably easier to copy the data from a share whilst in the office, and then on to your home NAS when at home (DLP solutions don't tend to look at network file shares ...)

 

There are methods to mitigate - and newer technologies such as CASBs may help, although increasing levels of paranoia = more expensive.

 

My personal opinion though?  Protect the data - not the device.  Ensure your access controls / monitoring etc. over your corporate and customer data are appropriate according to its level of confidentiality (don't spend too much time protecting stuff people can Google).  At that point, the debate around split tunnelling is largely a moot point!

Newcomer I

Re: VPN Split tunnel pros and cons (especially for high bandwidth applications)

Remember the main purpose of a VPN is to protect the confidentiality of the data in transmission and, to a certain degree, its integrity.  If your primary use case for a remote user's connection is to provide a secure transmission of confidential information, then you would obviously lean towards not utilizing a split tunnel VPN.

 

But fwwidget, you are quite right in that deciding to allow or use that configuration is a decision weighing usability and functionality vs security that may be the deciding factor.

 

If you need to monitor that endpoint more rigorously due to regulatory requirements, such as in the USA with regards to the processing and transmission of ePHI, then it's security that weighs in and split tunnel VPN is not a configuration suggested.

Newcomer III

Re: VPN Split tunnel pros and cons (especially for high bandwidth applications)

I've always thought that disabling split tunneling is a bit of a Security Theater type of thing. I think any of us can easily argue either side of this, but I think the security gains from split tunneling can also be had by good web filtering and other egress protections.