Looking for feedback on the advantages and disadvantages of VPN split tunneling. What are the security risks in using a split tunnel and how do they weigh against resource usage on the concentrator especially in high bandwidth consumption applications like video and streaming. Found the comments regarding IPV6 in the post below very interesting, thanks.
Split tunneling can, of course, reduce the cost of bandwidth for your organization. Cost is one of the main engineering constraints and can't be discounted, but this is a security board, so you'll get a security answer.
If you split the tunnel on the remote endpoint, you have two (or more) data paths. You're probably considering "send data for the corp network over the VPN and send everything else to the internet". That provides you, essentially, with a default route to your default gateway and then specific routes for your internal subnets pointed at the virtual tun/tap device which exists for the VPN.
From a security standpoint, you've essentially punched a hole in the perimeter which provides for the following:
If you're concerned about loads from streaming by VPN users, you probably just generally need to be concerned about loads from streaming. You're paying for twice the bandwidth for the same stream if you send it over VPN, but maybe your users don't need to be streaming in the first place, depending on your organizational policies. Again, this isn't to discount the cost constraint, or the load placed on the server. But weakening your security posture on purpose because you're concerned that people might be watching too much YouTube on their work machines when working remotely sounds like an HR issue and not a technical issue.
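The two data paths described above can be made concrete with a small routing model. This is an added example, not code from the thread or from any poster: it builds constructed route tables (documentation and RFC 1918 prefixes, hypothetical interface names eth0 and tun0), resolves destinations by longest-prefix match the way a host does, and reports which address families have a default route that bypasses the VPN. The last check is the IPv6 point raised in the question: a "full tunnel" that only pushes an IPv4 default route still leaves native IPv6 traffic on the direct path.

```python
import ipaddress

# Constructed route tables: (prefix, outgoing interface). Addresses are from
# documentation / private ranges and do not describe any real network.
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "eth0"),         # default route: straight to the local ISP
    ("10.0.0.0/8", "tun0"),        # corporate IPv4 subnet, via the VPN tun device
    ("192.168.100.0/24", "tun0"),  # a second internal subnet, also via the VPN
    ("::/0", "eth0"),              # IPv6 default: also direct
]

FULL_TUNNEL_IPV4_ONLY = [
    ("0.0.0.0/0", "tun0"),         # VPN client pushed an IPv4 default route...
    ("::/0", "eth0"),              # ...but the host's native IPv6 default remains
]

FULL_TUNNEL = [
    ("0.0.0.0/0", "tun0"),
    ("::/0", "tun0"),
]


def parse_routes(routes):
    """Turn (prefix, iface) strings into (ip_network, iface) pairs."""
    return [(ipaddress.ip_network(prefix), iface) for prefix, iface in routes]


def next_hop(routes, dst):
    """Longest-prefix match: the most specific route of the same address family wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in parse_routes(routes):
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best[1] if best else None


def classify(routes, destinations):
    """Map each destination to the interface its packets would leave on."""
    return {dst: next_hop(routes, dst) for dst in destinations}


def bypass_paths(routes, vpn_iface="tun0"):
    """Return the address families whose default route does not point at the VPN.

    For a split-tunnel policy this is expected. For a policy that intends
    'everything over the VPN', a non-empty result is a leak to investigate.
    """
    leaks = []
    for net, iface in parse_routes(routes):
        if net.prefixlen == 0 and iface != vpn_iface:
            leaks.append("IPv%d" % net.version)
    return leaks


if __name__ == "__main__":
    sample = ["10.1.2.3", "203.0.113.10", "2001:db8::1"]
    for name, table in [("split", SPLIT_TUNNEL),
                        ("full (IPv4 only)", FULL_TUNNEL_IPV4_ONLY),
                        ("full", FULL_TUNNEL)]:
        print(name, classify(table, sample), "bypassing VPN:", bypass_paths(table))
```

Run it as a script to see, for each table, where the three sample destinations are routed and which families bypass the tunnel. On a real client the same check is done by reading the host's IPv4 and IPv6 routing tables after the VPN connects, rather than from constructed lists.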
A quick and brief comparison.
Only traffic that needs to come across the VPN crosses and “non-work related” traffic will not consume VPN bandwidth
Latency will not suffer for end users while web surfing
Users get best performance of whatever ISP they are connected to
Security should monitor all traffic on a remote client to protect against malware on the internet.
Auditing of all Internet access is not possible in this configuration if you require it from a compliance standpoint.
Users' web browsing activity should be protected by encryption of the VPN connection in case they are in a coffee shop, on public Wi-Fi, or face man-in-the-middle attacks.
Split tunnelling and the risks around it have been an industry debate for as long as I can remember (well, since VPN clients have been around anyway). Whilst a little dated, an article here describes the debate and the lack of agreement (although the author does lean in one direction).
Performance aside (and that is a big contributor to the decision), one of the main things I've encountered which tends to influence things is that of home printing. Bypassing this on a forced tunnel can be problematic, at least.
Debates around malware protection / infection are spurious in my mind, as these will happen anyway, VPN or not.
To a malicious / disgruntled employee however with a bit of technical knowledge, split tunnelling can be a very good way of enabling exfiltration of data. (SSH tunnel through the "trusted" company endpoint to an internal corporate service, copy whatever data you want in and out - including rate limiting if you want to stay under the radar). Quite a challenge to mitigate - although I will freely admit that it's probably easier to copy the data from a share whilst in the office, and then on to your home NAS when at home (DLP solutions don't tend to look at network file shares ...)
There are methods to mitigate - and newer technologies such as CASBs may help, although increasing levels of paranoia = more expensive.
My personal opinion though? Protect the data - not the device. Ensure your access controls / monitoring etc. over your corporate and customer data are appropriate according to its level of confidentiality (don't spend too much time protecting stuff people can Google). At that point, the debate around split tunnelling is largely a moot point!
Remember the main purpose of a VPN is to protect the confidentiality of the data in transmission and, to a certain degree, its integrity. If your primary use case for a remote user's connection is to provide secure transmission of confidential information, then you would obviously lean towards not utilizing a split tunnel VPN.
But fwwidget, you are quite right in that deciding to allow or use that configuration is a decision weighing usability and functionality vs security, and that may be the deciding factor.
If you need to monitor that endpoint more rigorously due to regulatory requirements, such as in the USA with regards to the processing and transmission of ePHI, then it's security that weighs in and a split tunnel VPN is not a suggested configuration.