AppDefects
Community Champion

WFH Epic Fail: VPN Split Tunneling

Think your communications are safe? What about that connection to your corporate application? Many corporate VPNs simply allow sensitive data to shuffle across the Internet. How? They allow split tunneling (previous discussion is here). IT loves to offload as much traffic as they can onto the Internet. In this new era of WFH, don't you think you should be reviewing your VPN traffic and shaping policies? Buckle up or lose your data.

5 Replies
CraginS
Defender I


@AppDefects wrote:

Think your communications are safe? What about that connection to your corporate application? Many corporate VPNs simply allow sensitive data to shuffle across the Internet. How? They allow split tunneling (previous discussion is here). IT loves to offload as much traffic as they can onto the Internet. In this new era of WFH, don't you think you should be reviewing your VPN traffic and shaping policies? Buckle up or lose your data.


"But if I don't have split tunnel how can I send my office report to my printer at home?"

That was the basic complaint years ago when colleagues on WFH days learned of that limitation. IT chiefs, CIOs and CISOs should hold firm on the rule of no split tunnels, and point out those folks can work just fine without paper copies.

Craig

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts
Early_Adopter
Community Champion

Amen.

HTCPCP-TEA
Contributor I

Recently had the exact same conversation with C-suite - not interested in stirring the hornet's nest during the current crisis.

So, implemented a new sort of split tunnel based on route at source. All our cloud apps are now routed over VPN and then internet, allowing all other traffic to go out locally. It's not perfect, at all, but it's a better middle ground to build from.

Fun times.

denbesten
Community Champion


@CraginS wrote:

"But if I don't have split tunnel how can I send my office report to my printer at home?"

Or, allow split tunnelling to 192.168.0.0/16. Fixes local printers while still intercepting the Internet.

Security is more about finding a balance everyone can accept than just enforcing "best practices".
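The two compromises proposed in this thread, HTCPCP-TEA's route-at-source include list and denbesten's RFC 1918 exclusion, can be modelled as a small policy check. The following is an added example, not code from any poster; the prefix values are constructed, and the check is IPv4-only.

```python
"""Model of the two split-tunnel policies discussed in this thread (added
example, not any poster's configuration).

  * "exclude" mode (denbesten): everything goes over the VPN except the listed
    prefixes; the leak check confirms those prefixes stay inside RFC 1918 space
    so that Internet-bound traffic is still intercepted.
  * "include" mode (HTCPCP-TEA): only the listed corporate/cloud prefixes go
    over the VPN; everything else goes out locally by design.

All prefixes and addresses below are constructed sample values. IPv4 only."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def vpn_exclusions_leak_internet(exclusions):
    """Return the exclusion prefixes that are not entirely private address
    space. Any such prefix lets Internet traffic bypass the VPN, which is the
    leak the original post warns about. An empty list means only LAN
    traffic (home printer and the like) is exempt from the tunnel."""
    leaks = []
    for prefix in exclusions:
        net = ipaddress.ip_network(prefix, strict=False)
        if not any(net.subnet_of(private) for private in RFC1918):
            leaks.append(str(net))
    return leaks


def route_for(dst, mode, prefixes):
    """Decide whether a packet to `dst` is sent over the VPN or locally.
    mode "exclude": VPN unless dst matches a prefix (default-to-VPN).
    mode "include": local unless dst matches a prefix (route at source)."""
    addr = ipaddress.ip_address(dst)
    matched = any(addr in ipaddress.ip_network(p, strict=False)
                  for p in prefixes)
    if mode == "exclude":
        return "local" if matched else "vpn"
    if mode == "include":
        return "vpn" if matched else "local"
    raise ValueError("mode must be 'exclude' or 'include'")


if __name__ == "__main__":
    excl = ["192.168.0.0/16"]
    print(route_for("192.168.1.50", "exclude", excl))   # printer on the LAN: local
    print(route_for("203.0.113.10", "exclude", excl))   # public web host: vpn
    # A careless catch-all exclusion is reported as an Internet leak.
    print(vpn_exclusions_leak_internet(["192.168.0.0/16", "0.0.0.0/0"]))
```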

Caute_cautim
Community Champion

Hi All

But there are alternatives to split tunneling.

Just ensure you have a printer which accepts a Bluetooth or WiFi connection from the work desktop locally.

You are in control of the printer, i.e. it is almost beside you; it is part of your own local network.

The alternatives are filtering and egress monitoring, all of which are overheads which the organisation may not implement, but actually put the emphasis on the individual abiding by the corporate regulations, Acceptable Use Policy or similar. Or in fact monitor discreetly via usage of remote agents.

Regards

Caute_cautim