This article on protecting remote workers promotes "split tunneling" as a good thing. I totally disagree with that premise - maybe it is all those years of working under a mountain. I have yet to see any organization take the time to actually analyze the traffic of their remote workforce BEFORE deciding on an appropriate split tunnel configuration.
For instance, I've seen many organizations offload "web browsing traffic" because it is simply not connecting to a business application. What is in place today with split tunneling configuration is simply OOTB default dumbness. One example is offloading and permitting simultaneous connections to an enterprise network and PasteBin.com at the same time. See any problem with that?
I'd like to hear your experience on configuring split tunneling. Maybe it works for you...
IMHO, the greatest gap with the stated article is not "split tunneling", but rather that it fails to take into account that the laptop ('s data) itself is a valuable corporate asset requiring protections similar to those provided on-site. This is a fundamental gap in almost every "zero trust" discussion.
That said, your interest is in discussing split tunneling. All that really means is sending different classes of traffic over different communications paths. I do not consider split tunneling inherently bad... provided each of the paths have adequate controls.
A great example of this is how my company handles remote offices. O365 induced network costs forced us to cease hairpinning all our web browsing through HQ. Our solution was to build VPNs over a commodity ISP at each office to a cloud-based web-application-firewall (WAF). All web browsing (including O365) uses the WAF, with the remaining traffic (15%) still flowing over the traditional wide-area-network. By every measure, this is a "split tunnel", but it also reduces costs while maintaining control on both paths.
Now that Work from Home is so huge, the next step is to do similar while off-site -- one VPN to HQ and one to the WAF, both built using apps installed on the laptop. The only traffic we intend to allow escaping one of these two paths is outbound to the locally-attached LAN segment for printers, cable modem management, accessing WiFi login screens, etc.
In my opinion, split tunneling itself is just a small piece. I'd like to look at bigger picture.
I'd like to look at the setup in a bigger picture. For example, are we inspecting all traffic coming through VPN? What protection we have on the endpoint? Are we leveraging cloud solutions to extend protection to remote workers?
With cloud managed endpoint solution, or cloud managed web proxy/traffic inspecting solution, you will be able to inspect traffic regardless endpoint is onsite, offsite, traffic go through VPN to HQ, or traffic is going out directly through split tunneling.
Because even if you don't use split tunneling and you have all the traffic going back to HQ through VPN, there is still a great risk of endpoint got infected/compromised while it's not on VPN. Then when the infected/compromised endpoint connect to VPN it will affect other machines. (Unless you are doing Always On VPN, that's another scenario with different challenge.)
@AppDefects wrote:This article on protecting remote workers promotes "split tunneling" as a good thing. I totally disagree with that premise ....
YHGTBSM!
The CTO of a VPN provider actually said that???
Well, she is not and apparently never has been a security specialist. The background noted in the interview is as a systems engineer and a CTO, never mentioning any security work.
I completely agree, split tunneling immediately puts the entire connected infrastructure of the enterprise at risk.
Remote workers beg for split tunneling so they can print documents away from the office. BAD IDEA to use split tunnels to provide that feature.
Ih really necessary (or boss into it by C-level officers), buy them a darn USB (wifi disabled) laser printer to have at home with the company laptop.
That particular VPN provider is now definitely off of any recommendation list or personal choice for me!
I worked on government sensitive but unclassified information remotely for 15+ years with a company laptop, encrypted drive, and enterprise VPN. Split Tunnel was absolutely verboten, as it should have been.
Craig
My previous employer permitted split tunneling, but only because the default permissive setting was not changed upon installation (as you said, "OOTB dumbness"). Also, it was not a competing requirement to fully comprehend the potential impact on our corporate network for enforcing split tunneling.
The org I work for now prohibits split tunneling, and every PC has far more substantial a defense-in-depth baseline requirement as well.
The article seems to point out that Nord is banking on zero-trust, so maybe that's why Ms. Gurinaviciute is taking such a bold step. As for me, now that I've experienced what it's like to fully secure endpoints and prohibit split-tunneling, I wouldn't dare go back.
On remote working for laptops... my take on the NW.
No split-tunnel.
No use of public Wi-Fi.
Everyone remote needs to use a secure access point at home or tether to their mobile device(admittedly this became viable because C-19 had decided that international travel wasn’t much of a thing anymore.
Snooping by family members guests is still a biggie, and people have loud voices too.
The true knowledge is above... or at least, your endpoints should only touch you infra, not other people’s dirty, filthy access points. Pop it all through the VPN and ‘beef up’... 🙂
im starting to worry about all those smartphones though... 😛
As an aside, not so relevant, but still a little here’s an advert for chocolate, Crunchy on the inside smooth on the outside vs armadillos crunchy on the outside, soft on the inside, alway tickled me with regards to Jericho Forum type conversations:
@Early_Adopter wrote:No use of public Wi-Fi.
Don't quite get why I ought to trust my user's home "Comcast" network any more than I trust "Starbucks". VPN implementations should universally implement something similar to Certificate pinning, where the client and head-end are both pre-configured to know what public cert the other side will be using. Then, to the extent that one trusts "encryption", one can trust that there is no MITM on the underlying transport.
For 20+ years now, my client VPN software has been configured to alert if the "key fingerprint" of the head-end changes (which sadly admin error has proven functional a few times and even more sad only 1% of the users reported-- blowing a hole in my entire argument).
That said, disabling the VPN and using Public WiFi ... without question that is bad mojo.
As I understood – in the article, they were talking NordVPNTeams way of implementing split tunnel that being used on a dedicated VPN server, NOT on the client. So it means that NOT all traffic goes to the campus – only that which is directed to the campus (HQ office) network, so all other traffic is safely encrypted and goes directly through the VPN server to the internet.
I think this is what they're speaking about:
https://pipelinepub.com/network-transformation-2021/NordVPN-teams-split-VPN-for-enterprises/3