Split Tunneling: Part II

Posted: February 4, 2010 by vpnhaus in Troubleshoot

Last month, we wrote about Rene Poot’s thoughts on split tunneling.  Here is the second installment from that conversation:

Split tunneling can also be used in conjunction with the local firewall that comes with the NCP client. Rather than locking the user into the tunnel as described earlier, one can also just use a shorter list of the subnets or hosts that can be reached from home via the VPN tunnel at the corporate side, and all others are simply dropped by the local VPN client’s firewall. The user can then try to access expedia.com (our example from before), but it is simply dropped.

It all depends on how securely one wants to lock down this remote resource. He or she can extend the full restrictive measures imposed on the corporate environment to the machine at home or on the road as if they’re still partaking in the central network, or choose to be less restrictive using a combination of split tunneling and firewall rules on the client.

It should be mentioned that Cisco gateways will most often ‘publish’ these ‘whitelists’ to the client during the negotiations, and so the ‘split tunneling’ list is populated automatically.  Other gateways don’t supply this, and so the client MUST either define it manually or automatically be locked in.
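To make the three client behaviours described above concrete, here is a small added model of the decision logic (example code written for this post, not NCP's or Cisco's own software): the whitelist is taken from the gateway when it pushes one, from manual configuration otherwise, and when neither exists the client falls back to a locked-in full tunnel. The mode names, function names and the sample addresses (documentation ranges) are all constructed for the example.

```python
import ipaddress
from enum import Enum


class Mode(Enum):
    FULL_TUNNEL = "full_tunnel"        # locked in: every packet goes through the VPN
    SPLIT = "split"                    # whitelisted subnets via VPN, the rest out the local link
    SPLIT_FIREWALLED = "split_fw"      # whitelisted subnets via VPN, the rest dropped by the client firewall


def build_policy(gateway_pushed, manual, firewall_enforced):
    """Derive the effective client policy.

    gateway_pushed: CIDR strings the gateway published during negotiation (may be empty).
    manual:         CIDR strings configured on the client by hand (may be empty).
    firewall_enforced: True if the client firewall drops everything outside the whitelist.
    Returns (Mode, list of ip_network).
    """
    # A pushed list takes precedence; otherwise fall back to the manual list.
    source = gateway_pushed if gateway_pushed else manual
    nets = [ipaddress.ip_network(cidr, strict=False) for cidr in source]
    if not nets:
        # No whitelist from anywhere: the client can only be locked in.
        return Mode.FULL_TUNNEL, []
    return (Mode.SPLIT_FIREWALLED if firewall_enforced else Mode.SPLIT), nets


def route_packet(dst, mode, nets):
    """Return 'tunnel', 'local' or 'drop' for a destination address under the policy."""
    ip = ipaddress.ip_address(dst)
    if mode is Mode.FULL_TUNNEL:
        return "tunnel"
    if any(ip in net for net in nets):
        return "tunnel"
    # Outside the whitelist: the client firewall decides between drop and local egress.
    return "drop" if mode is Mode.SPLIT_FIREWALLED else "local"


if __name__ == "__main__":
    # Constructed scenario: no pushed list, a manual corporate whitelist, firewall enforced.
    mode, nets = build_policy([], ["10.0.0.0/8", "192.0.2.0/24"], firewall_enforced=True)
    for dst in ("10.20.30.40", "192.0.2.7", "203.0.113.10"):
        print(dst, "->", route_packet(dst, mode, nets))
```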

A helpful resource Rene recommends is the Security Now podcast, episode 208.

Follow this discussion on Twitter @VPNHaus
