Making Sense of Split Tunneling: Part 2

By Patrick Oliver Graf, General Manager of Americas, NCP engineering

Last week, we provided an overview of split and full tunnel configurations. Here, we delve a bit deeper to explore the security benefits of this technology. Split tunneling has several advantages:

- It transmits only the data that actually requires the protection of a VPN, which reduces the workload on VPN clients, servers and gateways.
- It enforces a strict separation between corporate traffic and private Internet use.
- It conserves bandwidth on the VPN connection, since private traffic never enters the tunnel.

Despite these gains, many IT administrators still have reservations about split tunneling. Most notably, some believe split tunneling is a security risk because part of the data traffic bypasses the VPN tunnel and is never inspected by the secure gateway. Others criticize the concept as too complicated and as requiring specialized VPN clients. These concerns are fueled further by the fear that an attacker might use the private Internet connection to pivot into the corporate network that the user reaches through the VPN. None of these points holds up on closer inspection. First, for traffic from the private Internet connection to be routed into the VPN, the client would have to have bridging mode activated, and that is not a default setting. Moreover, an administrator can use a group policy to deactivate the bridging feature and prevent the user from enabling it. Second, the concern about infecting the corporate network with malware through the private connection is only partially valid. On the one hand, almost every company uses antivirus software to eliminate malware before...

Making Sense of Split Tunneling: Part 1

By Patrick Oliver Graf, General Manager of Americas, NCP engineering

Split tunneling is not a new concept in remote access networking. The technology emerged in the 1990s to let VPN users reach a public network and a LAN or WAN at the same time. Despite this longevity, its merits and its security are still disputed. So what is the reality: should split tunneling be allowed, or should IT administrators steer clear of it? First, let's take a closer look at how split tunneling works.

In VPNs there are basically two types of virtual tunnel that enable secure data transmission: full tunnels and split tunnels. In full tunnel mode, a remote corporate user establishes an Internet connection from a client PC, and all of that connection's traffic runs through the VPN. This naturally includes the user's private traffic. As a result, every time the user surfs the web, whether to shop on eBay, check personal email or open the company CRM, the traffic passes through the company VPN gateway. In certain cases a full tunnel configuration is necessary. For example, a company that works closely with its partners and lets employees reach IT systems inside the partners' networks should take a full tunnel approach; this lets employees and partners access order lists or product data, for instance. In this scenario the remote user reaches the partner's servers only through the corporate VPN gateway and cannot access them over any other connection. The other configuration, the split tunnel, sends through the VPN tunnel only the data exchanged with a website or another IT service inside the corporate network....

Q&A with Swen Baumann, product manager at NCP engineering

We recently spoke to NCP engineering's Swen Baumann about split tunneling, its role in IPv6, and how best to deploy it when working remotely.

VPN Haus: How is split tunneling impacted by IPv6 dual-stack networking?

Swen: The main thing to remember is, split tunneling needs to be specifically configured. For instance, in a "dual-stacked" world, which implements both IPv4 and IPv6 stacks, you will have to configure either both or just one, depending on which stacks you plan to use. Once you've completed this configuration, split tunneling will be processed, no matter if the traffic is IPv4 or IPv6. Simply put, to enable split tunneling on IPv6, you only need to configure the stack; otherwise it should run smoothly.

VPN Haus: How does split tunneling differ from inverse split tunneling?

Swen: I know it's stating the obvious, but it's inverse. Here's what that means. With conventional split tunneling you configure some networks that are to be processed within the tunnel, which means there are others not to be taken into the tunnel. With inverse split tunneling it is just the other way round. You configure those networks that are not to be processed through the tunnel, and all the rest will be taken into the tunnel. In other words, split tunneling becomes the rule, not the exception.

VPN Haus: In cases of split tunneling for the home office, do you recommend the corporate VPN be set as the default gateway to first route all traffic, dropping those requests deemed unnecessary to secure?

Swen: Usually yes. But ultimately, it depends on the security policies...
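As an added illustration, not part of the interview and not NCP's client code, the following Python models the two route-selection rules Swen describes (conventional and inverse split tunneling) and then runs the dual-stack check an administrator would want: does every address of every internal service, IPv4 and IPv6, actually land in the tunnel? The prefixes, service names and addresses are constructed for the example, and `audit_dual_stack` is a helper written here, not a feature of any product.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Constructed example data (assumptions for this illustration, not a real deployment).
CORP_V4 = "10.0.0.0/8"           # corporate IPv4 range
CORP_V6 = "fd00:1::/64"          # corporate IPv6 (ULA) range
HOME_LAN_V4 = "192.168.1.0/24"   # home-office LAN, excluded from the tunnel in inverse mode

# Internal services with both an A and an AAAA record, as a dual-stack client resolves them.
INTERNAL_SERVICES = [
    ("intranet", ["10.1.2.3", "fd00:1::23"]),
    ("crm", ["10.7.0.10", "fd00:1::7a"]),
]


def most_specific_match(dst: str, prefixes: Iterable[str]):
    """Return the longest configured prefix that contains dst, or None.

    An address-family mismatch never matches: an IPv4-only prefix list
    says nothing about IPv6 destinations, which is the point of the audit below.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=False)
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best.prefixlen:
                best = net
    return best


def route_decision(dst: str, prefixes: Iterable[str], inverse: bool = False) -> Tuple[str, Optional[str]]:
    """Decide whether dst goes into the tunnel or directly to the Internet.

    Conventional split tunneling: a configured prefix means "tunnel", everything else goes direct.
    Inverse split tunneling: a configured prefix means "direct", everything else goes into the tunnel.
    Returns (action, matched_prefix).
    """
    net = most_specific_match(dst, prefixes)
    matched = net is not None
    if inverse:
        action = "direct" if matched else "tunnel"
    else:
        action = "tunnel" if matched else "direct"
    return action, (str(net) if matched else None)


def audit_dual_stack(services, prefixes, inverse: bool = False) -> List[Tuple[str, str]]:
    """List (service, address) pairs a dual-stack client would send outside the tunnel.

    An empty result means every address of every internal service is tunnelled
    under the given configuration; anything listed is a leak of internal traffic.
    """
    leaks = []
    for name, addrs in services:
        for a in addrs:
            action, _ = route_decision(a, prefixes, inverse)
            if action != "tunnel":
                leaks.append((name, a))
    return leaks


if __name__ == "__main__":
    # Conventional split tunneling configured for IPv4 only: the IPv6 side of each service leaks.
    print(audit_dual_stack(INTERNAL_SERVICES, [CORP_V4]))
    # Both stacks configured: nothing leaks.
    print(audit_dual_stack(INTERNAL_SERVICES, [CORP_V4, CORP_V6]))
    # Inverse split tunneling: only the home LAN is excluded; all other traffic, either stack, tunnels.
    print(route_decision("192.168.1.20", [HOME_LAN_V4], inverse=True))
    print(route_decision("2001:db8::7", [HOME_LAN_V4], inverse=True))
```

The first audit call is the case Swen warns about: a dual-stack client with split tunneling configured only for IPv4 resolves an internal name to its AAAA record and sends that traffic outside the tunnel. In inverse mode the unconfigured stack errs the other way, into the tunnel, which is why the default-gateway-through-the-VPN approach he recommends is the safer starting point.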

Don’t Worry, IPv6 Won’t Break Your Existing IPsec VPN, Part 2

Editor's Note: For part one, click here.

By Daniel P. Dern

So, how does a company add IPv6 support? "Your operating systems have to be IPv6-ready," said Rainer Enders, CTO, Americas, for NCP engineering. "Your network providers have to support IPv6, in a secure way. Check whether they support native IPv6 end-to-end, for a full backbone if possible, as opposed to 'split tunneling'; we feel the latter is not a good idea and have concerns about that approach. Some ISPs are already rolling out pure native IPv6, especially for business-class service, and some will soon also be doing this on the consumer side."

Split tunneling is when a VPN user reaches a public network and a LAN or WAN at the same time, over the same network connection. If the client is compromised from the public side, the public network becomes a threat to the LAN or WAN.

If IPv6 isn't available end-to-end within your enterprise, "We recommend staying with IPv4 for now," says Enders. "This is some of why IPv6 is slow to roll out. And you have to make sure all the relevant components are fully IPv6-compliant." Meanwhile, advises Enders, "If I were shopping for an IPsec or VPN technology, I would look for a vendor that offers a true dual-stack implementation of IPv6 and IPv4, so you are future-proofed. And the same applies when you have a refresh cycle: make sure you are getting true native support for IPv6." This provisioning includes any broadband gateways that home or remote users are getting, and also desktop operating systems. (Note: Both Windows 7 and MacOS include IPv6 support; however, this does...