Making Sense of Split Tunneling: Part 2
By Patrick Oliver Graf, General Manager of Americas, NCP engineering
Last week, we provided an overview of split and full tunnel configurations. Here we look more closely at the advantages of split tunneling and at the security concerns that are usually raised against it.
Split tunneling has a variety of advantages:
- Only traffic that actually needs the protection of the VPN is sent through the tunnel. This means smaller workloads for VPN clients, servers and gateways.
- It keeps corporate traffic and the user's private Internet use strictly separate.
- It conserves bandwidth on the VPN connection and at the gateway, since private traffic never enters the tunnel.
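To make the routing decision behind these advantages concrete, here is an added Python model (not NCP code or any product's implementation) of how a client's route table decides, per destination, whether a packet goes into the tunnel or out the local ISP link. Full tunneling is simply the case where the default route points into the tunnel, with the VPN gateway itself kept reachable directly. The model also shows the one configuration mistake that turns split tunneling into a real exposure: a corporate prefix the client was never told about, which silently travels in the clear. All addresses, prefixes and the gateway IP are constructed sample values.

```python
"""Client-side routing model for split vs. full tunneling.

Added illustration, not code from NCP or any VPN product.  A VPN client
installs routes for the prefixes it protects; the OS then picks, per
packet, the most specific matching route (longest-prefix match).
All prefixes and addresses below are constructed sample values.
"""
import ipaddress
from typing import List, Optional, Tuple

# (prefix, egress) where egress is "vpn" (into the tunnel) or "direct" (ISP).
Route = Tuple[ipaddress.IPv4Network, str]

# Constructed sample values.
VPN_GATEWAY = ipaddress.ip_network("203.0.113.10/32")   # public IP of the gateway
CORPORATE = [                                            # prefixes that must be protected
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.100.0/24"),
    ipaddress.ip_network("172.16.5.0/24"),               # branch office, see below
]


def split_tunnel_routes() -> List[Route]:
    """Only the prefixes pushed to the client go into the tunnel.

    172.16.5.0/24 is deliberately missing to show what a forgotten
    corporate prefix does: it follows the ISP default route.
    """
    return [
        (ipaddress.ip_network("0.0.0.0/0"), "direct"),
        (ipaddress.ip_network("10.0.0.0/8"), "vpn"),
        (ipaddress.ip_network("192.168.100.0/24"), "vpn"),
    ]


def full_tunnel_routes() -> List[Route]:
    """Default route into the tunnel; the gateway must stay reachable
    directly, otherwise the tunnel would try to carry its own outer packets."""
    return [
        (ipaddress.ip_network("0.0.0.0/0"), "vpn"),
        (VPN_GATEWAY, "direct"),
    ]


def select_egress(dst: str, routes: List[Route]) -> str:
    """Longest-prefix match: the most specific route containing dst wins.

    A destination matching no route at all (e.g. an IPv6 address when only
    IPv4 routes exist) leaves by whatever native path the OS has, i.e.
    outside the tunnel, so it is reported as "direct".
    """
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = max(
        (r for r in routes if addr in r[0]),
        key=lambda r: r[0].prefixlen,
        default=None,
    )
    return best[1] if best is not None else "direct"


def find_leaks(routes: List[Route], corporate=CORPORATE) -> List[str]:
    """Corporate prefixes that would, wholly or partly, bypass the tunnel.

    A prefix leaks if no "vpn" route contains it entirely, or if a "direct"
    route more specific than its best "vpn" cover overlaps it (conservative:
    any such overlap is flagged, even if a still more specific vpn route
    happens to repair part of it).
    """
    leaks = []
    for corp in corporate:
        covering = [n for n, via in routes if via == "vpn" and corp.subnet_of(n)]
        if not covering:
            leaks.append(str(corp))                      # whole prefix goes direct
            continue
        best = max(covering, key=lambda n: n.prefixlen)
        carved = [n for n, via in routes
                  if via == "direct" and n.overlaps(corp) and n.prefixlen > best.prefixlen]
        if carved:
            leaks.append(str(corp))                      # part of it carved out to direct
    return leaks


if __name__ == "__main__":
    samples = ["10.1.2.3", "192.168.100.7", "172.16.5.10", "93.184.216.34", "203.0.113.10"]
    for name, routes in (("split", split_tunnel_routes()), ("full", full_tunnel_routes())):
        print(name, {d: select_egress(d, routes) for d in samples},
              "leaks:", find_leaks(routes))
```

Run as a script, the split profile routes 10.1.2.3 and 192.168.100.7 into the tunnel and sends 172.16.5.10 (the forgotten branch prefix) and the public address directly, and `find_leaks` reports `172.16.5.0/24`; the full profile sends everything except the gateway address into the tunnel and reports no leaks. The check is worth running against the prefix list actually pushed to clients whenever the corporate address plan changes.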
Despite these gains, many IT administrators still have reservations about split tunneling. Most notably, some believe split tunneling is a security risk because some data traffic is separated from the secure VPN tunnel and is not directed through the secure gateway. Others criticize the split tunneling concept as being too complicated and requiring specialized VPN clients. These concerns are further fueled by fears that an attacker might somehow be able to use the private Internet connection to gain access to the corporate network, which the user accesses through the VPN.
On closer inspection, these concerns are overstated. First, for traffic from the private Internet connection to be relayed into the VPN, the client has to have bridging mode (forwarding between the two paths) activated. This is not a default setting, and an administrator can use a group policy to deactivate the bridging feature and prevent the user from activating it. What no routing policy can prevent is malware running on the endpoint itself, which sees both paths; that is why the endpoint hygiene described at the end of this article matters more than the tunneling mode.
Second, the concern that malware picked up over the private connection will infect the corporate network is only partially valid. Almost every company uses antivirus software to stop malware before it even enters the company's intranet, and the Internet is far from the only infection vector: USB drives and DVDs can infect a user's PC just as well. Seen this way, the additional infection risk introduced by split tunneling is small.
Split tunneling does not make a company network unmanageable, but its manageability depends on the quality of the VPN components in use. VPN gateways and clients like the NCP Secure VPN Client support both full tunneling and split tunneling, require minimal configuration effort, and run on various platforms including Windows 8, Linux, Mac, and Android.
The bottom line is that split tunneling in itself should not be considered a security risk. The client systems that use it, however, must always be kept current: security patches have to be installed promptly, the personal firewall and antivirus engine have to be activated and updated regularly, and potentially risky features such as bridging have to be deactivated permanently.
Full tunneling remains the better choice for companies and authorities with extremely high security requirements. They have to accept the increased effort that comes with it and invest in more powerful VPN systems and "big pipes" for VPN data traffic. Prohibiting private use of the company computer in order to keep data volumes within limits is no longer a realistic alternative. Ultimately, it comes down to efficiency. After all, it doesn't take reams of data to know that companies that restrict employee access to corporate information also limit overall productivity.