4.6 Split Tunneling

A term common to VPN discussions is "split tunneling." It refers to how a host routes traffic while a VPN tunnel is up. A common scenario is a remote client on a SOHO (small office/home office) network that establishes a VPN tunnel to a corporate gateway. That client has two options for sending data. When split tunneling is used, only traffic destined for the network behind the VPN gateway is encrypted and sent down the VPN tunnel; packets destined for other remote sites are routed normally. When split tunneling is disabled, all packets are sent through the VPN tunnel, whatever their destination.

While the definition of split tunneling is simple enough, the consequence of allowing or disallowing split tunneling should be considered when planning the implementation of a security policy.

Allowing split tunneling for VPN clients improves the performance of both the client's Internet connection and the corporate Internet connection. Referring to Exhibit 2, on the left we see a client sending packets to the corporate network encrypted over the VPN. When the client sends to an Internet site that is not part of the VPN, however, those packets are routed normally over the Internet. Compare this to the illustration on the right, which shows a network with split tunneling disabled. All traffic from the client PC is sent over the VPN. That means that for general Internet traffic, each packet must first be encrypted, sent over the VPN, routed across the remote company network, and then sent over the Internet to its ultimate destination. Return traffic follows the same process in reverse. This not only adds delay to the user experience, it also increases the bandwidth usage of the corporate network. The advantage of not allowing split tunneling for VPN clients is that all traffic must pass through the company network. Remote user traffic is therefore subject to the same security policy that users on the LAN must follow. It also makes it harder for the company to be threatened by an attacker who compromises a remote client and then launches an attack from that client into the corporate network. If split tunneling is allowed, it is possible for a remote attacker to take control of the user's computer over the Internet and then use the client PC's VPN connection as a tunnel directly into the company LAN.

Exhibit 2: Split Tunneling (figure; left panel: split tunneling enabled, right panel: split tunneling disabled)

Most VPN solutions allow administrators to choose whether to enable split tunneling. This can be configured on the VPN gateway and pushed to all clients. Generally, split tunneling is prohibited while the VPN is active and enabled when the VPN is inactive. This means that while the VPN is connected, all user traffic is encrypted and sent over the company LAN.
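The routing behaviour described above, and the difference between the two tables a gateway can push to a client, can be made concrete with a small model. The following is an added example, not code from the book or from any VPN product: it represents the client's routing table with Python's `ipaddress` module, applies the longest-prefix-match rule a host uses, traces the path a packet takes under each policy, and includes a simple audit check that tells whether a given table allows split tunneling. The interface names (`tun0`, `eth0`), the corporate and SOHO prefixes, and the sample destination addresses are all constructed assumptions.

```python
"""Split tunneling modelled as a VPN client's routing table: lookup, path and policy audit.

Added example. Interface names, prefixes and addresses are constructed, not from the book.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

TUNNEL_IF = "tun0"   # VPN tunnel interface (assumed name)
UPLINK_IF = "eth0"   # client's local Internet uplink (assumed name)


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str


# Constructed sample networks: the corporate LAN behind the VPN gateway and the SOHO LAN.
CORPORATE_NET = ip_network("10.0.0.0/8")
SOHO_NET = ip_network("192.168.1.0/24")
DEFAULT = ip_network("0.0.0.0/0")


def client_routes(split_tunneling: bool) -> list[Route]:
    """Routing table a gateway would push to a connected client under each policy."""
    routes = [Route(SOHO_NET, UPLINK_IF), Route(CORPORATE_NET, TUNNEL_IF)]
    # The only difference between the two policies is where the default route points:
    # at the local uplink (split tunneling on) or into the tunnel (split tunneling off).
    routes.append(Route(DEFAULT, UPLINK_IF if split_tunneling else TUNNEL_IF))
    return routes


def lookup(routes: list[Route], dst: str) -> Route:
    """Longest-prefix match, the rule a host's forwarding table applies."""
    addr = ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        raise ValueError(f"no route to {dst}")
    return max(matches, key=lambda r: r.prefix.prefixlen)


def path(routes: list[Route], dst: str) -> list[str]:
    """Hops a packet traverses to dst.

    Tunnel traffic is encrypted and re-emerges at the VPN gateway, so with split
    tunneling disabled an Internet-bound packet crosses the corporate network and
    leaves through the corporate Internet uplink before reaching its destination.
    """
    route = lookup(routes, dst)
    if route.interface != TUNNEL_IF:
        return ["client", "local Internet uplink", "destination"]
    hops = ["client", "encrypt", "VPN gateway", "corporate LAN"]
    if ip_address(dst) not in CORPORATE_NET:
        hops.append("corporate Internet uplink")
    hops.append("destination")
    return hops


def allows_split_tunneling(routes: list[Route]) -> bool:
    """Audit check: split tunneling is in effect if the default route bypasses the tunnel."""
    return any(r.prefix == DEFAULT and r.interface != TUNNEL_IF for r in routes)


if __name__ == "__main__":
    # Constructed destinations: one corporate host and one public Internet host.
    for split in (True, False):
        table = client_routes(split)
        print(f"split tunneling {'enabled' if split else 'disabled'} "
              f"(audit says allowed={allows_split_tunneling(table)})")
        for dst in ("10.1.2.3", "203.0.113.5"):
            print(f"  {dst:12} via {lookup(table, dst).interface}: {' -> '.join(path(table, dst))}")
```

Running the script prints both tables side by side: the corporate host always goes through `tun0`, while the Internet host takes the short direct path only when split tunneling is enabled. The `allows_split_tunneling` check is the kind of assertion a client-side posture check or a gateway configuration review would apply when the policy is "no split tunneling while the VPN is active": any default route that does not point into the tunnel is a policy deviation.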

Split tunneling also has some applications for wireless network security. For companies that have needed secure wireless connectivity on short notice, it has been possible to create a VPN over the wireless network to a VPN device. By prohibiting split tunneling over this VPN connection, only encrypted traffic is ever sent over the wireless network.




Network Perimeter Security: Building Defense In-Depth
ISBN: 0849316286
Year: 2004
Pages: 119
Authors: Cliff Riggs
