Split VPN tunnel

During studying for information assurance, I have read that split tunnels are bad. You basically have your VPN tunnel exposed to the world through the PC with the split tunnel. Is this still considered a bad practice? My current employer is using split tunnels, and I am wondering if there is something I am missing.

The big positive for using split-tunneling is that it doesn’t use your central internet to serve all of your remote clients; otherwise everything hairpins back through the VPN endpoint. This slows down connections and puts more load on the central internet connection. It is a security concern, but it can be a life-saver for companies with a slower central connection.

While not the best practice, it is sometimes necessary. For instance, we had field staff visiting client sites that would need to connect back to home office resources while also connecting to client network resources. The main issue is the use case for the VPN.

I have yet to run into a business that doesn’t have much lower hanging “security fruit” than having split-tunnel VPNs.

It does open a security hole. Someone could use the PC as a jump point from the internet into the private network.

Split tunneling has its uses, but generally, for security/compliance reasons, it is not considered best practice. Some standards, like NIST SP 800-53, have controls that prohibit this (in this case, control SC-7(7) PREVENT SPLIT TUNNELING FOR REMOTE DEVICES). There may be scoping implications with other standards, like PCI DSS. To tell the truth, it really just depends on the specific circumstance, the network and system configurations and roles, what (if any) security control standards apply, etc.

Denying split tunneling is somewhat more likely to cause problems than allowing split tunneling. But the nature of VPNs is to cause complications^1 and to conflict with each other, so the actual best answer is to use no VPNs of your own, and only use the VPNs of other organizations when you have no reasonable alternative.

  • ^1 Path MTU, TCP-in-TCP congestion control problems, routing conflicts, and IPv4 address range overlap problems, primarily. Other classes of problems are rarer, but happen.
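Two of the points raised in this thread can be checked on a client rather than argued about: whether the host is actually split-tunneled (the "jump point" concern and the NIST SC-7(7) control), and whether the local LAN's address range overlaps the corporate ranges reached through the VPN (the footnote's "IPv4 address range overlap" problem). The following routing-table audit is an added example, not code from any poster in this thread. It assumes a hypothetical VPN interface named tun0, a hypothetical corporate prefix list, and route lines in `ip route show` format; the sample routing tables are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical assumptions for this audit (not from the thread).
VPN_IFACE = "tun0"                 # interface the VPN client creates
CORP_PREFIXES = ["10.0.0.0/8"]     # address space that should only be reached via the VPN
PROBE_ADDR = "203.0.113.10"        # TEST-NET-3 address standing in for "the internet"


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str


def parse_ip_route(text):
    """Parse `ip route show`-style lines; only the destination and `dev` matter here."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        iface = None
        for i, tok in enumerate(parts):
            if tok == "dev" and i + 1 < len(parts):
                iface = parts[i + 1]
        routes.append(Route(ipaddress.ip_network(dest, strict=False), iface))
    return routes


def interface_for(routes, addr):
    """Longest-prefix match: which interface carries traffic to `addr`?"""
    target = ipaddress.ip_address(addr)
    best = None
    for r in routes:
        if target in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best.iface if best else None


def is_split_tunnel(routes, vpn_iface=VPN_IFACE, probe=PROBE_ADDR):
    """True when internet-bound traffic leaves via a non-VPN interface.

    Longest-prefix matching (instead of only looking for a `default` line) also
    recognises full-tunnel clients that install 0.0.0.0/1 and 128.0.0.0/1 via
    the VPN rather than replacing the default route.
    """
    return interface_for(routes, probe) != vpn_iface


def overlapping_prefixes(routes, corp_prefixes=CORP_PREFIXES, vpn_iface=VPN_IFACE):
    """Local (non-VPN) routes whose prefix overlaps corporate address space.

    A client LAN that happens to use a corporate range shadows the VPN route
    for those addresses, so corporate hosts in that range become unreachable.
    """
    corp = [ipaddress.ip_network(p) for p in corp_prefixes]
    hits = []
    for r in routes:
        if r.iface == vpn_iface or r.prefix.prefixlen == 0:
            continue
        for c in corp:
            if r.prefix.overlaps(c):
                hits.append((str(r.prefix), r.iface, str(c)))
    return hits


# Constructed sample routing tables (not captured from any real host).
SPLIT_SAMPLE = """\
default via 192.168.1.1 dev wlan0
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20
"""

FULL_SAMPLE = """\
default via 192.168.1.1 dev wlan0
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0
192.168.1.0/24 dev wlan0
"""

OVERLAP_SAMPLE = """\
default via 10.0.0.1 dev wlan0
10.0.0.0/8 via 10.8.0.1 dev tun0
10.0.0.0/24 dev wlan0 proto kernel scope link src 10.0.0.42
"""


def audit(text):
    """Summarise the SC-7(7)-style findings for one routing-table snapshot."""
    routes = parse_ip_route(text)
    return {
        "split_tunnel": is_split_tunnel(routes),
        "internet_via": interface_for(routes, PROBE_ADDR),
        "overlaps": overlapping_prefixes(routes),
    }


if __name__ == "__main__":
    for name, sample in [("split", SPLIT_SAMPLE), ("full", FULL_SAMPLE), ("overlap", OVERLAP_SAMPLE)]:
        print(name, audit(sample))
```

Run against a real client, the output of `ip route show` can be fed to `audit()` to produce evidence for a "no split tunneling" control, and the overlap check explains the otherwise puzzling case where a remote user can reach some corporate hosts but not others.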

One of the biggest hospitals in the US just pulled all their split tunnels from contractors. Times are changing.