VPN Split-Tunneling – To Enable or Not To Enable

Virtual Private Networks (VPNs) deliver substantial security to individual users as well as corporations and governments. A VPN establishes an encrypted tunnel between its two endpoints, typically the remote client and the VPN concentrator. Traffic on the front end (inside the individual's local network, before it enters the tunnel) and on the back end (between the concentrator and systems on the destination network) is not encrypted by the VPN unless the application or another network component provides that protection.

While encryption delivers a critical security component, utilizing VPNs may introduce new risks to networks. These risks include threats from outsiders as well as the undermining of other internal security controls.

When deploying technology, organizations must understand the unintended consequences of their actions. Business requirements must lead technology decisions, rather than information technology professionals leading the way. Implementing split-tunneling, which allows end-user traffic that is not destined for the corporate network to bypass the VPN, creates numerous additional risks for entities utilizing VPNs.

Virtual Private Networks
VPN technology appeared early in the life of the public internet and still enjoys wide use throughout the world, primarily in government and corporate environments. Because TCP/IP provides no confidentiality or authentication of its own, virtual private networks came about to create secure protocols between remote users and systems.

VPNs provide both benefits and drawbacks. A key facet of using a VPN for remote access is deciding what, and how much, traffic to send down the tunnel. When creating a VPN, network engineers have the option to enable "split-tunneling," which determines which traffic traverses the VPN and which goes directly out over the user's local internet connection.

Split Tunneling
Enabling split-tunneling reduces traffic on corporate networks, increases speed through reduced latency for specific tasks, and grants privacy to end users. These benefits, primarily the reduced load on internal networks, lead most organizations to turn on split tunneling when they set up their virtual private networks. Users who understand this technology appreciate the privacy and the enhanced performance that comes from shorter routing paths.

Since many businesses suffer bandwidth constraints, the decision to enable split tunneling becomes an easy one. Unfortunately, a failure to understand the inherent drawbacks opens these organizations up to new risks.

Visualize a user in Virginia who works for a company in California. When that user accesses network resources (email, file servers, corporate applications including payroll) at the corporate data center, their connection traverses most of the United States. When that user also wants to access internet resources located in New York, it makes no sense to route that traffic to the corporate data center in California, out to New York, back to California, and then to Virginia.

With split tunneling enabled, the user's traffic simply goes from Virginia to New York over their personal internet service provider (ISP) connection. Note that all of this holds true for cloud deployments as well: rather than a corporate office in California, imagine an AWS data center in Oregon.

Downsides Exist
While split tunneling offers obvious benefits, risks abound as well. Information security professionals place defensive technology throughout corporate environments to protect endpoints and prevent users from performing certain tasks, both intentionally and accidentally.

Environments utilizing split tunneling allow end-users to bypass certain devices, including proxy servers designed to block and track internet usage. Additionally, if an end-user's own network is insecure, they put the corporate systems at risk as well. Specifically, if an attacker has compromised an employee's home network, the split tunnel leaves the employee's computer exposed to that network while it holds an active tunnel into the corporate network, giving the attacker a potential path into corporate systems. Once a bad actor has access to the same network hosting the company computer, the corporate network is at risk.

Users may also circumvent corporate DNS, intrusion detection and prevention systems, data loss prevention devices, and many more controls. Each of these technologies plays a key role in both communication and data protection. Bypassing these devices in the name of a performance increase and/or traffic reduction may not make sense.

Proxy servers exist to limit traffic to disreputable websites and enable organizations to track what their employees are doing. Among other benefits, proxies protect corporate endpoints from communicating with command-and-control servers run by attackers. Organizations also implement these devices to monitor and throttle traffic. Examples include limiting and/or removing access to streaming sites such as Spotify, YouTube, Netflix, and many others.

If an employee works through a split tunnel, an infected system will send data to command-and-control systems without corporate IT having any visibility. At the same time the system is communicating with a malicious host, the employee may be spending their time browsing unacceptable sites on company time. With split tunneling enabled, the business has zero visibility into either the technological risk or the impact on employee productivity.
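The following Python script is an added illustration, not code from the original article. It models the routing decision described in the Virginia/New York example above and then shows, over a constructed set of outbound connections, which flows the corporate proxy/IDS/DLP stack sees under a split-tunnel policy versus a full-tunnel policy. The policy is expressed the way WireGuard's AllowedIPs setting expresses it: a list of destination prefixes that are sent into the tunnel, with 0.0.0.0/0 meaning "everything." The corporate prefixes, the sample destinations (drawn from the RFC 5737 documentation ranges) and their descriptions are all assumptions made for the example.

```python
import ipaddress

# Assumed corporate address space, reachable only through the VPN concentrator.
CORP_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12")]

# Tunnel policies in the style of WireGuard's AllowedIPs: the set of destinations
# routed into the tunnel interface. A split tunnel lists only corporate prefixes;
# a full tunnel lists the default route so every packet goes to the concentrator.
SPLIT_TUNNEL = CORP_PREFIXES
FULL_TUNNEL = [ipaddress.ip_network("0.0.0.0/0")]


def routed_via_vpn(dst, allowed_ips):
    """Return True if traffic to dst enters the tunnel under the given policy.

    This mirrors the host routing decision: if any tunnel route covers the
    destination, the packet goes to the VPN interface; otherwise it takes the
    ISP's default route and leaves the corporate security stack behind.
    """
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in allowed_ips)


# Constructed sample of outbound connections from a remote laptop.
# (destination IP, what it is). Addresses are documentation ranges, not real hosts.
SAMPLE_FLOWS = [
    ("10.20.30.40", "mail server in corporate data center"),
    ("172.20.5.9", "payroll application"),
    ("203.0.113.77", "news site in New York"),
    ("198.51.100.23", "streaming video"),
    ("192.0.2.200", "suspected command-and-control host"),
]


def inspected_flows(allowed_ips, flows=SAMPLE_FLOWS):
    """Flows that traverse the tunnel and therefore pass the corporate proxy/IDS/DLP."""
    return [desc for dst, desc in flows if routed_via_vpn(dst, allowed_ips)]


def bypassed_flows(allowed_ips, flows=SAMPLE_FLOWS):
    """Flows that leave directly over the user's ISP, invisible to corporate controls."""
    return [desc for dst, desc in flows if not routed_via_vpn(dst, allowed_ips)]


if __name__ == "__main__":
    for name, policy in (("split tunnel", SPLIT_TUNNEL), ("full tunnel", FULL_TUNNEL)):
        print(f"{name}: inspected = {inspected_flows(policy)}")
        print(f"{name}: bypassed  = {bypassed_flows(policy)}")
```

Running the script shows the trade-off concretely: under the split-tunnel policy only the two corporate destinations are inspected, while the news site, the streaming site and the suspected command-and-control host all leave over the ISP link unseen; under the full-tunnel policy all five flows pass through the corporate controls, at the cost of hairpinning the three internet destinations through the data center.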

Decision Considerations
While VPNs offer extensive data security, the network implications and additional risks introduced with split-tunneling cannot be overlooked. When creating a remote work policy, organizations must decide deliberately what they want to do about split-tunneling. Unintended consequences exist in every technology deployment.

Businesses need to understand the architectural decisions that go into an implementation and clearly understand the impact of those decisions. One size does not fit all, and architects and engineers need to understand business needs before making technical decisions. Deploying a split-tunneling VPN provides organization-wide benefits; however, the ultimate question is whether those benefits outweigh the newly introduced risks.

The comments and statements in this article are my own and don't necessarily represent IBM's positions, strategies or opinions.