VPN experts downplay 'splitting' headache

Most say split tunneling does not necessarily undermine security.

By Tim Greene, Network World
February 24, 2003 12:11 AM ET
At a time when protecting corporate networks is paramount, many users are steering clear of a feature of IP Security VPNs called split tunneling, a move that can give a false sense that remote-access networks are more secure than they really are, experts say.

Split tunneling was created to allow Web surfing and corporate VPN access simultaneously from remote PCs. The benefit of split tunneling is that corporations can conserve bandwidth needed for Internet access at VPN hub sites and reduce the load on VPN gateways.

But with this feature, if a remote PC is connected directly to the Web and at the same time tied into the VPN, attackers coming on from the Web could commandeer the PC and gain access to the corporate network.

"Vulnerabilities with the [PC's operating system] and the applications running on the client might expose the VPN, since the client machine is essentially acting as a type of router," says Kurtis Lawson, a network engineer with NetCare Services, a network consultancy.

While this could happen, it is unlikely, experts say.

"The security threats are theoretically possible, but you should spend your time worrying about other things," says Paul Hoffman, executive director of the VPN Consortium, a group of VPN vendors working toward interoperability.

"Users need to make sure they don't rely on split tunneling to do more than it can provide," says Wray West, former CTO of VPN vendor Indus River, now part of Enterasys.

"It's one of the challenges of security. People are desperate to get a handle on it and can oversimplify it," he says. "Blocking split tunneling is a little safer than not blocking it, but not hugely safer."

Shut off split tunneling

Shutting off split tunneling isn't a cure-all to fend off attacks, because the integrity of the remote PC doesn't have to be compromised while it is connected to the VPN to cause damage. It can just as easily be compromised while the user is Web surfing with the VPN tunnel turned off, then do damage the next time the VPN is turned on. Viruses or back doors downloaded while surfing would threaten the VPN, West says.

Using personal firewalls on all the remote PCs would mitigate the threat of them being compromised, but properly installing, configuring and updating them would create more work. And remote users could disconnect them to free up processing power to improve Internet response time. Some VPN vendors, including Check Point, Cisco and NetScreen Technologies, are trying to combat this via optional policy servers that run configuration checks before remote PCs can log on.

The best way to rule out Web-borne attacks is to prevent all PC Internet use except to connect to the VPN, and that is just what a major Pennsylvania food manufacturer is doing, says the company's network architect. While he could not allow use of his company's name, he says company-issued PCs are locked down by the IT staff before they are handed out so users cannot surf.

If split tunneling is denied, remote users still can surf the Web, but only through the VPN. In the absence of split tunneling, Web browsing is funneled over the VPN to the central VPN gateway, tying up gateway processor time and eating up bandwidth on that site's Internet link. Then the traffic is routed back onto the Internet over the same link, eating bandwidth a second time.
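The two behaviours described in the article (corporate traffic through the tunnel while Web traffic goes straight to the ISP, versus everything forced through the central VPN gateway) come down to the remote PC's routing table. The following is an added example, not code from the article or from any VPN vendor mentioned in it: a small longest-prefix-match simulation with constructed route tables and a constructed traffic sample. The corporate prefix 10.0.0.0/8, the next-hop labels "vpn-tunnel" and "local-isp", the destination addresses and the byte counts are all assumptions chosen for illustration. It also works through the bandwidth point: Internet-bound bytes that are pushed through a full tunnel cross the hub site's Internet link twice.

```python
import ipaddress

# Constructed route tables (assumptions, not from the article).
# Each entry is (destination prefix, next hop); longest prefix wins.
SPLIT_TUNNEL_ROUTES = [
    ("10.0.0.0/8", "vpn-tunnel"),  # corporate address space goes through the tunnel
    ("0.0.0.0/0", "local-isp"),    # everything else leaves the PC directly to the ISP
]

FULL_TUNNEL_ROUTES = [
    ("10.0.0.0/8", "vpn-tunnel"),
    ("0.0.0.0/0", "vpn-tunnel"),   # default route is also forced through the tunnel
]

CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate prefix

# Constructed traffic sample from one remote PC: (destination, bytes sent).
# 198.51.100.0/24 and 203.0.113.0/24 are RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    ("10.1.2.3", 5_000),        # file server on the corporate LAN
    ("10.1.9.9", 2_000),        # intranet web server
    ("198.51.100.7", 40_000),   # public website
    ("203.0.113.25", 30_000),   # another public website
]


def select_route(dst, routes):
    """Longest-prefix match: return the next hop the PC would use for dst."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def direct_internet_path_present(routes):
    """True when some route sends traffic straight to the ISP while the tunnel
    is up, i.e. the split-tunnel condition the article's experts discuss: the
    PC is reachable from the Internet and from the corporate network at once."""
    return any(hop == "local-isp" for _, hop in routes)


def gateway_link_load(flows, routes):
    """Bytes crossing the VPN hub site's Internet link for the given flows.

    Corporate-bound bytes cross that link once (inside the tunnel).
    Internet-bound bytes forced through the tunnel cross it twice: once
    inside the tunnel to the gateway, and again when the gateway forwards
    them back out to the Internet over the same link."""
    total = 0
    for dst, size in flows:
        if select_route(dst, routes) != "vpn-tunnel":
            continue  # went directly to the local ISP; hub link untouched
        if ipaddress.ip_address(dst) in CORPORATE_NET:
            total += size
        else:
            total += 2 * size
    return total


if __name__ == "__main__":
    for name, routes in (("split tunnel", SPLIT_TUNNEL_ROUTES),
                         ("full tunnel", FULL_TUNNEL_ROUTES)):
        print(f"{name}: direct Internet path present = "
              f"{direct_internet_path_present(routes)}, "
              f"hub link load = {gateway_link_load(SAMPLE_FLOWS, routes)} bytes")
```

With the constructed sample, the split-tunnel table puts only the 7,000 corporate bytes on the hub's link while the full-tunnel table puts 147,000 bytes there (7,000 plus twice the 70,000 bytes of Web traffic), which is the cost the article says companies pay for denying split tunneling. The `direct_internet_path_present` check is the routing-table symptom that policy-checking VPN clients look for; as the article's sources note, it says nothing about whether the PC was already compromised before the tunnel came up.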
