VPN experts downplay 'splitting' headache

Most say split tunneling does not necessarily undermine security.

At a time when protecting corporate networks is paramount, many users are steering clear of a feature of IP Security VPNs called split tunneling, a move that can give a false sense that remote-access networks are more secure than they really are, experts say.

Split tunneling was created to allow Web surfing and corporate VPN access simultaneously from remote PCs. The benefit of split tunneling is that corporations can conserve bandwidth needed for Internet access at VPN hub sites and reduce the load on VPN gateways.

But with this feature, if a remote PC is connected directly to the Web and at the same time tied into the VPN, attackers coming on from the Web could commandeer the PC and gain access to the corporate network.

"Vulnerabilities with the [PC's operating system] and the applications running on the client might expose the VPN, since the client machine is essentially acting as a type of router," says Kurtis Lawson, a network engineer with NetCare Services, a network consultancy.

While this could happen, it is unlikely, experts say.

"The security threats are theoretically possible, but you should spend your time worrying about other things," says Paul Hoffman, executive director of the VPN Consortium, a group of VPN vendors working toward interoperability.

"Users need to make sure they don't rely on split tunneling to do more than it can provide," says Wray West, former CTO of VPN vendor Indus River, now part of Enterasys.

"It's one of the challenges of security. People are desperate to get a handle on it and can oversimplify it," he says. "Blocking split tunneling is a little safer than not blocking it, but not hugely safer."

Shut off split tunneling

Shutting off split tunneling isn't a cure-all to fend off attacks, because the integrity of the remote PC doesn't have to be compromised while it is connected to the VPN to cause damage. It can just as easily be compromised while the user is Web surfing with the VPN tunnel turned off, then do damage the next time the VPN is turned on. Viruses or back doors downloaded while surfing would threaten the VPN, West says.

Using personal firewalls on all the remote PCs would mitigate the threat of them being compromised, but properly installing, configuring and updating them would create more work. And remote users could disconnect them to free up processing power to improve Internet response time. Some VPN vendors, including Check Point, Cisco and NetScreen Technologies, are trying to combat this via optional policy servers that run configuration checks before remote PCs can log on.

The best way to rule out Web-borne attacks is to prevent all PC Internet use except to connect to the VPN, and that is just what a major Pennsylvania food manufacturer is doing, says the company's network architect. While he would not allow his company's name to be used, he says company-issued PCs are locked down by the IT staff before they are handed out so users cannot surf.

If split tunneling is denied, remote users still can surf the Web, but only through the VPN. In the absence of split tunneling, Web browsing is funneled over the VPN to the central VPN gateway, tying up gateway processor time and eating up bandwidth on that site's Internet link. Then the traffic is routed back onto the Internet over the same link, eating bandwidth a second time.

Running Web traffic through the VPN subjects the traffic to screening by the corporate firewall and, for those who want it, to centralized content filtering to keep users away from restricted sites. Traffic coming through one router is easier to log.

But users should also be prepared to take the predictable hit on Internet bandwidth consumption when they turn off split tunneling, Hoffman says. If bandwidth and the load on the VPN gateway are not issues, then denying split tunneling will do no harm, he says.

For those who decide to allow it, experts recommend these precautions as a way to minimize risk:

  • Require use of a personal firewall on remote PCs.
  • Make sure PC operating systems and applications have updated security patches.
  • Require use of virus-scanning software and update it religiously.
  • Use a policy server that denies VPN access unless the remote machine has proper security installed and turned on.
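As an added illustration (not code from the article or from any vendor named in it), the sketch below shows what the policy-server check in the last item could look like alongside a route-table test that tells split from full tunneling. The client report format, route list, interface name `tun0` and the patch label are constructed for this example.

```python
from datetime import date
from ipaddress import ip_network

TODAY = date(2003, 5, 12)  # constructed "current" date for the signature-age check

# Constructed sample posture reports; the field names and (prefix, interface) route
# format are assumptions for this example, not any real VPN client's protocol.
SPLIT_CLIENT = {
    "routes": [("0.0.0.0/0", "eth0"), ("10.0.0.0/8", "tun0"), ("172.16.0.0/12", "tun0")],
    "firewall_enabled": True, "av_enabled": True,
    "av_signature_date": date(2003, 5, 10), "missing_patches": [],
}
FULL_CLIENT = {
    # only the host route to the gateway's public address stays outside the tunnel
    "routes": [("0.0.0.0/0", "tun0"), ("203.0.113.7/32", "eth0")],
    "firewall_enabled": False, "av_enabled": True,
    "av_signature_date": date(2003, 4, 1), "missing_patches": ["example-critical-patch"],
}

def tunnel_mode(routes, tunnel_if="tun0"):
    """Return ("full" or "split", prefixes routed outside the tunnel).
    Split tunneling means the default route (0.0.0.0/0) does not go through the VPN
    interface: the PC reaches the Internet directly while also holding corporate routes."""
    default_if = next((i for p, i in routes if ip_network(p).prefixlen == 0), None)
    outside = [p for p, i in routes if i != tunnel_if]
    return ("full" if default_if == tunnel_if else "split"), outside

def posture_problems(report, today=TODAY, max_sig_age_days=7):
    """The article's precautions as a checklist: firewall on, AV on and current, patched."""
    problems = []
    if not report["firewall_enabled"]:
        problems.append("personal firewall disabled")
    if not report["av_enabled"]:
        problems.append("antivirus disabled")
    age = (today - report["av_signature_date"]).days
    if age > max_sig_age_days:
        problems.append(f"antivirus signatures {age} days old")
    if report["missing_patches"]:
        problems.append("missing patches: " + ", ".join(report["missing_patches"]))
    return problems

def access_decision(report, today=TODAY, tunnel_if="tun0"):
    """Deny on posture failure whatever the tunnel mode: a full tunnel does not undo a
    compromise picked up earlier while surfing with the VPN off. Mode is kept for logging."""
    mode, outside = tunnel_mode(report["routes"], tunnel_if)
    problems = posture_problems(report, today)
    return {"decision": "deny" if problems else "allow", "mode": mode,
            "outside": outside, "problems": problems}

if __name__ == "__main__":
    for name, rep in (("split client", SPLIT_CLIENT), ("full client", FULL_CLIENT)):
        print(name, access_decision(rep))
```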

Copyright © 2003 IDG Communications, Inc.