Posts Tagged ‘split tunneling’

By Patrick Oliver Graf, General Manager of Americas, NCP engineering

Last week, we provided an overview of split and full tunnel configurations. Here, we delve a bit deeper to explore the security benefits of this technology.

Split tunneling has a variety of advantages:

  • It only transmits data that actually requires the protection of a VPN. This leads to smaller workloads for VPN clients, servers and gateways.
  • It enables strict separation of corporate Internet traffic and private Internet use.
  • It conserves bandwidth within the VPN connection since it does not have to transmit private data.

Despite these gains, many IT administrators still have reservations about split tunneling. Most notably, some believe split tunneling is a security risk because some data traffic is separated from the secure VPN tunnel and is not directed through the secure gateway. Others criticize the split tunneling concept as being too complicated and requiring specialized VPN clients. These concerns are further fueled by fears that an attacker might somehow be able to use the private Internet connection to gain access to the corporate network, which the user accesses through the VPN.

However, none of these points holds up on inspection. Firstly, for a private Internet connection to be routed into the VPN, the client would have to have bridging activated, that is, forwarding of packets between its physical network interface and the tunnel interface. This is not a default setting. Moreover, an administrator can use a group policy to deactivate the bridging feature and prevent the user from re-enabling it.

Additionally, the concern about infecting the corporate network with malware over the private connection is only partially valid. Almost every company runs antivirus software that removes malware before it reaches the company intranet, and the Internet is not the only source of viruses and Trojans: USB drives and DVDs can infect a user’s PC just as well. Seen this way, the added risk of infection from split tunneling is hardly significant.

Split tunneling does not make a company network unmanageable, but its manageability does depend on the quality of the VPN components in use. VPN gateways and clients such as the NCP Secure VPN Client support both full tunneling and split tunneling; the configuration effort is minimal, and the client runs on several platforms, including Windows 8, Linux, Mac and Android.

The bottom line is that split tunneling should not be considered a security risk. However, client systems that use this technology should always be up-to-date. For example, security patches have to be installed promptly; personal firewall and antivirus engines have to be activated and updated on a regular basis; and potentially risky features, like bridging, have to be deactivated permanently.
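The host-side conditions listed above (forwarding kept off, and, where policy demands it, the default route really inside the tunnel) can be checked mechanically. The following is an added example written for this page, not code from NCP or from its client: it parses the text of Linux `sysctl` and `ip route` output, and the sample output, interface names (`eth0`, `tun0`) and addresses are constructed for the illustration.

```python
"""Host-side audit of a Linux VPN client against the split-tunnel hygiene
rules above: no forwarding ("bridging") between the physical and tunnel
interfaces, and, where policy demands full tunneling, default routes that
really point into the tunnel.  The functions parse the text of `sysctl` and
`ip route` output; the samples below are constructed for this example, not
captured from a real host."""

import re

# Constructed sample of `sysctl -a | grep forward` on a misconfigured client:
# IPv4 forwarding is on globally and on eth0, which is exactly the bridging
# the text says must stay off.
SAMPLE_SYSCTL_BAD = """\
net.ipv4.ip_forward = 1
net.ipv4.conf.eth0.forwarding = 1
net.ipv6.conf.all.forwarding = 0
"""

# Constructed sample of the same knobs on a compliant client.
SAMPLE_SYSCTL_OK = """\
net.ipv4.ip_forward = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv6.conf.all.forwarding = 0
"""

# Constructed `ip route` / `ip -6 route` output for a split-tunnel client:
# only the corporate prefixes go via tun0, both defaults stay on eth0.
SAMPLE_ROUTES_V4_SPLIT = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.10.0.0/16 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
"""

SAMPLE_ROUTES_V6_SPLIT = """\
default via fe80::1 dev eth0 proto ra metric 100
2001:db8:100::/48 dev tun0 metric 50
fe80::/64 dev eth0 proto kernel metric 256
"""

# Constructed full-tunnel table: the tunnel default has the lower metric, so
# `ip route` lists it first and it is the one the kernel actually uses.
SAMPLE_ROUTES_V4_FULL = """\
default via 10.8.0.1 dev tun0 metric 50
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
"""


def forwarding_enabled(sysctl_text):
    """Return every forwarding-related sysctl key whose value is non-zero.
    An empty list means the host cannot relay packets between interfaces."""
    enabled = []
    for line in sysctl_text.splitlines():
        m = re.match(r"^\s*(\S+)\s*=\s*(\d+)\s*$", line)
        if m and "forward" in m.group(1) and int(m.group(2)) != 0:
            enabled.append(m.group(1))
    return enabled


def parse_routes(route_text):
    """Parse `ip route` lines into (prefix, dev) pairs in table order; the
    literal string 'default' is kept as the prefix of default routes."""
    routes = []
    for line in route_text.splitlines():
        fields = line.split()
        if fields and "dev" in fields:
            routes.append((fields[0], fields[fields.index("dev") + 1]))
    return routes


def default_route_dev(route_text):
    """Device of the first (lowest-metric, hence active) default route,
    or None if the table has no default at all."""
    return next((dev for pfx, dev in parse_routes(route_text) if pfx == "default"), None)


def classify_tunnel_mode(route_text, tunnel_dev):
    """'full' if the active default route leaves via the tunnel, 'split' if
    the default goes elsewhere but some prefixes are routed into the tunnel,
    'none' if the tunnel device carries no routes at all."""
    if default_route_dev(route_text) == tunnel_dev:
        return "full"
    if any(dev == tunnel_dev for _pfx, dev in parse_routes(route_text)):
        return "split"
    return "none"


def audit(sysctl_text, routes_v4, routes_v6, tunnel_dev="tun0", require_full=False):
    """Findings a compliance check would report.  With require_full=False a
    default route outside the tunnel is the expected split-tunnel state and
    not a finding; with require_full=True it is flagged per address family."""
    findings = [f"forwarding enabled: {key}" for key in forwarding_enabled(sysctl_text)]
    for family, text in (("IPv4", routes_v4), ("IPv6", routes_v6)):
        mode = classify_tunnel_mode(text, tunnel_dev)
        if require_full and mode != "full":
            findings.append(f"{family} default route bypasses {tunnel_dev} (mode={mode})")
    return findings
```

On a real client the two inputs would come from `sysctl -a` and `ip route show` / `ip -6 route show`; both address families are checked separately because a host can be in full-tunnel mode for IPv4 and still send its IPv6 traffic straight to the ISP.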

Full tunneling is the better alternative for companies and public authorities with extremely high security requirements, but they have to accept the added effort that comes with it: more powerful VPN systems and “big pipes” for the VPN data traffic. Prohibiting private use of the company computer simply to keep the data volume within limits is no longer a realistic alternative. Ultimately, it comes down to efficiency: companies that restrict employee access to corporate information also limit overall productivity.

By Patrick Oliver Graf, General Manager of Americas, NCP engineering

Split tunneling is not a new concept in the realm of remote access networking. The technology emerged in the 1990s to allow VPN users to access a public network and a LAN or WAN simultaneously. But despite this longevity, its merits and security continue to be disputed. So what is the reality? Should split tunneling be allowed, or should IT administrators steer clear?

First, let’s take a closer look at how split tunneling works. VPNs use basically two types of virtual tunnel for secure data transmission: full tunnels and split tunnels. In full tunnel mode, a remote corporate user establishes an Internet connection from a client PC, and all of that PC’s traffic then runs through the VPN. This naturally includes the user’s private traffic: every time the user browses the web, whether shopping on eBay, checking personal email or accessing the company CRM, the traffic passes through the company VPN gateway.

In certain cases, a full tunnel configuration is necessary. For example, a company that cooperates frequently and closely with partners and gives its employees access to IT systems inside the partners’ networks, say to order lists or product data, should take a full tunnel approach. In this scenario the remote user reaches the partner’s servers only through the corporate VPN gateway and cannot reach them over any other connection.

The other configuration, the split tunnel, sends only traffic destined for websites or other IT services inside the corporate network through the VPN tunnel. All other connections, such as Facebook or web mail, go from the client PC directly to the providers’ servers, and downloads from external websites never pass through the corporate network or the VPN.

Now that you have an overview of split and full tunnel configurations, it’s time to take a closer look at their application. Tune in next time to learn the advantages of split tunneling and when full tunneling might be a better alternative.

We recently spoke to NCP engineering’s Swen Baumann about split tunneling and its role in IPv6, and how to best deploy it when working remotely. 

VPN Haus: How is split tunneling impacted by IPv6 dual-stack networking?

Swen: The main thing to remember is, split tunneling needs to be specifically configured. For instance, in a “dual-stacked” world – which implements both IPv4 and IPv6 stacks — you will have to configure either both or only one, depending on which stacks you plan to use. Once you’ve completed this configuration, split tunneling will be processed — no matter if the traffic is IPv4 or IPv6. Simply put, to enable split tunneling on IPv6, you only need to configure the stack – but otherwise it should run smoothly.

VPN Haus: How does split tunneling differ from inverse split tunneling?

Swen: I know it’s stating the obvious, but it’s inverse. Here’s what that means. With conventional split tunneling you configure some networks that are to be processed within the tunnel, which means there are others not to be taken into the tunnel. With inverse split tunneling it is just the other way round. You configure those networks that are not to be processed through the tunnel, and all the rest will be taken into the tunnel. In other words, split tunneling becomes the rule — not the exception.

VPN Haus: In cases of split tunneling for the home office, do you recommend the corporate VPN be set as the default gateway to first route all traffic, dropping those requests deemed unnecessary to secure?

Swen: Usually yes. But ultimately, it depends on the security policies of the company. Generally, the recommended approach is to direct all of the traffic into the corporate tunnel, so that all of the company’s security protocols can apply to the traffic and fulfill the organization’s security needs.

Editor’s Note: For part one, click here.
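The routing decisions described in the overview of full and split tunnels, and the two policy styles Swen contrasts in the interview above (a conventional include list versus an inverse exclude list, each evaluated per IP stack), can be written down as a small model. This is an added example for this page, not NCP’s configuration format or client code; the prefixes, destination addresses and class name are constructed for the illustration. It also shows the dual-stack trap from the first answer: under an include list, a stack with no configured prefixes tunnels nothing, and a full tunnel is simply an inverse policy with an empty exclude list.

```python
"""Model of the two split-tunnel policy styles from the interview: a
conventional include list (only listed networks enter the tunnel) and an
inverse exclude list (everything enters the tunnel except listed networks),
evaluated per address family so a dual-stack client behaves predictably.
Added example; the prefixes and destination addresses are constructed and
the class is not NCP's configuration format."""

import ipaddress


class SplitTunnelPolicy:
    """networks: IPv4 and/or IPv6 prefixes as strings.
    inverse=False -> include list (conventional split tunneling).
    inverse=True  -> exclude list (inverse split tunneling).  An empty
    exclude list is therefore a full tunnel: every destination is tunneled."""

    def __init__(self, networks, inverse=False):
        self.inverse = inverse
        self.networks = [ipaddress.ip_network(n, strict=False) for n in networks]

    def covers_family(self, version):
        """True if at least one prefix of this IP version is configured.
        Under an include list, an unconfigured stack tunnels nothing."""
        return any(net.version == version for net in self.networks)

    def _listed(self, addr):
        # Only compare within the same address family; a v6 address can
        # never match a v4 prefix and vice versa.
        return any(net.version == addr.version and addr in net for net in self.networks)

    def goes_through_tunnel(self, dst):
        """Decide, for one destination address, whether a packet to it is
        sent into the VPN tunnel (True) or straight to the local Internet."""
        addr = ipaddress.ip_address(dst)
        listed = self._listed(addr)
        return (not listed) if self.inverse else listed

    def decisions(self, dsts):
        """Map each destination to 'tunnel' or 'direct'."""
        return {d: ("tunnel" if self.goes_through_tunnel(d) else "direct") for d in dsts}

    def leaks(self, dsts):
        """Destinations that bypass the tunnel under this policy, for a
        quick 'what does this policy leave on the public side?' review."""
        return [d for d in dsts if not self.goes_through_tunnel(d)]


# Constructed destinations: a corporate IPv4 host, a corporate IPv6 host,
# a public IPv4 web server, a public IPv6 host, the home LAN router and a
# link-local IPv6 neighbour.
SAMPLE_DESTINATIONS = [
    "10.10.4.7",
    "2001:db8:100::25",
    "93.184.216.34",
    "2001:db8:999::1",
    "192.168.1.1",
    "fe80::1",
]

# Conventional split tunnel configured for both stacks.
CONVENTIONAL = SplitTunnelPolicy(["10.10.0.0/16", "2001:db8:100::/48"])

# Same idea, but only the IPv4 stack was configured: every IPv6 destination,
# including the corporate one, leaves the tunnel.
CONVENTIONAL_V4_ONLY = SplitTunnelPolicy(["10.10.0.0/16"])

# Inverse split tunnel: keep the home LAN and link-local traffic off the
# tunnel, send everything else, v4 and v6, through the corporate gateway.
INVERSE = SplitTunnelPolicy(["192.168.1.0/24", "fe80::/10"], inverse=True)

# Full tunnel (the default recommendation in the last answer), expressed as
# an inverse policy with nothing excluded.
FULL = SplitTunnelPolicy([], inverse=True)
```

Running `CONVENTIONAL_V4_ONLY.leaks(SAMPLE_DESTINATIONS)` is the quickest way to see why the interview insists on configuring both stacks: the corporate IPv6 host appears in the leak list alongside the public ones.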

By Daniel P. Dern

So, how does a company add IPv6 support? “Your operating systems have to be IPv6-ready,” said Rainer Enders, CTO, Americas, for NCP engineering. “Your network providers have to support IPv6, in a secure way. Check whether they support native IPv6 end-to-end, for a full backbone if possible, as opposed to ‘split tunneling’ – we feel the latter is not a good idea and have concerns about that approach. Some ISPs are already rolling out pure native IPv6, especially for business-class service, and some will soon also be doing this on the consumer side.”

Split tunneling is when a VPN user accesses a public network and a LAN or WAN over the same network connection. The public-network side, however, can become a threat to the LAN or WAN if the client that sits on both is compromised.

If IPv6 isn’t available end-to-end within your enterprise, “We recommend staying with IPv4 for now,” says Enders. “This is some of why IPv6 is slow to roll out. And you have to make sure all the relevant components are fully IPv6-compliant.”

Meanwhile, advises Enders, “If I were shopping for an IPsec or VPN technology, I would look for a vendor that offers a true dual-stack implementation of IPv6 and IPv4, so you are future-proofed. And the same applies when you have a refresh cycle — make sure you are getting true native support for IPv6.”

This provisioning includes any broadband gateways that home or remote users are given, as well as desktop operating systems. (Note: Both Windows 7 and MacOS include IPv6 support; however, this does not guarantee that applications will work with IPv6.)

Steven J. Vaughan-Nichols, editor-in-chief of Practical Technology and independent contributor to publications including IEEE Spectrum and ZDnet, says, “IPv6 will make IPsec more popular than ever. After all, IPsec runs on IPv6. So, if you’re using IPsec-based VPNs today, one worry you’re not going to have about migrating to IPv6 is replacing or tuning IPsec. It’s already baked in.”

Daniel P. Dern is a freelance technology writer based in Newton Center, MA.  You can read more of his work at his website or technology blog.