Today’s modern networks require flexibility to allow workers to work from multiple locations. One of the most common methods to achieve remote network access is a Virtual Private Network (VPN). VPN’s can come in all shapes and sizes, from hosted to on-premises, to in the cloud, and can be built to fit all needs. However, one topic that is often overlooked is whether or not to allow VPN users to utilize split tunneling. Webopedia defines split tunneling as “The process of allowing a remote VPN user to access a public network, most commonly the Internet, at the same time that the user is allowed to access resources on the VPN.” The idea is a user has a tunnel to the corporate network to access any apps or shared drives through the VPN connection while still utilizing the local internet connection of the remote user for access to the web or local resources.
In terms of security, by enabling split tunneling you now have an open connection to your network which can send/receive traffic which does not pass through your organization’s perimeter security devices such as a firewall, IPS or IDS. This creates a situation where your organization cannot monitor web traffic on the remote device through the VPN connection.
Utilizing a split tunnel can also increase the possibility of data exfiltration out of the organization. If any controls are in place to prevent copy and pasting of data, these controls may now be ineffective because traffic is being sent outside of the organization’s Data Loss Prevention system (DLP). While it is certainly possible for this to occur with a full VPN tunnel, the task of preventing that data loss becomes much more difficult with a split VPN tunnel.
Another potential loss of security could be a result of the remote VPN user utilizing a public Internet connection. That user’s web traffic would not be encrypted by a VPN tunnel. As a result, any data not sent over the VPN can be susceptible to snooping if an unsecured protocol is used.
How to Mitigate the Risk of Split Tunneling
Protections to mitigate the risk of split tunneling should include first and foremost a valid BAA, which requires the third parties to verify the remote workstations are protected. For internal employees and contractors, the Acceptable Use Policy (AUP) should be signed and must outline the acceptable use of equipment. Secondly, employers should provide training to demonstrate the acceptable and non-acceptable uses of the device.
As far as the technical controls, a VPN agent, which can perform a health check and verify the device is compliant, should be implemented. This health check should verify that the operating system patches are installed, an anti-virus is installed, running and is updating regularly. Additionally, it is common practice to place a firewall in front of the VPN traffic however this firewall is generally not as robust as the perimeter firewall. A VPN firewall is the only protection for your network against malicious traffic traversing that VPN tunnel. If the proper configuration of the VPN firewall is in place it will protect your network against any malicious VPN traffic but it is a single layer of defense. As IT security is becoming more prominent it is common practice to implement multiple layers of defense in place to prevent a breach of data.
One of the most effective protections an organization can implement is strong network segmentation. Remote users should be limited to only access the systems that are required to perform their job functions. Restrictions should be in place to segment your network to prevent unlimited network access for remote users. It is all too common that our security professionals see remote-access VPNs that allow for complete unrestricted network access. Segmenting VPN connections to access only the required systems is paramount in creating a strong security posture. A strong network-wide segmentation practice can be the deciding factor in whether a company will experience a minor breach or a massive breach.
Split tunneling has its benefits. A split tunnel VPN will provide the remote user the fastest web browsing speed as now they can utilize the ISP they’re connected too instead of sending that traffic back through the business’s network. From a network standpoint, it will decrease the bandwidth in use for the VPN traffic as now only business functions will be sent over the VPN and other traffic will flow directly through the remote users’ ISP connection. And remote workers can print to their local network printer while connected to the VPN — a minor issue but one we ofter hear about.
Is Split Tunneling Compatible with the HITRUST Framework?
As HITRUST Assessors, we are often asked if split tunneling is allowed for remote VPN connections. HITRUST itself does have a specific requirement prohibiting split-tunnel VPNs (Domain 8 requirement – Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources). But this is not common in the Cyber Security Framework 9.2 and is only applicable to larger organizations.
So the decision to allow a split-tunnel VPN will boil down to a few things. One is there a legal or compliance requirement that must be satisfied? Two does the reward of split tunnel VPNs outweigh the risk? And third, how much do you trust the employees, contractors or vendors who may be utilizing that split-tunnel VPN? Once an organization answers these three questions they can make a determination if a split-tunnel VPN works for their organization.
By Josh Perri, Intraprise Health Information Security Consultant