Whenever a company wants to set up a VPN for its remote users, one of the major decision points that always comes up is whether or not to support split tunneling. Let’s define split tunneling and some related terms.
In the context of a VPN connection, split tunneling refers to the practice of routing only some traffic over the VPN while letting all other traffic go directly to the Internet. Usually, what is routed over the VPN is traffic destined for internal resources, while web surfing, email, etc. go directly to the Internet. The VPN client is configured to route the interesting traffic through the tunnel and to use the default gateway of the physical network interface for everything else.
Inverse split tunneling
In inverse split tunneling, once the VPN connection is established, all traffic is routed through the VPN except specific traffic that is routed to the default gateway. This interesting traffic can be defined by IP address, or specific protocols can be defined higher up in the stack.
The traffic that should be routed through the VPN (or, with inverse split tunneling, the traffic that should not be) is called interesting traffic. It is usually defined by IP address or address range and can include many network addresses. In some VPN solutions it can also be defined by port at layer 4, or by application protocol at layer 7.
There are three different parties involved in this decision, but only two of them get a vote.
The security team will usually want all traffic tunneled, so that they can both protect and inspect everything a user is doing.
The network team will want to tunnel only the traffic that is destined for internal resources, in order to preserve the bandwidth on the Internet connection and reduce the load on the VPN concentrator.
The users want the best experience possible, and don’t want anyone snooping on their web browsing habits. As you’d expect, they are the ones that don’t get a vote.
Which way should you go? As with all questions in IT, the answer is of course “it depends.”
If you split tunnel, you reduce the overall bandwidth impact on your Internet circuit. Only the traffic that needs to come over the VPN will, so anything a user is doing that is not “work related” will not consume bandwidth. In addition, anything external to your network that is latency sensitive will not suffer the additional latency introduced by tunneling everything over the VPN to the corporate network and back out to the Internet, with the return traffic taking the reverse path. Users get the best experience in terms of network performance, and the company consumes the least bandwidth.
If security is supposed to monitor all network traffic, or perhaps merely protect users from malware and other Internet threats by filtering traffic, users who are split tunneling will not get this protection and security will be unable to monitor traffic for threats or inappropriate activity. Users on open networks such as hotel wireless or hotspots will also be transmitting much of their traffic in the clear. Traffic to websites that use HTTPS will still be protected, but other traffic will be vulnerable to snooping.
My recommendation is that if you have the bandwidth, don’t split tunnel Internet traffic. That way, your remote users’ web browsing will be protected by the encryption of the VPN even when they are on an open Wi-Fi network, such as at a hotel or coffee shop. I’d rather they deal with a little additional latency in exchange for better security. That said, real-time streams like IP audio and video will suffer. If your VPN solution lets you define both traffic to tunnel and traffic not to tunnel, or can use inverse split tunneling, let your audio and video go direct if the server is not on your internal network. It should already be encrypted, and with those applications a little additional latency could make the difference between functional and broken.
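To make the three policies above concrete, here is an added example (not from the original article or any VPN vendor) that simulates the client-side routing decision for a few constructed flows. The internal prefixes, media ports and destination addresses are hypothetical; it returns where each flow is sent under full, split and inverse split tunneling, and which flows a hotspot could snoop because they go direct without their own encryption (HTTPS and the real-time apps are assumed to be encrypted already, as the article states).

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    dst: str      # destination IPv4 address
    proto: str    # "tcp" or "udp"
    port: int     # destination port (layer 4)

# Constructed policy (hypothetical values, not from the article):
# internal prefixes are the interesting traffic for a split tunnel, and the
# real-time media ports are the exceptions for an inverse split tunnel.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.50.0/24")]
REALTIME_EXCEPTIONS = {("udp", 3478), ("udp", 5004)}        # STUN / RTP-style media
ALREADY_ENCRYPTED = {("tcp", 443)} | REALTIME_EXCEPTIONS    # HTTPS and media apps

def is_internal(flow: Flow) -> bool:
    addr = ipaddress.ip_address(flow.dst)
    return any(addr in net for net in INTERNAL_NETS)

def next_hop(flow: Flow, mode: str) -> str:
    """Return 'tunnel' (over the VPN) or 'direct' (physical interface's default gateway)."""
    if mode == "full":                       # everything over the VPN
        return "tunnel"
    if mode == "split":                      # only interesting (internal) traffic tunneled
        return "tunnel" if is_internal(flow) else "direct"
    if mode == "inverse":                    # everything tunneled except the exceptions
        if is_internal(flow):
            return "tunnel"
        return "direct" if (flow.proto, flow.port) in REALTIME_EXCEPTIONS else "tunnel"
    raise ValueError(f"unknown mode {mode!r}")

def exposed_on_open_wifi(flows, mode: str) -> list:
    """Flows a hotspot could snoop: sent direct and not protected by their own encryption."""
    return [f for f in flows
            if next_hop(f, mode) == "direct"
            and (f.proto, f.port) not in ALREADY_ENCRYPTED]

# Constructed sample traffic from a remote laptop.
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "tcp", 445),        # internal file server
    Flow("203.0.113.10", "tcp", 443),    # public HTTPS site
    Flow("203.0.113.20", "tcp", 80),     # public plain-HTTP site
    Flow("198.51.100.5", "udp", 5004),   # external video-conference media
]

if __name__ == "__main__":
    for mode in ("full", "split", "inverse"):
        print(mode, [(f.dst, next_hop(f, mode)) for f in SAMPLE_FLOWS],
              "exposed:", [f.dst for f in exposed_on_open_wifi(SAMPLE_FLOWS, mode)])
```

Only plain HTTP to an external site ends up exposed, and only under split tunneling; the inverse policy sends the external media direct while keeping everything else inside the VPN.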
Split tunneling is not just a security concern. A company with a large remote workforce can consume significant amounts of bandwidth if they do not split tunnel. Weigh the security implications against both performance and costs, and make the best decision for your company. Don’t be afraid to revisit that decision down the road if situations change or performance warrants it.