My home PC connects to the Net via cable modem, and I download some ActiveX Trojan. Later, I connect to the VPN. The Trojan can easily detect this and do whatever it wants to my corporate network. When I shut down the VPN, the Trojan can send stuff back to its home on the Internet. What am I missing? Why does it matter if the harm is caused in the time it takes to traverse my network or the time between enabling and disabling the VPN? To me it seems like disabling split tunneling is another thing the security vendors can do and hype, so the consumers just do it and blindly think they are now immune.
In one sense you are absolutely correct. Your scenario could indeed happen that way. That is why any corporation that wants to allow remote access and do it securely needs to have control of the configuration of the remote computers. That means they need to supply the machines and configure them properly. The end users should not be allowed to download and install any software. When they connect to the Net, the only thing they should be able to do is start their VPN software and connect to the corporate network. If they need to browse the Internet, their browsing should go through the VPN and back out the corporate firewall.
If the corporation allows users to supply the computers and have administrative access, it doesn't matter whether the corporation disables split tunneling anyway. If you have administrative access, you can re-enable it in most cases.
So, what you are missing is that to allow secure remote access to a corporate network, the corporation must have control of the remote machines just as if they were directly connected to the corporate network. The VPN is just a long extension cord to the corporate network. If you lose control of what machines connect to the network or who can load software on those machines, then you no longer can count on your security policies to be enforced the way that you set them up.
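As an added illustration of the full-tunnel versus split-tunnel distinction drawn in the answer (this is example code, not part of the original Q&A, and it assumes a Linux host whose VPN interface is `tun0`), the following check reads routing-table lines and reports which public destinations would leave the host without passing through the tunnel:

```python
"""Route-table check: does Internet-bound traffic leave via the VPN?
Added example, not part of the original Q&A. Parses Linux `ip route show`
lines (constructed samples; "tun0" is the assumed VPN interface) and resolves
probe destinations by longest-prefix match, as the kernel does, so OpenVPN's
/1 override routes are recognised as a full tunnel."""
import ipaddress

# Constructed sample routing tables.
FULL_TUNNEL = """\
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
203.0.113.10 via 192.168.1.1 dev eth0
"""
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev eth0
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
"""
DEF1_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
203.0.113.10 via 192.168.1.1 dev eth0
"""
PROBES = ("8.8.8.8", "198.51.100.77", "1.1.1.1")  # constructed public probes

def parse_routes(text):
    """Return (network, interface) pairs from `ip route` output lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        if "/" not in dst:  # bare host route, e.g. the VPN concentrator pinhole
            dst += "/32"
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((ipaddress.ip_network(dst, strict=False), dev))
    return routes

def lookup(routes, addr):
    """Longest-prefix match (metrics ignored) for one destination address."""
    addr = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(matches, key=lambda m: m[0])[1] if matches else None

def bypasses_vpn(text, vpn_if="tun0", probes=PROBES):
    """Probes that would exit via a non-VPN interface; empty means full tunnel."""
    routes = parse_routes(text)
    return [p for p in probes if lookup(routes, p) != vpn_if]
```

Only the host route to the VPN concentrator itself (203.0.113.10 above) legitimately stays on the physical interface; any other public destination resolving to eth0 means the machine has an Internet path that bypasses the corporate firewall.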
This was first published in February 2003