Ask the Expert

Disabling split tunneling for secure remote access

My company is about to disable split tunneling for our VPN on the grounds of security. However, consider the following...

My home PC connects to the Net via cable modem, and I download some Active X Trojan. Later, I connect to the VPN. The Trojan can easily detect this and do whatever it wants to my corporate network. When I shut down the VPN, the Trojan can send stuff back to its home on the Internet. What am I missing? Why does it matter if the harm is caused in the time it takes to traverse my network or the time between enabling and disabling the VPN? To me it seems like disabling split tunneling is another thing the security vendors can do and hype, so the consumers just do it and blindly think they are now immune.



In one sense you are absolutely correct. Your scenario could indeed happen that way. That is why any corporation that wants to allow remote access and do it securely needs to have control of the configuration of the remote computers. That means they need to supply the machines and configure them properly. The end users should not be allowed to download and install any software. When they connect to the Net, the only thing they should be able to do is start their VPN software and connect to the corporate network. If they need to browse the Internet, their browsing should go through the VPN and back out the corporate firewall.

If the corporation allows users to supply the computers and have administrative access, it doesn't matter whether the corporation disables split tunneling anyway. If you have administrative access, you can re-enable it in most cases.

So, what you are missing is that to allow secure remote access to a corporate network, the corporation must have control of the remote machines just as if they were directly connected to the corporate network. The VPN is just a long extension cord to the corporate network. If you lose control of what machines connect to the network or who can load software on those machines, then you no longer can count on your security policies to be enforced the way that you set them up.
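As an added example that is not part of the original answer: a small posture check, of the kind an endpoint-compliance agent could run before granting access, that parses a Linux `ip route` table (constructed sample data below) and reports whether Internet-bound traffic bypasses the VPN interface. It handles the common full-tunnel layout in which two /1 routes override an untouched default route, and assumes the tunnel interface is named tun0.

```python
import ipaddress
import re

# Constructed sample routing tables in `ip route` format, for illustration only.
# Split tunnel: only the corporate 10/8 range is sent through tun0.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev eth0 proto dhcp
10.0.0.0/8 via 10.8.0.5 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
"""

# Full tunnel: 0.0.0.0/1 and 128.0.0.0/1 are more specific than the default
# route, so everything goes via tun0 except the host route to the VPN server.
FULL_TUNNEL = """\
default via 192.168.1.1 dev eth0 proto dhcp
0.0.0.0/1 via 10.8.0.5 dev tun0
128.0.0.0/1 via 10.8.0.5 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
203.0.113.7 via 192.168.1.1 dev eth0
"""

ROUTE_RE = re.compile(r"^(?P<dst>default|\S+)\s.*?\bdev\s+(?P<dev>\S+)")


def parse_routes(table):
    """Return (network, interface) pairs parsed from `ip route` output."""
    routes = []
    for line in table.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = "0.0.0.0/0" if m.group("dst") == "default" else m.group("dst")
        routes.append((ipaddress.ip_network(dst, strict=False), m.group("dev")))
    return routes


def egress_interface(routes, address):
    """Longest-prefix match: which interface carries traffic to `address`?"""
    addr = ipaddress.ip_address(address)
    candidates = [(net, dev) for net, dev in routes if addr in net]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)[1]


def is_split_tunneled(table, vpn_iface="tun0", probe="198.51.100.10"):
    """True if traffic to an arbitrary Internet host (the probe) bypasses the VPN."""
    return egress_interface(parse_routes(table), probe) != vpn_iface
```

The check deliberately probes a public address rather than the VPN server itself, since a host route that keeps the tunnel endpoint reachable outside the tunnel is expected even in a full-tunnel setup.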


For more information on this topic, visit these other SearchSecurity.com resources:
  • Ask the Expert: VPNs and split tunneling
  • Ask the Expert: Split tunneling in a VPN environment
  • Ask the Expert: Evidence of the risk of split tunneling


    This was first published in February 2003
