Split tunneling in a VPN environment & the security of 3DES encryption

Split tunneling in a VPN environment & the security of 3DES encryption

What are the security pros/cons of using split tunneling in a virtual private network (VPN) environment? Is there a particular tunneling protocol (IPSEC, L2TP, etc.) that provides better security than others? How secure is 3DES encryption with today's technology? Does the government use it?


    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

Split tunneling is when a VPN client can connect to both secure sites(via VPN) and non-secure sites, without having to connect or disconnect your VPN connection. The client can determine whether to send the information over the encrypted path, or to send it via the non-encrypted path. The pro for split tunneling is ease of use. The main con is that you now could have a direct connection from the non-secure Internet to your VPN-secured network, via the client. This is a classic case of usability vs. security, and whether split tunneling is an acceptable risk is something that would need to be decided on a case-by-case basis.

It is not just the protocol that determines the security. The choice of the underlying cryptographic algorithm, the key management scheme and user authentication, all play important parts in determining the security of the application. Both IPSEC and L2TP can be implemented securely.

The security of 3DES encryption with today's technology depends on the sensitivity of the information you are trying to protect. Clearly as technology progresses, encryption algorithms need to be stronger. That is one reason why the National Institute of Standards and Technology (NIST) is in the process of creating the new Advanced Encryption Standard (AES). The Rijndael algorithm was selected for the AES, and a draft FIPS standard is now in its public comment phase.

Yes, the government does use 3DES. For many U.S. Government applications, 3DES is not only the algorithm of choice, it is mandated by agency regulations. It is used for data that is Sensitive But Unclassified (SBU). I don't know of any cases where it is used for classified data, but if 3DES is used for classified data, I'm probably not supposed to know. :)


This was first published in April 2001