Ask the Expert

The detection and prevention of split tunneling

How can I detect and prevent split tunneling on my wireless network?


There is no way to detect this, as far as I know. Perhaps you could routinely ping a known Internet address using source routing through your client, but I doubt even that would work. The key is prevention and the only way to do that is through configuration control. All remote clients must have the same configuration as any client that is directly connected, with the exception of the VPN software, of course. In all cases, users should not have administrator or root access to the client machine and should not be given the privilege of installing software or changing software configurations. Anything short of that, and you will not be able to prevent split tunneling.

Many corporations do not allow VPN access at all for the reasons that have been discussed. To access corporate resources, they will instead provide an SSL-protected Web portal for employees to access their e-mail or other resources. They still need to authenticate to the system, but the authentication is protected by the SSL encryption. This solution can provide remote employees with basic capabilities, but is not the same as what they would have directly connected.

Other solutions that are used are things like PCAnywhere, GoToMyPC and others. All of these have security problems similar to VPN, and in some cases more, as they rely on a third party being trusted. I don't recommend those solutions, either.

As always though, remember that there needs to be a balance between usability and security. Only a risk assessment can analyze those trade-offs and help you decide what level of risk is acceptable.
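
Configuration control on a managed client includes verifying that its routing table sends traffic through the tunnel. The following is an added example, not part of the original answer: it audits Linux `ip -4 route show` output for routes that still carry traffic outside the VPN. The interface name `tun0`, the gateway address and the sample routing tables are constructed assumptions.

```python
import ipaddress

def parse_routes(text):
    """Parse `ip -4 route show` output into (network, device) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields[:-1]:
            continue  # blank line, or a route with no output device
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # e.g. "unreachable ..." entries
        if net.version == 4:
            routes.append((net, fields[fields.index("dev") + 1]))
    return routes

def bypass_routes(text, tunnel_dev, vpn_gateway):
    """Return (prefix, device) routes that still carry traffic outside the tunnel."""
    routes = parse_routes(text)
    gateway = ipaddress.ip_network(vpn_gateway)  # host route the tunnel itself needs
    tunnel = [net for net, dev in routes if dev == tunnel_dev]
    findings = []
    for net, dev in routes:
        if dev == tunnel_dev or net == gateway:
            continue
        # Longest-prefix match: this route is dead only if more-specific
        # tunnel routes together cover its whole prefix.
        inner = [t for t in tunnel if t.prefixlen > net.prefixlen and t.subnet_of(net)]
        covered = ipaddress.collapse_addresses(inner)
        if not any(net.subnet_of(c) for c in covered):
            findings.append((str(net), dev))
    return findings

# Constructed samples. tun0, 203.0.113.10 and all addresses are assumptions.
LAN = """192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
default via 192.168.1.1 dev eth0 proto dhcp metric 100
"""
SPLIT_TUNNEL = LAN + "10.0.0.0/8 via 10.8.0.1 dev tun0\n"
# Full tunnel: two /1 routes via tun0 shadow the physical default route.
FULL_TUNNEL = LAN + "0.0.0.0/1 via 10.8.0.1 dev tun0\n128.0.0.0/1 via 10.8.0.1 dev tun0\n"

if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        print(name, bypass_routes(table, "tun0", "203.0.113.10"))
```

Even the full-tunnel sample reports the connected LAN route, because hosts on the local subnet remain reachable outside the tunnel unless the client configuration blocks them.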


For more information on this topic, visit these other SearchSecurity.com resources:
  • Ask the Expert: Best practices for securing remote-access solutions
  • Ask the Expert: VPNs and split tunneling
  • Ask the Expert: Disabling split tunneling for secure remote access


    This was first published in February 2003
