We would like to deploy applications to home users through Citrix Secure Gateway or some sort of hardened SSL appliance (Neoteris, Whale Communication). Our information security group insists that we still install a VPN client on the home PCs. Our goal is to deploy no software, just allow those users access through a browser to some of our productivity applications such as e-mail, Office, etc. The reason that they insist on a VPN client is due to split tunneling. Is this really a security issue (low risk) with this type of configuration, or is there a high risk of compromising our internal network?
First, let's define split tunneling, at least as it is used in this context. Split tunneling means that the remote user can be connected to the internal corporate network and also be connected to the Internet at the same time. The tunnel is said to be "split," because there are two parts.
Typically, this is only a problem when you have a VPN installed, as there is no "tunnel" without the VPN. If all you are doing is providing a Web interface to various applications, SSL by itself is generally considered okay. However, there are other reasons why your security group would be concerned.
The issues that your security group is concerned about are:
1) The user's home PC configuration is not under the control of the corporate IT staff.
2) When connected to the Internet from home, the user is not behind the corporate firewall or any other security protection on the corporate network.
3) Any security problem that occurs on the home computer could possibly work its way into the corporate network.
As a result of these concerns, there are typically only two methods for remote access that most companies consider secure. The first is that remote users only access the corporate network using corporately-provided computers (typically laptops) that have been configured and locked down by the corporate staff. They access the corporate network via VPN, and that VPN cannot allow split tunneling. If they wish to access the Internet, they must connect to the corporate network via the VPN, and they have their connection go back out through the company firewall and/or gateway.
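The "no split tunneling" rule in the first method is only as good as the client's actual routing table, so a posture check on the corporate laptop should verify it rather than assume it. The following is an added example, not part of the original answer or of any vendor's VPN client: it parses constructed routing tables in Linux `ip route` output style, does a longest-prefix lookup the way the kernel would, and reports whether the client is full-tunnel (Internet traffic goes back out through the VPN and the company firewall), split-tunnel (only corporate prefixes go through the VPN), or not on the VPN at all. The interface name tun0, the corporate range 10.0.0.0/8 and the route lines themselves are assumptions chosen for the example.

```python
import ipaddress

# Constructed sample routing tables (Linux `ip route` style); not captured
# from any real host. tun0 is assumed to be the VPN interface and
# 10.0.0.0/8 the hypothetical corporate address space.
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""

SPLIT_TUNNEL = """\
default via 192.168.1.1 dev eth0
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""

NO_TUNNEL = """\
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""

CORP_SUBNETS = ["10.0.0.0/8"]           # assumed corporate prefixes
INTERNET_PROBE = "198.51.100.7"          # documentation range; stands in for "any Internet host"


def parse_routes(text):
    """Turn `ip route`-style lines into (network, interface) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        network = ipaddress.ip_network(dest, strict=False)  # bare host becomes a /32
        iface = fields[fields.index("dev") + 1]
        routes.append((network, iface))
    return routes


def lookup(routes, address):
    """Longest-prefix match: the interface the kernel would use for `address`."""
    addr = ipaddress.ip_address(address)
    best = None
    for network, iface in routes:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, iface)
    return best[1] if best else None


def classify_tunnel(route_text, vpn_iface="tun0", corp_subnets=CORP_SUBNETS):
    """Report full-tunnel, split-tunnel or no-tunnel for one routing table."""
    routes = parse_routes(route_text)
    # If an arbitrary Internet address would leave via the VPN interface,
    # everything is being forced back through the corporate gateway.
    if lookup(routes, INTERNET_PROBE) == vpn_iface:
        return "full-tunnel"
    # Otherwise, if any corporate prefix still goes via the VPN, the client is
    # simultaneously on the corporate network and the open Internet.
    for subnet in corp_subnets:
        probe = ipaddress.ip_network(subnet).network_address + 1
        if lookup(routes, str(probe)) == vpn_iface:
            return "split-tunnel"
    return "no-tunnel"


if __name__ == "__main__":
    for name, table in [("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL), ("none", NO_TUNNEL)]:
        print(f"{name:5s} -> {classify_tunnel(table)}")
```

The two /1 routes in the full-tunnel sample are the usual way a VPN server forces a default route without deleting the client's own, which is why the check does a real longest-prefix lookup instead of just looking for the word "default"; a posture script that only grepped for a default route via tun0 would misreport that table as split.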
The second method is to restrict access as you have described. Use SSL-enabled Web pages with authentication of your remote users. Even if all you use is username and password, at least they are protected by the SSL encryption. However, using certificates for authentication while still using SSL would be better. The reason that the Web interface is okay is that there is not a persistent connection like there would be with a VPN or telnet. It is simply a series of client requests and server responses. The SSL protects the confidentiality of the requests, and it is up to the server to ensure there aren't any holes in the interface that would cause problems.
This was first published in July 2004