Ask The Security Expert: Questions & Answers
VPNs and split tunneling

Expert response from: Stephen Mencik

QUESTION POSED ON: 14 February 2003

I just read your entry where you can't emphasize enough the dangers of split tunneling. Since I asked my last question on this issue, I've done a little bit more reading.

Basically, if a device ever connects to the Internet in an uncontrolled fashion, it can be compromised, and that compromise can be exploited when that machine starts up its VPN connection. The results of the exploit are sent back to the hacker when the VPN shuts down. In fact, they can probably be sent out through the corporate proxy firewall. Therefore, all VPNs are a bad idea, not just the ones with split tunneling.

Further, the VPN vendor software can have complete control over the network interfaces on the remote machine (e.g. it can shut them down to disable split tunneling). Therefore, it should be able to prevent traffic coming in from one interface from being routed down the virtual interface of the VPN. Along with the prevention of IP address spoofing for the local IP addresses, this can effectively disable the exploitation of an "active" split-tunnelled connection. I don't know if any of the software available attempts to do this, but all the information is available to it. This still doesn't solve the fact that a compromised machine is a compromised machine, and once compromised, connecting it to a corporate network is dangerous.


You raise some very valid points, but I would not go so far as saying all VPNs are a bad idea.

The preferred configuration for a remote computer connecting to the corporate network via VPN is the following:

  1. Remote computer is configured the same as directly connected computers. That is, it has all the same security settings, antivirus protection, etc.
  2. The only connections the remote computer makes to the Internet are made via the VPN tunnel to the corporate network and then back out through the corporate firewall just like a directly-connected computer.

If configured this way, the VPN is nothing more than a very long Ethernet extension cord connecting to the remote location. This is then no more and no less secure than a directly-connected computer. If the remote computer is allowed to connect to the Internet via other means, whether at the same time as the VPN tunnel or at a different time, then the concerns you mention are very real. If the security configuration of the remote computer can be changed by the remote user, as opposed to the corporate network system administrators, then you have a problem as well.

VPNs are NOT the security solution for every problem. However, they can be used to provide secure access to a corporate network in controlled situations. Like virtually every other security product, a careful analysis of the big picture is necessary to determine what the risks are and if the appropriate security measures have been taken to mitigate those risks.
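The expert's second requirement (every Internet connection leaves only through the tunnel) can be verified on a Linux client from its routing table, which also covers the questioner's point about traffic reaching the tunnel from another interface. The following is an added example, not part of the original Q&A or of any vendor's client software; the interface names tun0 and wlan0, the VPN gateway address 192.0.2.10 and the two route listings are constructed for illustration.

```python
"""Audit a VPN client's IPv4 routing table for split tunneling (added example)."""
import ipaddress

# Constructed full-tunnel sample (`ip route show` format; tun0/wlan0 and the
# gateway 192.0.2.10 are assumed): only the VPN gateway is reached over wlan0.
FULL_TUNNEL = """\
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.12
192.0.2.10 via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""

# Constructed split-tunnel sample: corporate 10.0.0.0/8 via tun0, everything
# else (default route plus an explicit 198.51.100.0/24 route) leaves via wlan0.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.12
198.51.100.0/24 via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""

def parse_routes(text):
    """Yield (network, dev, via) per `ip route` line; 'default' -> 0.0.0.0/0."""
    for f in (ln.split() for ln in text.splitlines() if ln.strip()):
        dest = "0.0.0.0/0" if f[0] == "default" else f[0]
        dev = f[f.index("dev") + 1] if "dev" in f else None
        via = f[f.index("via") + 1] if "via" in f else None
        yield ipaddress.ip_network(dest, strict=False), dev, via

def split_tunnel_findings(text, vpn_dev, vpn_gateway):
    """Return policy violations; an empty list means a full tunnel.

    Policy: the default route must use vpn_dev; on any other interface only the
    host route to the VPN gateway and connected prefixes (no 'via') may exist.
    """
    routes = list(parse_routes(text))
    gw = ipaddress.ip_address(vpn_gateway)
    findings = []
    defaults = [dev for net, dev, _ in routes if net.prefixlen == 0]
    if defaults != [vpn_dev]:
        findings.append(f"default route not via {vpn_dev}: {defaults}")
    if not any(n.num_addresses == 1 and gw in n and d != vpn_dev for n, d, _ in routes):
        findings.append(f"no explicit host route to VPN gateway {gw} outside the tunnel")
    for net, dev, via in routes:
        if dev == vpn_dev or net.prefixlen == 0 or via is None:
            continue
        if net.num_addresses == 1 and gw in net:
            continue
        findings.append(f"{net} bypasses the tunnel via {dev}")
    return findings
```

Running the check against the live table (`ip route show`) from a logon script gives the administrator, rather than the remote user, a way to confirm the configuration described above before corporate resources are made reachable.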


For more information on this topic, visit these other SearchSecurity.com resources:
  • Ask the Expert: The threat of split tunneling with PPTP
  • Ask the Expert: Split tunneling in a VPN environment
  • Ask the Expert: Evidence of the risk of split tunneling
