Problem solve Get help with specific problems with your technologies, process and projects.

Split tunneling in a VPN environment & the security of 3DES encryption

What are the security pros/cons of using split tunneling in a virtual private network (VPN) environment? Is there a particular tunneling protocol (IPSEC, L2TP, etc.) that provides better security than others? How secure is 3DES encryption with today's technology? Does the government use it?

Split tunneling is when a VPN client can connect to both secure sites(via VPN) and non-secure sites, without having to connect or disconnect your VPN connection. The client can determine whether to send the information over the encrypted path, or to send it via the non-encrypted path. The pro for split tunneling is ease of use. The main con is that you now could have a direct connection from the non-secure Internet to your VPN-secured network, via the client. This is a classic case of usability vs. security, and whether split tunneling is an acceptable risk is something that would need to be decided on a case-by-case basis.

It is not just the protocol that determines the security. The choice of the underlying cryptographic algorithm, the key management scheme and user authentication, all play important parts in determining the security of the application. Both IPSEC and L2TP can be implemented securely.

The security of 3DES encryption with today's technology depends on the sensitivity of the information you are trying to protect. Clearly as technology progresses, encryption algorithms need to be stronger. That is one reason why the National Institute of Standards and Technology (NIST) is in the process of creating the new Advanced Encryption Standard (AES). The Rijndael algorithm was selected for the AES, and a draft FIPS standard is now in its public comment phase.

Yes, the government does use 3DES. For many U.S. Government applications, 3DES is not only the algorithm of choice, it is mandated by agency regulations. It is used for data that is Sensitive But Unclassified (SBU). I don't know of any cases where it is used for classified data, but if 3DES is used for classified data, I'm probably not supposed to know. :)

This was last published in April 2001

Dig Deeper on VPN security