02-02-2014 03:52 AM - edited 03-11-2019 08:39 PM
How does split tunnelling in VPNs work?
02-02-2014 05:47 AM
Hi,
I am not sure what kind of information you are specifically looking for?
Split Tunnel VPN essentially works so that you specify the networks for which traffic is forwarded through the VPN connection. All other traffic will ignore your current VPN Client connection and go out through the local network connections.
On the VPN device the Split Tunnel VPN is configured by configuring an ACL/access-list that tells the VPN device the networks towards which traffic should be forwarded through the VPN connection. The Split Tunnel ACL is attached to the "group-policy" that the user's "tunnel-group" uses.
- Jouni
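The configuration described in the answer above, sketched for a Cisco ASA as an added example that is not part of the original post. The names SPLIT-TUNNEL-ACL, REMOTE-USERS-GP and REMOTE-USERS-TG and both networks are constructed placeholders.

```cisco
! Constructed example: names and networks are placeholders, not from the thread.
!
! 1. Standard ACL listing the networks whose traffic goes through the VPN.
access-list SPLIT-TUNNEL-ACL standard permit 10.10.0.0 255.255.0.0
access-list SPLIT-TUNNEL-ACL standard permit 192.168.50.0 255.255.255.0
!
! 2. Group policy: tunnel only the networks named in that ACL.
!    Everything else leaves through the client's local connection.
group-policy REMOTE-USERS-GP internal
group-policy REMOTE-USERS-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL-ACL
!
! 3. The tunnel group the users connect to applies that group policy.
tunnel-group REMOTE-USERS-TG type remote-access
tunnel-group REMOTE-USERS-TG general-attributes
 default-group-policy REMOTE-USERS-GP
!
! Full-tunnel alternative: all client traffic is sent through the VPN,
! so it passes the far end's firewall and IDS.
! group-policy REMOTE-USERS-GP attributes
!  split-tunnel-policy tunnelall
```

`show running-config group-policy REMOTE-USERS-GP` displays which split-tunnel policy and network list are in effect for the group.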
02-04-2014 10:07 AM
The most visible issue is where the client's default gateway goes. In a full tunnel, it moves to the far side of the tunnel. In the split tunnel, it stays local. The security risk of split tunneling is that the client is providing a bridging path for outside malicious traffic to leak across the tunnel, with no influence from the far end's firewall and IDS. The performance risk of full tunnels is that 3rd party outside traffic not terminating at the organization on the far side still has to take the tunnel, which can add latency, limit throughput, or increase packet loss. The best designs require balancing the network layout, uplink sizing, and security posture in concert.
-- Jim Leinweber, WI State Lab of Hygiene