Hi,
In the case when connecting to a corporate network with a work laptop for example I would go with Full Tunnel / Tunnel All instead of Split tunneling.
When you use Full Tunnel / Tunnel All
- You can possibly take advantage of all the protection the corporate network provides before you connections even enter the public network.
- I'd personally avoid using a work laptop outside corporate network unless there is a way to tunnel all traffic through the central site.
- You can control all the traffic coming from the user to anywhere in the network depending on how the network is set up
With Split Tunneling you will still have the ability to control the traffic thats entering the corporate network through the VPN but some (or maybe even most) of the traffic will totally pass all the security you might have in place normally for the user when he/she is directly connected to the corporate network.
Naturally in addition to whatever VPN implementation you go with you should take care of the security of the actual computer since without it the other parts of the security might be made useless.
Also can't forget the fact that the user has to be able to use the computer in a way that he/she doesnt make it possible for the computer to get infected by some action of his/her own. I'd imagine wether you are using Full Tunnel or Split tunnel, if the security of the actual computer and "know how" of the user aren't on a high enough level, you could still end up with the same negative result.
Though I have no doubt that in most cases the deciding factor (for a customer) when deciding between Split Tunnel and Full Tunnel is which is more convinient to the user. Sometimes you just need to exempt some of the traffic from the tunnel. And I have no doubt also that at some point those same computers wont be protected by any form of firewall.
- Jouni
