I am in the process of setting up our first iPhone with access to our corporate network via the AnyConnect client and our ASA. It's going pretty well, I just have a "best practice" question about split tunnelling.
This is my understanding of split tunnelling: by default, split tunnelling is disabled. This forces the VPN client to route all network/internet traffic through the VPN. However, we have the option of enabling split tunnelling and allowing the client to route some traffic through the VPN and some directly and unencrypted through the local network.
My understanding is that this is basically a trade-off between performance and security. The more secure method routes everything through the VPN. Given that the corporate network is going to have a stronger firewall than the endpoint, this is going to eliminate the chance of opening up a "backdoor" to the network through the endpoint. On the other hand, all internet traffic (including that which is not intended for the corporate network) now has to go through the corporate network first, creating delay. So, this creates a performance degradation.
This is basically my understanding of the split tunnel question: that it's basically a performance vs. security question that determines whether it should be allowed.
At any rate, these are my questions:
1) Is there something that I am missing here? Is there also a feasibility question? I usually disable split tunnelling, so I am wondering if there might be some things that don't work if I enable it.
2) Is there anything about the AnyConnect client and/or iOS that makes it more secure and therefore would make it more secure to allow split tunnelling?
3) With split tunnelling disabled, the routing is fairly straightforward. However, it seems like, once split tunnelling is enabled, the routing on the AnyConnect client becomes much more complicated. Does the ASA provide its whole routing table to the client, or just directly connected networks?
Any ideas or suggestions would be great.
1) You are spot on with the difference between split tunnel and no split tunnel. Typically when split tunnel is disabled, all traffic is being routed back to your organization's gateway. The reason why you would disable split tunnel is if you have an internal proxy server, IPS, etc. that would provide extra protection for the internet traffic routed back towards your organization's network. If you are just routing the internet traffic towards the ASA but then routing it straight back to the Internet, then there isn't much point in disabling split tunnel. Most people just enable split tunnel in this scenario.
2) AnyConnect's functionality is to encrypt traffic to and from your organization. If the host itself is infected by a virus/malware through other means, then whether you are performing split tunnel or no split tunnel, that virus/malware can still flow through the organization's network once it is either in the network or VPNed into the network.
3) With split tunnel, basically the ASA will push down the split tunnel routes towards the host, and traffic for those split tunnel routes will be encrypted and routed back towards the ASA, and everything else will route via the host's default gateway.
Hope that helps.
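As an added illustration of the two choices discussed in this thread (not configuration taken from the poster's ASA), here is how the "no split tunnel" and "split tunnel" group policies look on an ASA, and what actually gets pushed to the AnyConnect client in answer to question 3. The policy, ACL and tunnel-group names and the 10.0.0.0/8 and 192.168.100.0/24 prefixes are assumed placeholders.

```cisco
! Added example, not from the original post. Names and prefixes are
! placeholders; replace them with your own.

! Networks that should be reached through the tunnel. Only the routes
! in this list are pushed to the AnyConnect client, not the ASA's full
! routing table. Keep it to the internal prefixes the users need.
access-list SPLIT_TUNNEL_ACL standard permit 10.0.0.0 255.0.0.0
access-list SPLIT_TUNNEL_ACL standard permit 192.168.100.0 255.255.255.0

! Policy 1: split tunnelling disabled (the default behaviour).
! Everything, including internet traffic, is sent through the VPN to
! the ASA, so internal proxy/IPS inspection applies to all of it.
group-policy GP_FULL_TUNNEL internal
group-policy GP_FULL_TUNNEL attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall

! Policy 2: split tunnelling enabled. Traffic to the networks in
! SPLIT_TUNNEL_ACL is encrypted and sent to the ASA; all other traffic
! leaves via the host's local default gateway, unencrypted and
! outside the corporate firewall's view.
group-policy GP_SPLIT_TUNNEL internal
group-policy GP_SPLIT_TUNNEL attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_ACL

! Bind whichever policy is wanted to the tunnel group the iPhone
! connects to.
tunnel-group ANYCONNECT_TG type remote-access
tunnel-group ANYCONNECT_TG general-attributes
 default-group-policy GP_SPLIT_TUNNEL
```

After a client connects, `show vpn-sessiondb anyconnect` on the ASA shows which group policy was applied, and the AnyConnect client's route details list exactly the "secured routes" that came from the ACL. If an internal destination is not in that list, it will go out the local gateway rather than the tunnel, which is the usual cause of "it stopped working when I enabled split tunnelling."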