This is a question on which responses have so many varying opinions, and I suppose it's something I could debate for and debate against. The reason why I am interested is because in my current environment I use both, depending on the end user group or bandwidth reasons. At the moment, I am more in favour of Split Tunneling - am I opening up a security risk? Well, that's debatable as well, as full tunnel doesn't necessarily mean the far side will be risk free. So I am seriously considering changing our VPN policy to split tunnels for employees and here are my reasons why:
The Advantages
- Get a lot of my bandwidth back as the only vpn traffic will be a file server and some other light network resources.
- Separation of Corporate data and personal internet/local Lan so better experience for end users.
- Better speeds for end users as VPN traffic is capped. Personal LAN/Internet uses end users' own bandwidth.
- Small workload on corporate VPN gateway.
Concerns (Debatable)
- Security risk as some traffic is not going through the secure gateway and viruses/malware picked up at the end user's end could traverse the VPN tunnel. But this isn't entirely accurate, as the local traffic could only traverse the VPN tunnel if the networks were bridged, which we already lock down through group policy. Nothing goes through our gateway without being checked for viruses/malware and also TippingPoint IPS. Additionally, the internet isn't the only medium that can bring these infections - they can come from USB, disks etc.
Split Tunneling Requirements
So if I were to implement split tunneling for all users, the only requirements I see to make the connection as secure as full tunnel are:
- AV, IPS at the far end of the vpn before entering the network
- End user PCs manageable as far as AV/client firewall is concerned
- O/S patching manageable and kept up to date per Patching policy.
- 2FA (As we do with Full Tunnel)
Would love to hear your thoughts on this. Basically I want to give users a better experience without bringing a security risk into the mix. With the above in mind, I cannot see any reason why not, but you may have some advice that will make me think otherwise. Thank you!
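The "networks bridged" concern and the question of whether a client is actually in split- or full-tunnel mode both come down to the client's routing table. The following is an added example, not part of the original post or any vendor's tooling: a small Python audit that reads a Linux `ip route` style listing (three constructed samples are embedded), decides whether the VPN interface carries all traffic (full tunnel, typically via the `0.0.0.0/1` + `128.0.0.0/1` trick) or only corporate prefixes (split tunnel), and flags the classic split-tunnel failure where a home LAN prefix overlaps the corporate range so the more specific local route shadows VPN-bound traffic. The VPN device name `tun0` and the corporate prefix `10.0.0.0/8` are assumptions for the example.

```python
import ipaddress

# Constructed sample routing tables in Linux `ip route` format (not from the post).
SPLIT_ROUTES = """\
default via 192.168.1.1 dev wlan0
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

FULL_ROUTES = """\
default via 192.168.1.1 dev wlan0
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

# Home LAN that collides with corporate address space: the /24 on wlan0 is more
# specific than the /8 via tun0, so 10.0.0.x corporate hosts never reach the VPN.
OVERLAP_ROUTES = """\
default via 10.0.0.1 dev wlan0
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
10.0.0.0/24 dev wlan0 proto kernel scope link src 10.0.0.42
"""

# Assumed corporate ranges that must only be reachable through the tunnel.
CORPORATE_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]


def parse_routes(text):
    """Return a list of (destination network, egress device) from `ip route` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((ipaddress.ip_network(dst), dev))
    return routes


def egress_device(routes, address):
    """Longest-prefix match: which interface a packet to `address` would leave on."""
    addr = ipaddress.ip_address(address)
    best = max((r for r in routes if addr in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None


def tunnel_mode(routes, vpn_dev="tun0"):
    """'full' if the VPN routes cover all of IPv4, 'split' if only some prefixes, else 'none'."""
    vpn_nets = [net for net, dev in routes if dev == vpn_dev]
    if not vpn_nets:
        return "none"
    covered = list(ipaddress.collapse_addresses(vpn_nets))
    return "full" if covered == [ipaddress.ip_network("0.0.0.0/0")] else "split"


def audit(routes, corporate_prefixes, vpn_dev="tun0"):
    """Check that every corporate prefix rides the VPN and is not shadowed by a local route."""
    vpn_nets = [net for net, dev in routes if dev == vpn_dev]
    findings = []
    for corp in corporate_prefixes:
        if not any(corp.subnet_of(net) for net in vpn_nets):
            findings.append(f"{corp} is not routed via {vpn_dev}")
        for net, dev in routes:
            # Skip the default route and the VPN's own routes; any other overlap
            # means a local (e.g. home LAN) route captures corporate-bound traffic.
            if dev != vpn_dev and net.prefixlen > 0 and net.overlaps(corp):
                findings.append(f"local route {net} on {dev} shadows corporate {corp}")
    return {"mode": tunnel_mode(routes, vpn_dev), "findings": findings}


if __name__ == "__main__":
    for name, table in (("split", SPLIT_ROUTES), ("full", FULL_ROUTES), ("overlap", OVERLAP_ROUTES)):
        print(name, audit(parse_routes(table), CORPORATE_PREFIXES))
```

In the overlapping case the audit reports the home LAN route shadowing the corporate /8, which is the situation a split-tunnel policy needs a client-side check (or a corporate address plan that avoids common home ranges) to catch; the same function run on the full-tunnel table reports no findings.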