Solved

VPN Question Split Tunnel vs Single Tunnel

Posted on 2010-08-13
6
923 Views
Last Modified: 2012-05-10
Hello,

Can someone list for me the Pros and Cons of having a clients VPN connection route all traffic through the company's connection, vs doing split tunneling and only using the companies gateway only for company subnets, and your own for other traffic.

Thanks
0
Comment
Question by:Methodman85
6 Comments
 
LVL 90

Expert Comment

by:John Hurst
ID: 33434266
If people have to go through your VPN to get to the Internet, it will be quite slow (having had to do this myself). Split tunnel connection allows your remote clients to use Internet as they need to without hindering you, and thereby leaving tunnel resources for company only work.

VPN (any kind) through DSL connections (very normal circumstance) is slow because the VPN traffic is working both ways and therby affected by the slow upload speed.

I only use, recommend and employ split tunnel VPN. ... Thinkpads_User
0
 
LVL 1

Author Comment

by:Methodman85
ID: 33434343
What about the fact that split tunnel lets users be on the company's network, yet not adhere to any of their web browsing policy's. They can be accessing dangerous sites while connected to the network. Also, if they're site to site access permitted by another company. The user would only be able to access the partner company's site while they're in the office.

For instance, a partner allowed our external corporate IP address to traverse their network. If a user takes their laptop home, and needs to connect to the partners network, this isn't possible with split horizon since the connection to the partner will be going out through the users ISP's IP which isn't allowed to establish a connection.
0
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 166 total points
ID: 33434365
No solution is perfect, however, responsible workers generally do not cause too much issue with access to the internet. I deal with lots of clients each day.

I don't really understand your second point. I operate with numerous clients, numerous tunnels and numerous locations and do not usually get stuck. However for your particular situation, a non-split tunnel VPN might work.

You seem to want to use non-split tunnel VPN, and so do go ahead with that. I think ultimately you will find it too slow to be practical, but only you can assess that. Also, only you can assess your users.
... Thinkpads_User
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 14

Assisted Solution

by:anoopkmr
anoopkmr earned 167 total points
ID: 33435447
below link will give u some points

http://en.wikipedia.org/wiki/Split_tunneling
0
 
LVL 68

Accepted Solution

by:
Qlemo earned 167 total points
ID: 33436192
I agree to what thinkpads_user said. There is a single question only you have to ask: Do you need full control over Internet actions while connected? If so, there is no discussion - no split tunneling.

IMHO, the "full control while browsing" aspect is overemphasized by many admins. The connecting VPN machine still needs to have all security means enabled before using the VPN, else it can be infected already with malware, and it does not matter if the malicious sites are browsed while VPN-connected or not.
Having full control over the protection of the VPN client (AV aso.) is worth much more, and is not related to split-tunneling, which involves extreme lags and speed issues while browsing the Internet.
0
 
LVL 1

Author Closing Comment

by:Methodman85
ID: 33436483
Thanks for your input guys.
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Suggested Solutions

Do you have an old router lying around the house that you don’t know what to do with? Check the make and model, then refer to either of these links to see if its compatible. http://www.dd-wrt.com/site/support/router-database http://www.dd-wrt.c…
I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now