VPN full v split tunnel

Garan T asked
49 Views
Last Modified: 2020-11-06
Hi Guys,

We were just in the process of rolling out split tunnel for all our Meraki client VPN users when my boss stopped us in our tracks based upon security concerns around split tunnels.
The reason for split tunnels is that Zoom and other cloud telephony traffic going down the VPN from people's homes is not only pointless but bandwidth consuming, and the average user is getting around 2-3Mbps (a 500Mbps leased line divided by 300 remote users).
A split tunnel works great and we have the Cisco Umbrella roaming client and Symantec as endpoint protection, but the flip argument is that you have an open connection to the corporate network when using split tunnel?
On our split tunnel we have about 10 static routes to capture and send all LAN traffic down the VPN but everything else out locally.
What if we reversed this and did a full tunnel but could do a local static route to send only Zoom or video traffic out locally? How could we do that? Is it possible?

What are people's thoughts on split tunnel?
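An added example (not from the original question or any of the answers) showing how the "reverse" of the static-route approach can be done on a Windows client: keep the Meraki full tunnel and route only a listed set of prefixes via the home gateway. It assumes the Meraki client VPN uses the Windows built-in L2TP/IPsec client, and the prefix list is a placeholder to be replaced with the vendor's published ranges.

```powershell
# Added example, not from the question or any of the answers.
# Goal: keep the Meraki client VPN (Windows built-in L2TP/IPsec with "Use default
# gateway on remote network" enabled = full tunnel) and send ONLY a named set of media
# prefixes out the home connection, by adding more-specific routes via the local gateway.
# Longest-prefix match means these routes win over the VPN's 0.0.0.0/0, while everything
# else still goes through corporate inspection (Umbrella, proxy, IPS).
# Run elevated, AFTER the VPN is up, because connecting the VPN rewrites the default route.

# Placeholder prefixes (TEST-NET ranges), NOT real Zoom addresses: replace with the
# vendor's published IP list and re-check it whenever the vendor updates that list.
$BypassPrefixes = @(
    '198.51.100.0/24',
    '203.0.113.0/24'
)

# The local (home) default route is the IPv4 0.0.0.0/0 entry that sits on a physical
# adapter, not on the VPN's virtual interface.
$physicalIfIndexes = (Get-NetAdapter -Physical | Where-Object Status -eq 'Up').ifIndex
$localDefault = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
    Where-Object { $_.InterfaceIndex -in $physicalIfIndexes } |
    Sort-Object RouteMetric | Select-Object -First 1
if (-not $localDefault) {
    throw 'No local default route found on a physical adapter; is the home network up?'
}

foreach ($prefix in $BypassPrefixes) {
    # Replace any stale entry for this prefix (e.g. left over from a previous session).
    Get-NetRoute -DestinationPrefix $prefix -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false
    # ActiveStore: the route lives only until reboot, so a changed home gateway cannot
    # leave a dangling route behind next time.
    New-NetRoute -DestinationPrefix $prefix `
        -InterfaceIndex $localDefault.InterfaceIndex `
        -NextHop $localDefault.NextHop `
        -RouteMetric 1 -PolicyStore ActiveStore | Out-Null
}

# Verify the decision the stack will actually make: a bypassed address (constructed,
# inside the placeholder range) should leave via the physical adapter, an arbitrary
# address (constructed, TEST-NET-1) should still leave via the VPN interface.
$testAddresses = @('198.51.100.10', '192.0.2.10')
foreach ($addr in $testAddresses) {
    # Find-NetRoute emits the source address object and the route; keep only the route.
    $route = Find-NetRoute -RemoteIPAddress $addr | Where-Object { $_.DestinationPrefix }
    '{0,-16} -> ifIndex {1} via {2}' -f $addr, $route.InterfaceIndex, $route.NextHop
}
```

On macOS or Linux clients the same prefix list would be added with the platform's route command instead; the principle (more-specific route via the local gateway) is identical.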
Qlemo, "Batchelor", Developer and EE Topic Advisor
CERTIFIED EXPERT
Top Expert 2015

Commented:
"you have an open connection to the corporate network when using split tunnel"
You'll have that in both cases. The difference is that with split tunneling you do not have control over Internet traffic, and (depending on the client) access to local devices (NAS, other PCs, printers, ...) might be affected too.
If the protection in your office isn't more advanced than what is used on the client, there is IMHO no reason not to use split tunneling.
Solutions Architect
CERTIFIED EXPERT
Top Expert 2016
Commented:
Elie Matar, Network and Security Engineer
CERTIFIED EXPERT

Commented:
Hello,

Let's start from the security side: full tunnel is for sure safer since the user is using the company network to access the internet, which is similar to a user working inside the company, therefore all the policies created in the company will be applied while he accesses the internet.
In this case the user will be protected by the company security devices (firewall, AV, IPS, email filter, proxy...). However when you configure split tunnel you will be using your home internet connection. In this case you're bypassing all your company security protection. For example if the user accesses a bad website, or downloads bad software, this can compromise your network and you can face security issues.
Split tunneling is great to minimize your company internet consumption, however it adds security risk.

In your case for sure I suggest going to full tunnel (all your traffic will be encrypted), and creating packet shaping rules if you have a packet shaper, proxy... and assigning the required bandwidth to each user; in that case you can control your internet consumption and have better security.

Regards,
CERTIFIED EXPERT

Commented:
Full tunnel is not necessarily safer.  It's for control.

If you set up your remote worker systems correctly, with proper antivirus and firewalls, etc...,  you can do split tunneling just fine.
There's software, such as Cisco Umbrella, to control what your users can reach, even if they're at remote locations.  Forcing a full tunnel is a bit stupid and slows down their internet access, by requiring extra hops through your company's network and clogging up the network with every user's network traffic.

"...going to full tunnel (all your traffic will be encrypted)"

It's only encrypted between the user and the corporate VPN. If they somehow visit an existing unencrypted http site, it's still coming out of the company network as unencrypted. A full tunnel is not a security panacea. Make the users' systems secure and you can still do split tunnel. You're not necessarily making the user more secure with a full tunnel, unless you're controlling the traffic and access. You don't need a full tunnel to control that traffic.


Garan T, Helpdesk Operative

Author

Commented:
Thanks all,

Some good contributions and advice.
Awarding to Jian because this link is just what I've been looking for:

Reference:
https://docs.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-vpn-implement-split-tunnel?view=o365-worldwide#common-vpn-scenarios
