Split tunneling
Split tunneling is a computer networking concept which allows a VPN user to access a public network (e.g., the Internet) and a local LAN or WAN at the same time, using the same physical network connection. In practice this means that only part of the host's traffic is routed through the VPN tunnel while the rest leaves directly through the local network. This connection service is usually facilitated through a program such as a VPN client software application.
For example, suppose a user runs a remote access VPN software client that connects to a corporate network over a hotel wireless network. With split tunneling enabled, the user is able to connect to file servers, database servers, mail servers and other servers on the corporate network through the VPN connection. When the user connects to Internet resources (Web sites, FTP sites, etc.), the connection request goes directly out the gateway provided by the hotel network.
Advantages
One advantage of using split tunneling is that it alleviates bottlenecks and conserves bandwidth, as Internet traffic does not have to pass through the VPN server. Another advantage is in the case where a user works at a supplier or partner site and needs access to network resources on both networks throughout the day. Split tunneling prevents the user from having to continually connect and disconnect.
Disadvantages
A disadvantage of this method is that it weakens the security of the VPN: the endpoint is connected to the corporate network and to the public, untrusted network at the same time, so anything that compromises the endpoint from the public side (or malware already running on it) gains a path into the corporate network through the tunnel. When split tunneling is enabled, users also bypass gateway-level security that might be in place within the company infrastructure. For example, web or content filtering is usually enforced at the gateway, not on the client PC, so traffic that leaves directly through the local gateway is never filtered, inspected or logged by it.
ISPs that implement DNS hijacking break name resolution of private addresses with a split tunnel. If the client keeps using the resolver handed out by the local network (the hotel's, and therefore the ISP's), lookups for internal hostnames are answered by that resolver; an ISP that hijacks DNS substitutes its own address for names it cannot resolve, so an internal name resolves to a public address that is routed straight out the local gateway instead of to the host's private address behind the tunnel. The usual remedy is split DNS: queries for the corporate domains are sent to the internal resolver through the tunnel, and everything else goes to the local resolver.
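As an added illustration of the DNS problem above (example code written for this page, not taken from the original article): a small Python model of name resolution under a plain split tunnel versus split DNS, with a hijacking and an honest local resolver. The hostnames, the corp.example suffix, the 10.x addresses and the ISP "search portal" address are all constructed for the example.

```python
import ipaddress
from typing import Callable, Optional

# Constructed sample data for the example. The names, addresses and the
# corporate suffix are assumptions, not taken from the article.
INTERNAL_SUFFIXES = ("corp.example",)
CORP_PREFIX = ipaddress.ip_network("10.0.0.0/8")   # prefix routed into the tunnel

INTERNAL_ZONE = {            # only the corporate resolver knows these names
    "fileserver.corp.example": "10.20.30.40",
    "mail.corp.example": "10.20.30.25",
}
PUBLIC_ZONE = {              # what public DNS knows
    "www.example.com": "93.184.216.34",
}
ISP_SEARCH_PORTAL = "203.0.113.53"   # address a hijacking ISP substitutes for NXDOMAIN

Resolver = Callable[[str], Optional[str]]


def internal_resolver(name: str) -> Optional[str]:
    """Corporate resolver, reachable only through the tunnel."""
    return INTERNAL_ZONE.get(name)


def isp_resolver_honest(name: str) -> Optional[str]:
    """Local-network resolver that returns NXDOMAIN (None) for unknown names."""
    return PUBLIC_ZONE.get(name)


def isp_resolver_hijacking(name: str) -> Optional[str]:
    """Local-network resolver that replaces every NXDOMAIN with the ISP portal."""
    return PUBLIC_ZONE.get(name, ISP_SEARCH_PORTAL)


def is_internal_name(name: str) -> bool:
    """True if the name falls under one of the corporate DNS suffixes."""
    return any(name == s or name.endswith("." + s) for s in INTERNAL_SUFFIXES)


def resolve_plain_split(name: str, local: Resolver = isp_resolver_hijacking) -> Optional[str]:
    """Plain split tunnel with no DNS policy: every query, whatever the name,
    goes to the resolver handed out by the local network."""
    return local(name)


def resolve_split_dns(name: str, local: Resolver = isp_resolver_hijacking) -> Optional[str]:
    """Split DNS: names under the corporate suffixes go to the internal
    resolver through the tunnel; everything else goes to the local resolver."""
    if is_internal_name(name):
        return internal_resolver(name)
    return local(name)


def reaches_corp(answer: Optional[str]) -> bool:
    """Would a connection to this answer be routed into the tunnel at all?"""
    return answer is not None and ipaddress.ip_address(answer) in CORP_PREFIX


if __name__ == "__main__":
    for name in ("fileserver.corp.example", "www.example.com"):
        for label, fn in (("plain split", resolve_plain_split), ("split DNS", resolve_split_dns)):
            ans = fn(name)
            print(f"{label:12} {name:26} -> {ans}  reaches corp: {reaches_corp(ans)}")
```

With the hijacking resolver, the plain split tunnel "successfully" resolves fileserver.corp.example to the ISP portal address, so the client silently connects to the wrong host over the hotel gateway; with an honest resolver the same lookup simply fails with NXDOMAIN. Either way, only steering the corporate domains to the internal resolver makes the lookup land in the prefix that the tunnel carries.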
Trust Issues
There are many variants of split tunneling that attempt to address this fundamental trust issue. Often when plain split tunneling is enabled, datagrams by default go out the local network interface's default gateway; only datagrams destined for IP networks behind the VPN terminator go through the tunnel. In other words the policy is default-permit: everything is allowed to leave directly unless a route explicitly sends it into the tunnel. This violates the principle of least privilege, under which the endpoint would reach only the networks the policy explicitly grants.
Inverse split tunneling
A variant of this split tunneling is called "inverse" split tunneling. By default all datagrams enter the tunnel except those whose destination IPs are explicitly allowed by the VPN gateway. The criteria for allowing datagrams to exit the local network interface (outside the tunnel) vary from vendor to vendor (e.g. by port, service, etc.). This keeps control of the network gateways with a centralized policy device such as the VPN terminator. It can be augmented by endpoint policy enforcement technologies such as an interface firewall in the endpoint device's network interface driver, a Group Policy object or an anti-malware agent. This is related in many ways to network access control (NAC).
IPv6 dual-stack networking
Internal IPv6 content can be hosted and presented to sites via a unique local address range (an IPv6 prefix from fc00::/7, defined in RFC 4193, the counterpart of IPv4 private addresses) at the VPN level, while external IPv4 and IPv6 content can be accessed via site routers. On a dual-stack host the tunnel policy has to cover both address families, since a route that steers only IPv4 into the tunnel leaves the host's IPv6 traffic on its ordinary default route.
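To make the routing policies in the Trust Issues, Inverse split tunneling and IPv6 dual-stack sections concrete, here is an added Python model of the forwarding decision a host makes under each policy (example code written for this page, not from the original article). It does a longest-prefix-match lookup over a constructed route table and reports which destinations never pass the VPN terminator. The interface names wlan0 and tun0, the 10.0.0.0/8 and fd12:3456:789a::/48 corporate prefixes, the hotel LAN and the VPN terminator's public address are assumptions. It also includes an "inverse" policy that covers only IPv4, to show the dual-stack leak mentioned above.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed assumptions for the example: interface names, corporate
# prefixes, the hotel's LAN and the public address of the VPN terminator.
PHYSICAL = "wlan0"                  # hotel wireless interface
TUNNEL = "tun0"                     # VPN tunnel interface
VPN_GATEWAY_PUBLIC = "198.51.100.10"
CORP_V4 = "10.0.0.0/8"
CORP_ULA = "fd12:3456:789a::/48"    # unique local address range (fc00::/7) for internal IPv6
HOTEL_LAN = "192.168.1.0/24"


def route_table(entries):
    """Build a list of (prefix, egress interface) pairs from CIDR strings."""
    return [(ipaddress.ip_network(prefix), iface) for prefix, iface in entries]


def lookup(table, dst: str) -> Optional[str]:
    """Longest-prefix match: the interface a packet to dst leaves by.
    Returns None if no route of the right address family matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in table:
        if prefix.version != addr.version or addr not in prefix:
            continue
        if best is None or prefix.prefixlen > best[0].prefixlen:
            best = (prefix, iface)
    return best[1] if best else None


# Plain split tunnel: default-permit. Everything leaves through the hotel
# gateway unless a more specific route steers it into the tunnel.
PLAIN_SPLIT = route_table([
    ("0.0.0.0/0", PHYSICAL),
    ("::/0", PHYSICAL),
    (CORP_V4, TUNNEL),
    (CORP_ULA, TUNNEL),
])

# Inverse split tunnel: default-deny. Everything enters the tunnel unless the
# policy explicitly allows a destination to leave directly. The route for the
# VPN terminator's own public address must stay on the physical interface,
# otherwise the tunnel's outer packets would be routed into the tunnel itself.
INVERSE_SPLIT = route_table([
    ("0.0.0.0/0", TUNNEL),
    ("::/0", TUNNEL),
    (HOTEL_LAN, PHYSICAL),                   # allowed exception, e.g. a local printer
    (VPN_GATEWAY_PUBLIC + "/32", PHYSICAL),
])

# A broken "inverse" policy that only installed an IPv4 default route into the
# tunnel; the host's ordinary IPv6 default route is still in place.
INVERSE_V4_ONLY = route_table([
    ("0.0.0.0/0", TUNNEL),
    ("::/0", PHYSICAL),
    (VPN_GATEWAY_PUBLIC + "/32", PHYSICAL),
])

# Constructed destinations: corporate file server (v4 and v6), a public web
# server (v4 and v6), a device on the hotel LAN and the VPN terminator.
DESTINATIONS = [
    "10.20.30.40",
    "fd12:3456:789a::40",
    "93.184.216.34",
    "2001:db8::1",
    "192.168.1.50",
    VPN_GATEWAY_PUBLIC,
]


def egress(table, destinations=DESTINATIONS) -> Dict[str, Optional[str]]:
    """Map each destination to the interface it leaves by under this table."""
    return {dst: lookup(table, dst) for dst in destinations}


def bypasses_gateway(table, destinations=DESTINATIONS) -> List[str]:
    """Destinations that never pass the VPN terminator (and so never see its
    filtering, inspection or logging). The terminator's own address is
    excluded: the tunnel's outer packets are supposed to leave directly."""
    return [dst for dst, iface in egress(table, destinations).items()
            if iface != TUNNEL and dst != VPN_GATEWAY_PUBLIC]


if __name__ == "__main__":
    for name, table in (("plain split", PLAIN_SPLIT),
                        ("inverse split", INVERSE_SPLIT),
                        ("inverse, IPv4 only", INVERSE_V4_ONLY)):
        print(f"{name:20} bypasses gateway: {bypasses_gateway(table)}")
```

Under the plain policy every non-corporate destination bypasses the gateway; under the inverse policy only the explicitly allowed hotel LAN does. The IPv4-only variant is the case to check on real dual-stack hosts: the public IPv6 server, and even the internal ULA address, leave through wlan0 because no IPv6 route was ever pointed at the tunnel.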