Educause Security Discussion mailing list archives

Re: Do you allow your vpn clients to do split tunneling?


From: Jeff Kell <jeff-kell () UTC EDU>
Date: Mon, 10 May 2010 17:35:36 -0400

The "textbook" explanation of split-tunnel says it should be avoided
because of the possibility of bridging/routing external traffic through
the tunnel.

However, if the end-user is smart enough to do that wholesale (other
than the XSS possibilities) they're probably smart enough to bypass your
captive tunnel (depending on the client).

Split-tunnel advantages:

* you can advertise only a portion of your internal network via the tunnel,
* any "other traffic" is untouched (if you have a multi-tasking user
that needs the regular network),
* if you're NATed inside, you can test inside and outside connectivity
(by using inside/outside IPs)

Captive tunnel advantages:

* all traffic gets encrypted (very useful for WiFi or other open wireless),
* better control over what enters the tunnel (depending on the client)

We allow split-tunnel, but our current VPN is primarily ITD personnel.
I might be more biased toward captive if serving a broader audience.

Jeff
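One way to see the two postures the post describes from the client side, as an added example that is not part of the original post: it classifies a Linux client's `ip route` output (constructed sample, IPv4 only, assuming the VPN interface is `tun0`) as split or captive and flags the bridging condition, a live tunnel plus kernel forwarding.

```python
import ipaddress

# Constructed sample output of `ip route` on two Linux clients (not captured from real hosts).
SPLIT_CLIENT = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
10.20.0.0/16 dev tun0 scope link
10.30.5.0/24 via 10.8.0.1 dev tun0
"""
CAPTIVE_CLIENT = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.7 via 192.168.1.1 dev wlan0
"""

def parse_routes(text):
    """Yield (network, interface) from `ip route` lines; 'default' means 0.0.0.0/0."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        yield ipaddress.ip_network(dst, strict=False), fields[fields.index("dev") + 1]

def tunnel_mode(route_text, tun_if="tun0"):
    """Return ('captive'|'split'|'none', sorted prefixes routed into the tunnel)."""
    via_tun = [n for n, ifc in parse_routes(route_text) if ifc == tun_if]
    if not via_tun:
        return "none", []
    # Captive when the tunnel routes cover the whole IPv4 space: a plain default
    # route, or OpenVPN-style 0/1 + 128/1 halves that out-rank the physical default.
    covered = sum(n.num_addresses for n in via_tun)  # assumes non-overlapping prefixes
    mode = "captive" if covered >= 2 ** 32 else "split"
    return mode, sorted(str(n) for n in via_tun)

def bridging_risk(route_text, ip_forward, tun_if="tun0"):
    """The 'bridging' the post warns about needs a live tunnel *and* kernel
    forwarding (net.ipv4.ip_forward=1): only then can LAN peers be routed into the VPN."""
    mode, _ = tunnel_mode(route_text, tun_if)
    return mode != "none" and bool(ip_forward)

if __name__ == "__main__":
    for name, text in (("split", SPLIT_CLIENT), ("captive", CAPTIVE_CLIENT)):
        print(name, tunnel_mode(text), "bridging risk:", bridging_risk(text, 1))
```

On a real client, feed it the output of `ip route` and the value of `/proc/sys/net/ipv4/ip_forward`; the split case with forwarding on is the configuration the textbook warning is about.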
