Educause Security Discussion mailing list archives
Re: vpn split tunnel or no split tunnel
From: "Julian Y. Koh" <kohster () NORTHWESTERN EDU>
Date: Mon, 7 Feb 2011 14:09:40 -0600
At 1:58 PM -0600 2/7/11, Mark Monroe wrote:

> We are architecting a new VPN service on campus and some people want split tunneling and some do not. I am not 100% sure either way. Anyone have any examples or data that might push me either way?
There are a number of arguments on either side of the issue - I'd say that there's definitely no completely right or wrong answer, so you're exactly where you should be IMO. :)

Using split tunneling allows you to reap performance gains since all of your traffic doesn't need to come all the way back to your campus in order to go back out again. In addition, you'll cut down on things like abuse complaints that get tracked back to a campus IP address because a user forgot to turn off the VPN before his/her kid started running P2P file sharing software on the home computer.

Depending on what you use your VPN for, you might need to tunnel traffic to off-campus networks anyway, usually for things like 3rd-party licensed content through your library. Again, depending on how many of those entries you need and how many slots you have available to define your split tunnel entries on your concentrator, this might become a bear to manage, and you might end up tunneling so much stuff that it'd be easier to just tunnel everything anyway.

A definite argument against using split tunneling, again depending on how your campus network is set up, is that you have basically set up your clients as a pathway from the public Internet to what could be rather sensitive parts of your internal campus network. So someone from the Internet could compromise your remote client computer and then use that to access your campus network. If you didn't use split tunneling, then the client computer might not be as accessible. Again, this all depends on how you have your campus network set up and what you're using the VPN for.

You may also run into increased support costs with split tunneling due to the routing complexity that users need to be aware of. So education and documentation become even more important than with an easier non-split tunneling setup.
Here at NU, our traditional VPN service does not use split tunneling, but our SSL VPN service, which is targeted at specific audiences, usually more technically savvy, does use split tunneling.

-- 
Julian Y. Koh <mailto:kohster () northwestern edu>
Manager, Network Transport <phone:847-467-5780>
Telecommunications and Network Services
Northwestern University
PGP Public Key: <http://bt.ittns.northwestern.edu/julian/pgppubkey.html>
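As an added illustration of the trade-off the reply describes (how many concentrator entries a split-tunnel include list costs, and which destinations that policy says must be tunneled would instead go out the direct path), here is a small model in Python. It is example code written for this archive page, not from the post or from any VPN product; all prefixes, addresses and the slot limit are constructed values.

```python
# Added example: model a split-tunnel "include" list, merge it into the
# fewest CIDR entries, check it against a concentrator's slot limit, and
# find required destinations that would leak out the direct path.
# All prefixes, addresses and the slot limit below are constructed samples.
import ipaddress
from typing import Iterable, List


def collapse_includes(prefixes: Iterable[str]) -> list:
    """Merge overlapping or adjacent prefixes so each costs one concentrator entry."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))


def entries_needed(prefixes: Iterable[str]) -> int:
    """How many split-tunnel entries the concentrator must hold after merging."""
    return len(collapse_includes(prefixes))


def fits_concentrator(prefixes: Iterable[str], slot_limit: int) -> bool:
    """True if the merged include list fits the concentrator's entry limit."""
    return entries_needed(prefixes) <= slot_limit


def is_tunneled(dst: str, includes: Iterable[str], split: bool = True) -> bool:
    """Route decision: via the VPN (True) or direct (False); split=False is full tunnel."""
    if not split:
        return True
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in collapse_includes(includes))


def uncovered(required: Iterable[str], includes: Iterable[str]) -> List[str]:
    """Destinations that policy says must be tunneled but the include list sends direct."""
    return [d for d in required if not is_tunneled(d, includes)]


# Constructed sample: campus ranges plus two ranges standing in for
# library-licensed third-party content that must also be reached via campus.
CAMPUS = ["10.0.0.0/8", "192.0.2.0/25", "192.0.2.128/25"]
LIBRARY = ["198.51.100.0/24", "203.0.113.0/24"]
MUST_TUNNEL = ["10.1.2.3", "198.51.100.7", "203.0.113.9"]

if __name__ == "__main__":
    print("entries:", entries_needed(CAMPUS + LIBRARY))
    print("fits 3 slots:", fits_concentrator(CAMPUS + LIBRARY, 3))
    print("leaks with campus-only includes:", uncovered(MUST_TUNNEL, CAMPUS))
```

Run against a real include list, `uncovered()` is the check to do before rollout: anything it returns is a destination users will reach unencrypted and from their home IP rather than a campus one.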