Educause Security Discussion mailing list archives

Re: vpn split tunnel or no split tunnel


From: "Julian Y. Koh" <kohster () NORTHWESTERN EDU>
Date: Mon, 7 Feb 2011 14:09:40 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 1:58 PM -0600 2/7/11, Mark Monroe wrote:
> We are architecting a new vpn service on campus and some people want split
> tunneling and some do not. I am not 100% sure either way. Anyone have any
> examples or data that might push me either way?

There are a number of arguments on either side of the issue - I'd say that
there's definitely no completely right or wrong answer, so you're exactly
where you should be IMO.  :)

Using split tunneling allows you to reap performance gains since all of
your traffic doesn't need to come all the way back to your campus in order
to go back out again.  In addition, you'll cut down on things like abuse
complaints that get tracked back to a campus IP address because a user
forgot to turn off VPN before his/her kid started running P2P file sharing
software on the home computer.

Depending on what you use your VPN for, you might need to tunnel traffic to
off-campus networks anyway, usually for things like 3rd party licensed
content through your library.  Again depending on how many of those entries
you need and how many slots you have available to define your split tunnel
entries on your concentrator, this might become a bear to manage, and you
might end up tunneling so much stuff that it'd be easier to just tunnel
everything anyway.

A definite argument against using split tunneling, again depending on how
your campus network is set up, is that you have basically set up your
clients as a pathway from the public Internet to what could be rather
sensitive parts of your internal campus network.  So someone from the
Internet could compromise your remote client computer and then use that to
access your campus network.  If you didn't use split tunneling, then the
client computer might not be as accessible.  Again this all depends on how
you have your campus network set up and what you're using the VPN for.

You may also run into increased support costs with split tunneling due to
the routing complexity that users need to be aware of.  So education and
documentation become even more important than with an easier non-split
tunneling setup.

Here at NU, our traditional VPN service does not use split tunneling, but
our SSL VPN service, which is targeted at specific audiences, usually more
technically-savvy, does use split tunneling.


-----BEGIN PGP SIGNATURE-----
Version: 9.9.1.287

wj8DBQFNUFGDDlQHnMkeAWMRAhSsAKD/gFX9sLP9ihBCDoGAjYvGdfDkMwCgoQzT
/4ACHylK/v2tC/1U56il2mk=
=HOWE
-----END PGP SIGNATURE-----

-- 
Julian Y. Koh                         <mailto:kohster () northwestern edu>
Manager, Network Transport                         <phone:847-467-5780>
Telecommunications and Network Services         Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>
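Added example, not part of the post above or of any university's actual configuration: a short Python script that works through two of the points raised in the thread, the "how many split-tunnel entries do I need versus how many slots the concentrator has" question and the "which internal ranges become reachable from a remote client" review. The campus and vendor prefixes, the sensitive ranges and the slot limit are all constructed for illustration.

```python
"""Split-tunnel route planning helper (added example, constructed data).

Collapses a list of destinations that must traverse the VPN into the
minimal set of prefixes, checks that set against a concentrator's entry
limit, and lists which sensitive internal ranges a remote client would be
able to reach through the tunnel.
"""
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample data: campus networks that must be reached via VPN.
CAMPUS_NETWORKS = ["10.20.0.0/16", "10.21.0.0/16", "10.22.0.0/16", "10.23.0.0/16"]
# Constructed sample data: third-party licensed content (library vendors)
# that checks the campus source address, so it must also go through the tunnel.
VENDOR_NETWORKS = ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/24", "203.0.113.0/24"]
# Hypothetical concentrator limit on the number of split-tunnel entries.
SLOT_LIMIT = 8
# Constructed sample data: internal ranges that should be reviewed before
# exposing them to split-tunnel clients (e.g. admin or data-center VLANs).
SENSITIVE_RANGES = ["10.21.50.0/24", "172.16.0.0/12"]


def collapse_routes(prefixes: Iterable[str]) -> List[Network]:
    """Merge adjacent/overlapping prefixes into the smallest equivalent list.

    IPv4 and IPv6 are collapsed separately because ipaddress.collapse_addresses
    refuses mixed-version input.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def fits_slot_limit(routes: List[Network], limit: int) -> bool:
    """True if the collapsed route list fits in the concentrator's entry slots."""
    return len(routes) <= limit


def is_tunneled(destination: str, routes: List[Network]) -> bool:
    """Would traffic to this address be sent through the tunnel?"""
    addr = ipaddress.ip_address(destination)
    return any(addr in net for net in routes)


def tunnel_reachable_sensitive(routes: List[Network], sensitive: Iterable[str]) -> List[str]:
    """Sensitive ranges that overlap a split-tunnel route.

    Anything returned here is reachable from a remote client that has the
    tunnel up, which is the exposure the non-split-tunnel argument is about.
    """
    exposed = []
    for prefix in sensitive:
        net = ipaddress.ip_network(prefix, strict=False)
        if any(net.version == r.version and net.overlaps(r) for r in routes):
            exposed.append(prefix)
    return exposed


if __name__ == "__main__":
    routes = collapse_routes(CAMPUS_NETWORKS + VENDOR_NETWORKS)
    print("Split-tunnel entries needed:", len(routes), "of", SLOT_LIMIT)
    for r in routes:
        print("  ", r)
    print("Fits slot limit:", fits_slot_limit(routes, SLOT_LIMIT))
    print("Sensitive ranges reachable via tunnel:",
          tunnel_reachable_sensitive(routes, SENSITIVE_RANGES))
    for dst in ("10.22.5.6", "8.8.8.8"):
        print(dst, "tunneled" if is_tunneled(dst, routes) else "direct")
```

With the constructed data the eight listed prefixes collapse to four entries (the four campus /16s become a single /14), which fits the hypothetical limit; the same review also flags that the /14 silently pulls the 10.21.50.0/24 admin range into the tunnel, the kind of side effect worth catching before the route list is pushed to the concentrator.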

