Educause Security Discussion mailing list archives

Re: vpn split tunnel or no split tunnel


From: Chris Green <cmgreen () UAB EDU>
Date: Mon, 7 Feb 2011 14:24:22 -0600

I'm against it in most scenarios.  I think it just causes pain and makes people want to work off-campus less.

A better write up than I could do:

http://blogs.technet.com/b/tomshinder/archive/2010/03/30/more-on-directaccess-split-tunneling-and-force-tunneling.aspx


1) Are you going to be significantly better at detecting malware if the client is routing through you?

2) Is this same user going to have your data if they don't use the VPN?

The more complicated the home network environment, the more likely killing split tunneling will just annoy your users.

USB printer == no problem;
Network printer == whoa buddy! You are violating security policy! Save to your hd (not a file share!), disconnect, and then print!

I thought about split tunneling the other night in a separate scenario. Equipment Involved: Windows 7 Ultimate Edition, Lockdown Browser, and an Xbox 360. Xbox 360 in Media Center mode streaming content. Dad and kids upstairs, Mom downstairs taking test. Lockdown browser complained about there being an active terminal services session. Turns out, media center extender leverages RDP for a portion of communication and was enough to display Lockdown Browser error message to user when there is an active session streaming content. Mom (Student) wasn't happy (Couldn't do test); Dad (me) wasn't happy (Trying to fix Mom's problem), Kids (3 & 4) weren't happy.

Assuming this self-regulated remote access is an acceptable risk, don't contribute to screwing up people's home network.

I do have a network where we pushed a "disable split tunnel" network just so we could apply the same strict rules on campus versus off for a particular device category that mimics the split tunneling blog post from above.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark Monroe
Sent: Monday, February 07, 2011 1:58 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] vpn split tunnel or no split tunnel

We are architecting a new vpn service on campus and some people want split tunneling and some do not. I am not 100% 
sure either way. Anyone have any examples or data that might push me either way?

Mark Monroe
Information Security Officer
University of Missouri - St. Louis
