Educause Security Discussion mailing list archives

Re: vpn split tunnel or no split tunnel


From: "Avdagic, Indir" <indir_avdagic () WSU EDU>
Date: Mon, 7 Feb 2011 14:46:37 -0800

We have implemented split tunneling for our SSL VPN and IPSec remote access VPNs to make sure that all our users'
connections (when they are outside of our campus) to the internal resources are encrypted.
During the VPN sessions all their other network traffic (like web browsing) goes through the local ISP
connection.

By enabling our users to get access to our internal networks through the secure connection from any outside location we
have accomplished the main purpose of the VPN services.

To solve access problems for off campus library resources through the VPN connection we added at the VPN gateway all
outside library resources' IP addresses to the list of the destination internal IPs that can be accessed through the
split tunneled encrypted connection.

I hope this helps.

Best Regards,

Indir
_______________________________
Indir Avdagic, MSEM, CISSP, ACSA, TICSA
Information Systems Security Manager
Washington State University  
indir_avdagic () wsu edu
Phone: (509) 335-3279


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Allan Williams
Sent: Monday, February 07, 2011 12:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] vpn split tunnel or no split tunnel

G'day,
        We implemented split tunnelling since the purpose of the VPN was to secure communications back to the
University and we didn't want to pay for or log home user downloads.  Of course none of our users do, BUT hypothetically, if
a user on their home machine surfs for porn, runs a bit torrent, etc., we didn't see the need to have knowledge of this or
for this traffic to transit our network.

        Drawback of split tunnelling for us has been access to off campus library resources that use an IP based access
control.  With a split tunnel, the user's web browser will attempt to make a connection directly, not via an
approved/allowed university IP address.  To overcome this we had to implement a reverse proxy which allowed vpn and
non-vpn users access to external resources. In general we have promoted the reverse proxy as the primary access to
some on and off campus web resources and reserved vpn access to those that require secure access to university
enterprise systems (finance, hr, student etc).

Regards,
        Allan

On 08/02/2011, at 6:58 AM, Mark Monroe wrote:

We are architecting a new vpn service on campus and some people want split tunneling and some do not. I am not 100% 
sure either way. Anyone have any examples or data that might push me either way?

Mark Monroe    
Information Security Officer
University of Missouri - St. Louis

==================================
Allan Williams
Director IT Infrastructure 
Division of Information
South Oval 
Building #88T
The Australian National University
Canberra ACT 0200

T: +61 2 6125 8404
F: +61 2 6125 7699
www.anu.edu.au

CRICOS Provider #00120C
==================================
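Added example (not from any of the posters, nor from either university's configuration): a small Python model of the routing decision behind both replies above. It shows why a split tunnel breaks IP-based library access (the vendor sees the home ISP address), how adding the vendor's prefixes to the gateway's split-tunnel include list (Indir's fix) restores it, and how a campus reverse proxy (Allan's fix) does the same for VPN and non-VPN users alike. All addresses, the vendor prefix, the allowlist and the policy names are constructed assumptions drawn from RFC 5737 and RFC 1918 ranges.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed addresses (RFC 5737 documentation and RFC 1918 private ranges);
# none of these are the universities' real networks.
CAMPUS_INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]        # internal resources reached via VPN
LIBRARY_VENDOR = ipaddress.ip_network("203.0.113.0/26")       # hypothetical e-journal provider
CAMPUS_EGRESS = ipaddress.ip_address("198.51.100.10")         # address campus traffic leaves with
HOME_ISP = ipaddress.ip_address("192.0.2.77")                 # the user's home address
# Range the (hypothetical) vendor has registered for the university.
VENDOR_ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]


@dataclass
class VpnPolicy:
    """Client-side routing policy pushed by the VPN gateway."""
    split_tunnel: bool
    include: list = field(default_factory=list)  # prefixes sent through the tunnel when split

    def path_for(self, dst) -> str:
        """Return 'vpn' if dst is routed through the tunnel, else 'isp' (local ISP)."""
        dst = ipaddress.ip_address(dst)
        if not self.split_tunnel:
            return "vpn"                       # full tunnel: everything goes to campus
        return "vpn" if any(dst in net for net in self.include) else "isp"

    def source_seen_by(self, dst) -> ipaddress.IPv4Address:
        """Source address the remote service observes for this client."""
        return CAMPUS_EGRESS if self.path_for(dst) == "vpn" else HOME_ISP


def library_allows(src, allowlist=VENDOR_ALLOWLIST) -> bool:
    """Model of the vendor's IP-based access control."""
    return any(ipaddress.ip_address(src) in net for net in allowlist)


def evaluate(policy: VpnPolicy, dst="203.0.113.5", via_reverse_proxy=False) -> dict:
    """Work out how a request to the library vendor at dst is seen and whether it is admitted."""
    if via_reverse_proxy:
        # A campus reverse proxy terminates the client connection and re-originates it
        # from campus, so the vendor sees campus egress regardless of VPN state.
        path, src = "proxy", CAMPUS_EGRESS
    else:
        path, src = policy.path_for(dst), policy.source_seen_by(dst)
    return {"path": path, "src": str(src), "allowed": library_allows(src)}


FULL_TUNNEL = VpnPolicy(split_tunnel=False)
SPLIT_NO_LIBRARY = VpnPolicy(split_tunnel=True, include=CAMPUS_INTERNAL)
SPLIT_WITH_LIBRARY = VpnPolicy(split_tunnel=True, include=CAMPUS_INTERNAL + [LIBRARY_VENDOR])

if __name__ == "__main__":
    for name, policy in [("full tunnel", FULL_TUNNEL),
                         ("split, campus only", SPLIT_NO_LIBRARY),
                         ("split + library prefixes", SPLIT_WITH_LIBRARY)]:
        print(f"{name:26s} -> {evaluate(policy)}")
    print(f"{'split + reverse proxy':26s} -> {evaluate(SPLIT_NO_LIBRARY, via_reverse_proxy=True)}")
    # Ordinary web browsing stays on the local ISP under both split policies.
    print("general web via split tunnel:", SPLIT_WITH_LIBRARY.path_for("203.0.113.200"))
```

The include-list approach only works as long as the gateway's list tracks the vendors' address ranges; the reverse proxy avoids that maintenance and also covers users who are not on the VPN at all, which is why the thread ends up favouring it for library access while keeping the VPN for enterprise systems.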

