
Split tunneling: Difference between revisions

From Wikipedia, the free encyclopedia
→‎Disadvantages: not dubious, per talk
→‎Trust issues: Weasel, unsourced, and likely OR. Also unclear: talks about "this fundamental trust issue" without saying what it is.
Tag: section blanking


ISPs that implement [[DNS hijacking]] break name resolution of private addresses with a split tunnel.

=== Trust issues ===
There are many variants of split tunneling that attempt to address this fundamental trust issue. Often when plain split tunneling is enabled, datagrams by default will go out the local network interface's default gateway. Only [[datagram]]s that are destined for IP networks behind the VPN terminator will go through the tunnel. This violates the [[principle of least privilege]] if a user does not absolutely require access to the entire Internet.


== Variants and related technology ==

Revision as of 17:38, 24 March 2014

Split tunneling is a computer networking concept that allows a VPN user to access a public network (e.g., the Internet) and a local LAN or WAN at the same time, over the same physical network connection. This is usually configured through a program such as a VPN client application.

For example, suppose a user runs a remote access VPN client that connects to a corporate network over a hotel wireless network. With split tunneling enabled, the user can reach file servers, database servers, mail servers and other servers on the corporate network through the VPN connection. When the user connects to Internet resources (Web sites, FTP sites, etc.), the connection request goes directly out through the gateway provided by the hotel network.

Advantages

One advantage of using split tunneling is that it alleviates bottlenecks and conserves bandwidth as Internet traffic does not have to pass through the VPN server.

Another advantage is in the case where a user works at a supplier or partner site and needs access to network resources on both networks throughout the day. Split tunneling prevents the user from having to continually connect and disconnect.

Disadvantages

A disadvantage is that when split tunneling is enabled, users bypass gateway-level security controls that may be in place within the company infrastructure. For example, web or content filtering is usually enforced at the gateway, not on the client PC, so traffic that leaves through the local gateway is never filtered.

ISPs that implement DNS hijacking break name resolution of private addresses with a split tunnel.

Inverse split tunneling

A variant of split tunneling is called "inverse" split tunneling. By default all datagrams enter the tunnel except those whose destination IPs are explicitly allowed by the VPN gateway. The criteria for allowing datagrams to exit via the local network interface (outside the tunnel) vary from vendor to vendor (e.g., by port or service). This keeps control of network egress with a centralized policy device such as the VPN terminator. It can be augmented by endpoint policy enforcement technologies such as a firewall in the endpoint device's network interface driver, a group policy object or an anti-malware agent. This is related in many ways to network access control (NAC).
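The routing decision behind both modes (the hotel example above and the inverse variant just described) can be modelled with a small longest-prefix-match route table. This is an added example, not code from the article; the corporate prefixes, local gateway address and destination addresses are constructed sample values.

```python
# Added example: models which path (VPN tunnel or local gateway) a host
# chooses for each destination under plain and inverse split tunneling.
from ipaddress import ip_address, ip_network

# Constructed sample values: corporate prefixes reachable only through the
# VPN, and the hotel network's local default gateway.
CORP_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12"]
LOCAL_GATEWAY = "192.168.1.1"


def split_tunnel_table():
    # Plain split tunneling: only corporate destinations enter the tunnel;
    # everything else leaves via the local interface's default gateway.
    routes = [(ip_network("0.0.0.0/0"), "local", LOCAL_GATEWAY)]
    routes += [(ip_network(p), "vpn", None) for p in CORP_PREFIXES]
    return routes


def inverse_split_tunnel_table(allowed_local):
    # Inverse split tunneling: everything enters the tunnel except the
    # destinations the VPN gateway explicitly allows to exit locally.
    routes = [(ip_network("0.0.0.0/0"), "vpn", None)]
    routes += [(ip_network(p), "local", LOCAL_GATEWAY) for p in allowed_local]
    return routes


def select_route(routes, dst):
    # Longest-prefix match, the same rule a host routing table applies.
    addr = ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)


def egress(routes, dst):
    # Returns "vpn" or "local" for the destination.
    return select_route(routes, dst)[1]


def bypassing_flows(routes, dsts):
    # Destinations that never traverse the corporate gateway, i.e. the
    # traffic that gateway-level web/content filtering cannot see.
    return [d for d in dsts if egress(routes, d) == "local"]


if __name__ == "__main__":
    dsts = ["10.1.2.3", "203.0.113.5", "198.51.100.7"]
    print("split:", bypassing_flows(split_tunnel_table(), dsts))
    print("inverse:", bypassing_flows(inverse_split_tunnel_table(["203.0.113.0/24"]), dsts))
```

Reviewing the `bypassing_flows` output for a given route table is a quick way to see exactly which destinations the gateway controls will not inspect.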

IPv6 dual-stack networking

Internal IPv6 content can be hosted and presented to sites via a unique local address range through the VPN, while external IPv4 and IPv6 content is reached via the site routers.
