When designing a VPN for security, it is very important to be aware of how your traffic will flow through the network. The very nature of virtual links, which don't necessarily follow the physical path you were expecting, can make this a little challenging. One of the trickier decisions is called split tunneling.
"Split tunneling" refers to having separate paths. For example, let's assume a VPN tunnel from your head-end VPN concentrator in your DMZ terminates on a remote user's laptop, which is directly connected to the Internet. If split tunneling is enabled, the traffic from the user's laptop to the Internet will go from the users laptop to the Internet. If split tunnels are disabled, this same traffic will be forced to go across the Internet through the VPN tunnel to your head-end concentrator in your DMZ, where it will do a hairpin turn and go back out through your firewall to its Internet destination.
A few of the "gotchas" are as follows:
Many firewalls do not like packets coming in and going out on the same interface, which is exactly what this hairpin turn is doing. So their recommendation is usually "turn split tunnels on". The alternative is reconfiguring the location of the concentrator with respect to the firewall.
Unfortunately, the downside to using split tunnels is security. If your remote users are allowed to access the Internet, you know they'll be downloading all kinds of high-risk material. And you know that even with a "personal firewall" the average user's laptop is far from secure. With a split tunnel, if an intruder can find just one vulnerability in a remote desktop, they can bypass your firewall and access your internal network with the same privileges that the real user has. This is a frightening prospect indeed. By disabling split tunnels, you prevent any direct communication with the Internet (other than your VPN), which goes a long way towards securing the device. This is critical when the users are using their personal machines from home, which are typically "always on" via a cable-modem.
Also, in some large corporate networks, split tunnels can create default-routing issues. The user's laptop needs to know which traffic to send through the VPN and which to send to the Internet via its default gateway.
There isn't really one globally correct answer to this question; your decision to enable or disable split tunnels should depend on your tolerance for security risks and budget, etc. But knowing the gotchas can help you design a solution that meets your needs.
Thomas Alexander Lancaster IV is a consultant and author with over ten years experience in the networking industry, focused on Internet infrastructure.
This was first published in November 2001