I often hear VPN Security Engineers talk about the dangers of split tunneling your laptop VPN connection to the corporate network. The story goes if you have your corporate laptop at home, and your kids have their “unprotected compromised system” at home, then there is a risk to the corporate enterprise network because that home network is compromised, and the kid's “evil laptop” will infect the company. (P1)
Another scenario we often hear is that the corporate network laptop will get compromised by the “evil laptop”, and then “the bad actor will be sitting on the corporate network laptop doing evil things”. (P2)
I always end up having problems with the descriptions of these two scenarios. So, let’s dive into split tunneling.
Split Tunneling a Laptop
When you split tunnel a VPN on a laptop, you are essentially dividing up your ethernet traffic between traffic that goes to and from your enterprise, and other traffic that goes to and from the Internet. The core goal of providing split tunneling capabilities are to simply give your workers the ability to perform work functions at work and internet functions (browsing, movies, aka “tomfoolery”) from the Internet directly. This connectivity gives your users the fastest capability to do both work and “tomfoolery” using the sources that have the fastest network connectivity. Remember, security is an option if you deploy split tunneling.
As an example: Fortinet Split Tunnel using the software VPN client.:
(P1) Image Source: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/307303/ssl-vpn-split-tunnel-for-remote-user Accessed 3/30/20
As seen in the graphic above, the “Remote User” connects his laptop to the VPN using the green line. He also has his split tunnel going to the Internet using the other green line. You, me, and the kids cannot access that green line to the corporate network because we do not have the software VPN configured on our laptop, access credentials, or possibly a second-factor token to access the internal network. (Security in layers like 2FA, certificates, and others.)
Likewise, if they are using a next-generation firewall like Fortinet, there are access control lists and policies on that incoming VPN interface that can block “evil activity” like hacking, hygiene inspection like host inspection, and IDS/IPS are also active and available on that incoming/outgoing VPN interface.
So, if the corporate Remote User’s desktop is compromised, the VPN can force disconnect and prevent the attack based upon IPS, bad authentication, host inspection, and others. In the scenarios of (P1) and (P2), the kids cannot access the corporate network, the data is safe, and bad actors will need to defeat the “remote laptop” security to gain access to the corporate network.
Pros:
Split tunneling the corporate data allows the VPN to require a smaller ethernet connection.
Corporate data is secured through IPSEC connectivity.
If you have cloud services, those will flow out of the Internet connection and not go through the corporate network.
Company updates can come through the IPSEC connection to the company.
Virus updates can come through the IPSEC connection to the company.
IDS/IPS still protects the company in the incoming/outgoing VPN interface activity.
Cons:
Web activity goes out of the Internet and does not get inspected by the corporate network, unless you have a great VPN Client like the Fortinet FortiClient that has extra capabilities. (See Appendix A.)
Port scans can still happen to the laptop as it sits in a coffee shop.
Hackers can still use exploits to compromise the computer, gain access, and attach keyboard loggers to the laptop.
No change on the laptop attack surface except all traffic is encapsulated in an IPSEC tunnel.
Full VPN
In a full VPN, or SSL VPN, connection ALL traffic is transferred through the enterprise, so all work functions go to the company, and all “tomfoolery” goes through the company. But the same controls exist to protect the company, and stop hackers, ensure computer hygiene, and prevent attacks.
(P2) Image Source: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/559546/ssl-vpn-full-tunnel-for-remote-user Accessed 3/30/20
Most employees don’t want their “tomfoolery” to go through company security, monitoring, and other secure connections. Likewise, there are some privacy concerns with the company being able to see all confidential data that travels through the central enterprise. Things like personal healthcare browsing (HIPAA), personal finance, and personal confidential data can put the company in an awkward position even when an expectation of privacy doesn’t exist. In the age of the California Consumer Privacy Act (CCPA), we are going to see more legislation developed to protect privacy at all levels, even in a corporation.
Pros:
All traffic goes through the company for inspection.
All systems connected to the company for updates.
Internal AV systems can do updates if needed.
Host Inspection keeps systems off that are insecure.
IDS/IPS protects rouge laptops.
Web traffic can work through the web filter.
Cons:
Increased bandwidth to the VPN to support ALL traffic going to the company.
Increased need for privacy controls.
Increased bandwidth to the company Internet connection so ALL systems can work.
Network roundtrip delays can be a problem as ALL traffic goes in and out the corporate network.
Port scans can still happen on the laptop as it sits in a coffee shop.
Remember security in layers on the laptop, because if the laptop gets compromised, then the attacker still has direct access to the laptops out of band scenarios.
Hackers can still use exploits to compromise the computer, gain access, and attach keyboard loggers to the laptop.
No change on the laptop attack surface except all traffic is encapsulated in an IPSEC tunnel.
Conclusion
A split tunnel laptop VPN connection gives the flexibility necessary. Security is still an excellent option, and if designed using good next-generation firewalls like Fortinet, you will be able to get the best of all worlds using security first.
A full VPN tunneled laptop will secure ALL traffic to the company and will cause the system to go through the security controls inside. Understanding of the bandwidth requirements to the VPN and Internet will need to be tested and the realization that the physical device is no more secure from being attacked in the coffee shop. Missing updates on the laptop, open ports and misconfigurations will still put the laptop in a compromised state as it sits tunneled to the corporate network. IPSEC only protects ethernet traffic, not physical software vulnerabilities. Physical software vulnerabilities exist on both split tunnel and full tunnel systems.
Appendix A
As seen here (Fortinet FortiClient mentioned previously), you can do host inspection, antivirus, web filtering, application firewall, vulnerability scanning, and VPN access. This particular VPN client sits on the laptop and sends telemetry to the Fortinet firewall (controller) internally and while the laptop is on the road. Using this tool and the telemetry, you can keep up to date with vulnerabilities, software updates, antivirus information, all while the laptop is being protected and filtering web activity through the split tunnel connection.
(Appendix A) Image Source: https://help.fortinet.com/fclient/olh/5-4-1/Content/FortiClient-5.4-Admin/900_Web%20Security%20&%20Filter/605_Enable%20Web%20Security.htm Accessed 3/30/20
As a Cybersecurity Consultant, I hope this information will help your organization utilize split tunneling wherever it can, and also encourage you to roll out some of those advanced features you have at your disposal as you deployed your next generation firewall.
Jerry Craft Senior Security Consultant & CISO