Split tunneling is a very powerful feature that is often used by remote workers with active VPN connections. It can be harnessed to greatly improve the user experience, but if configured improperly it can also become a grave security risk.
What is Split Tunneling?
Split Tunneling is a computer networking concept that allows users to access different security domains at the same time. The most well-known example is the remote user connecting to his office resources through the company VPN while at the same time accessing the internet through his home ISP connection.
Split tunneling is generally categorized as either split-include or split-exclude. With split-include, your traffic uses your default route by default (duh), and you explicitly configure which traffic you want to send (include) into the tunnel. Split-exclude, as you might have guessed, sends all traffic into the tunnel by default, and you have to explicitly configure the traffic you want sent elsewhere (to your local LAN, for example).
As I noted, the most common example of a split tunnel is a remote user traveling and working from a hotel, or an employee working from home. Administrators can configure split tunneling in such a way that these users can still browse to their favorite cat-related websites and watch their personal cat-movie attachments over their personal internet connection, all while accessing corporate resources through the corporate VPN. More often than not, users find split tunneling convenient, as there are likely fewer restrictions on their personal ISP connection than on the corporate VPN connection, which won't allow access to their favorite funny cat websites. (Sorry for all the cat references for those who are not feline fans.)
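To make the include/exclude distinction concrete, here is an added example (not from the original article) that models the routing decision for both modes and audits a policy for corporate destinations that would leak onto the local ISP connection. All prefixes are constructed RFC 1918 / documentation ranges, not any real network.

```python
"""Model of split-include vs split-exclude routing decisions (added example).

The prefix lists below are constructed sample values, not a real deployment.
"""
from ipaddress import ip_address, ip_network
from typing import Iterable, List

# Constructed: corporate networks an administrator wants reachable via the VPN.
CORP_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]
# Constructed: the user's home LAN (printer, NAS) that should bypass the tunnel.
HOME_LAN = [ip_network("192.168.1.0/24")]


def via_tunnel(dst: str, mode: str, prefixes: Iterable) -> bool:
    """Return True if traffic to ``dst`` enters the VPN tunnel.

    split-include: only destinations inside ``prefixes`` use the tunnel;
                   everything else follows the default route (local ISP).
    split-exclude: everything uses the tunnel except destinations inside
                   ``prefixes``, which follow the default route.
    """
    addr = ip_address(dst)
    matched = any(addr in net for net in prefixes)
    if mode == "include":
        return matched
    if mode == "exclude":
        return not matched
    raise ValueError(f"unknown split-tunnel mode: {mode}")


def find_leaks(mode: str, prefixes: Iterable, corporate_hosts: Iterable[str]) -> List[str]:
    """Return corporate destinations that a policy would send over the local ISP.

    Useful as a sanity check when a split-include list is edited: a forgotten
    prefix silently routes that part of the corporate network outside the VPN.
    """
    return [h for h in corporate_hosts if not via_tunnel(h, mode, prefixes)]


if __name__ == "__main__":
    # Constructed sample destinations: two corporate file servers, one on 172.16/12.
    corp_hosts = ["10.20.30.40", "172.20.1.5"]
    # An incomplete split-include list that only covers 10.0.0.0/8.
    print(find_leaks("include", [ip_network("10.0.0.0/8")], corp_hosts))  # ['172.20.1.5']
    print(via_tunnel("203.0.113.7", "exclude", HOME_LAN))  # True: internet goes through VPN
```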
The Advantages of Split-Tunneling
Reduces bandwidth limitations and bottlenecks, as normal internet traffic will not have to be tunneled through the corporate VPN.
Much improved user experience: Simultaneous access to company resources and regular internet traffic. With split-tunnel configured you don't have to continuously connect/disconnect to the corporate VPN every time you need to access that file you're working on.
The Downsides of Split-Tunneling
Allowing split-tunneling comes with risks. You'll be bypassing corporate security controls and gateway restrictions. For example, URL filtering is generally enforced on the corporate firewall and not on the client PC, so letting all your users go freely onto the internet might not be the best idea.
DLP (Data Loss Prevention) can be an issue. You might willingly or unwillingly download classified corporate information through the corporate VPN and then share it with the world over your unsecured internet connection.
For more information on Split-Tunneling, please visit the following links: