The current COVID-19 pandemic has changed the way the world and our Credit Union industry works. The rush to get our employees working remotely has posed new logistical and security challenges. Among those security challenges is configuration of VPN connections for our employees. A common question we receive at OGO is: “Should I use split or full tunneling and what are the pros and cons of each?” Whether to split or full tunnel is a topic that often brings up much debate in the IT world. We will not be able to lay that debate to rest but will help give some clarity so we can make the best decisions for our credit unions.
What are full and split tunnel VPNs?
When we set up a Virtual Private Network (VPN) for our remote computing devices, we create an encrypted connection between that device and a VPN concentrator or firewall on our Credit Union network. This connection allows that device to connect to services on our internal network without exposing those services directly to the internet. When that connection is made, we are able to control what services the device can reach on our network. We can also control what traffic is sent to our network through the encrypted tunnel connection.
Full Tunneling happens when we send all network traffic through the VPN connection. This includes traffic destined for our internal network as well as routing the device’s internet bound traffic through the encrypted VPN tunnel and back out the Credit Union’s internet connection. If we only send traffic destined for our internal network through the encrypted tunnel and allow all other traffic to go out the local device’s internet connection, that is Split Tunneling.
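One way to verify which mode a client is actually in is to read its routing table: a full tunnel routes all of IPv4 space through the VPN interface, while a split tunnel routes only the internal prefixes there. The script below is an added example (not part of OGO's post); the route lines, interface names and addresses are constructed samples, and it uses the fact that OpenVPN's `redirect-gateway def1` option forces full tunneling with two /1 routes rather than by replacing the default route.

```python
import ipaddress

# Constructed sample routing tables in 'ip route' style (hypothetical
# addresses). tun0 is the VPN interface, eth0 the local home/hotel uplink.
SPLIT_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev eth0
10.10.0.0/16 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""
# Full tunnel as installed by OpenVPN 'redirect-gateway def1': two /1 routes
# that together cover all of IPv4 while the original default route stays in
# place, plus a host route so the VPN endpoint itself remains reachable.
FULL_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev eth0
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
203.0.113.5 via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""

def parse_routes(text):
    """Yield (network, interface) pairs from 'ip route' style lines."""
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        yield ipaddress.ip_network(dst, strict=False), fields[fields.index("dev") + 1]

def classify_tunnel(text, vpn_if):
    """Return {'mode': 'full'|'split', 'bypass': [...]}. 'full' means the VPN
    interface's routes collapse to the whole IPv4 space. 'bypass' lists routes
    on other interfaces that are more specific than a VPN route and so win
    longest-prefix matching: traffic that still leaves via the local uplink."""
    routes = list(parse_routes(text))
    vpn_nets = [net for net, dev in routes if dev == vpn_if]
    covered = list(ipaddress.collapse_addresses(vpn_nets))
    mode = "full" if covered == [ipaddress.ip_network("0.0.0.0/0")] else "split"
    bypass = sorted(
        str(net) for net, dev in routes
        if dev != vpn_if and any(net != v and net.subnet_of(v) for v in vpn_nets)
    )
    return {"mode": mode, "bypass": bypass}

if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL_ROUTES), ("full", FULL_TUNNEL_ROUTES)):
        print(name, classify_tunnel(table, "tun0"))
```

On a real client, feed it the output of `ip route` and the VPN interface name; the `bypass` list shows the exceptions (local LAN, VPN endpoint) that a "full tunnel" policy should consciously allow or block.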
Pros and cons of full and split tunneling
Full tunneling pros
- All traffic passes through the Credit Union's security tools such as web filtering, IDS/IPS, threat analytics, and SIEM, allowing the Credit Union to control what services the computer can access.
- Passing all traffic through the Credit Union's security tools can help reduce the risk of a malicious actor making an unauthorized connection to a compromised computer and using it to access the Credit Union's internal network.
- When connected to an insecure network such as a hotel or coffee shop, tunneling all traffic can mitigate a malicious actor sniffing traffic or setting up a man-in-the-middle attack to capture data and credentials.
Full tunneling cons
- Under heavy use, the additional load of both internal network and remote device internet traffic passing through the tunnel and the Credit Union's internet connection can overload the connection and affect performance.
- Scaling the internet connection and associated hardware to support the bandwidth needed can be costly, especially for smaller Credit Unions.
- Potential additional latency for audio and video services such as conferencing.
Split tunneling pros
- Only traffic destined for the Credit Union network is directed over the encrypted VPN tunnel, reducing load on the internet connection.
- Potentially lower costs due to reduced bandwidth needs.
Split tunneling cons
- The device's internet traffic does not flow through, and is not inspected by, the Credit Union's network security services.
- If a remote device is compromised, a malicious actor could gain a foothold into the internal network by communicating with the device over its local internet connection and then connecting to the Credit Union's internal network over the tunnel.
- Additional security tools and controls are needed on the local device to mitigate potential attack paths.
Should my credit union use full or split tunneling?
Being financial institutions, our employees routinely work with member data and confidential information. Maintaining the confidentiality of that information is one of the primary charges of our information security programs. The most secure and ideal configuration is to use full tunneling and, if your environment allows it, to always force the VPN connection. This allows our IT and security teams to control that traffic and the flow of information to our devices.
If your current environment cannot support this configuration and you must use split tunneling, we need to ensure that we have adequate mitigating controls in place on all Credit Union employee remote devices, including:
- Antimalware and Endpoint Detection and Response (EDR) software.
- Web filtering software and network controls that prevent connections to sites where data can be exfiltrated, and to known and potentially malicious sites.
- Data loss prevention tools.
- Local device encryption.