VPN Split Tunneling
What is Split Tunneling?
Virtual private network (VPN) split tunneling lets you route some of your application or device traffic through an encrypted VPN, while other applications or devices have direct access to the internet. This is particularly useful if you want to benefit from services that perform best when your location is known while also enjoying secure access to potentially sensitive communications and data.
It is important to keep in mind the split tunneling security risks (more on these later) when considering this option.
Virtual Private Network (VPN)
A VPN provides users with a secure tunnel through which all data traveling to and from their device is encrypted. This allows them to enjoy secure remote access and protected file sharing while also being able to mask their location if they choose to do so.
However, with a VPN, you may experience slower network speed and bandwidth issues because of the encryption that has to be applied to all data traveling through it.
Choose Which Traffic Goes Through the VPN
How does split tunneling work? With a split tunnel connection, users can send some of their internet traffic via an encrypted VPN connection and allow the rest to travel through a different tunnel on the open internet. The default setting of a VPN is to route 100% of internet traffic through the VPN, but if you want to access local devices or obtain higher speeds while encrypting specific data, consider using split tunneling.
Benefits of Split Tunneling
Split tunneling may not be a good fit for all organizations, but you have the option of turning it on when you set up your VPN. Many organizations with VPNs have bandwidth restrictions, particularly because the VPN has to both encrypt data and send it to a server in a different location. This can result in performance issues if split tunneling is not implemented.
When split tunneling is enabled, traffic that does not need VPN protection, which would otherwise be encrypted and transmitted more slowly, is sent through the other tunnel instead. Routing that traffic over the public network can enhance performance because no encryption is necessary.
Provide a Secure Connection for Remote Workers
With split tunneling, remote employees can benefit from a secure network connection through the VPN that provides them with encrypted access to sensitive files and email. At the same time, they can access other internet resources through their internet service provider (ISP) at higher speeds.
Work on a Local Area Network (LAN)
When you connect to a VPN, encryption may block access to your LAN. With split tunneling, you can still access local resources like printers through your LAN while benefiting from the security of the VPN.
Stream Content Without Using Foreign IP Addresses
Split tunneling gives you the freedom to stream content while traveling abroad and enjoy web services that depend on you having a local Internet Protocol (IP) address. You can use the VPN to connect to content in your home country, and with the split tunneling feature enabled, you can get the most out of websites and search engines that work best when they know your location.
What Are the Split Tunneling Security Risks?
There are risks to using split tunneling, and these must be weighed against the benefits. Those in charge of information security in corporate environments use defensive technology to protect endpoints and stop users from carrying out certain tasks, whether intentionally or by accident.
Traditionally, split tunneling allows users to circumvent proxy servers and other devices that are put in place to regulate and protect network usage. Therefore, if a user is working from a network that is not secure, they can put the organization’s network at risk. If a hacker compromises the network the user is working from, split tunneling may allow the hacker to put the rest of the organization’s network in jeopardy as well. As long as a company computer is compromised, the organization’s network remains at risk too.
Users may also bypass Domain Name System (DNS) controls, which aid in identifying and repelling intruders, as well as data loss prevention devices and other devices and systems. Each of these devices or systems plays a significant role in protecting data and communication, so circumventing any of them just to reduce traffic or increase performance may not be advantageous.
One function of proxy servers is to limit traffic to websites of a questionable nature or reputation. They also allow organizations to keep track of what their employees are doing or accessing. Additionally, proxies offer protection to corporate endpoints by preventing communication with command-and-control (C&C) servers manned by hackers. Another benefit is the ability to monitor and regulate traffic. Examples are proxies that limit or prevent access to sites like Spotify, YouTube, or Netflix, which stream music, movies, and other forms of entertainment.
If an employee’s system is infected, the data it sends to C&C systems in a split tunneling setup will not be visible to corporate IT. While the device or network is compromised and in communication with the invading system, the user may spend their time accessing disreputable sites on company time. And because split tunneling is enabled, the organization is unaware of the security risk or the loss of employee productivity.
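The routing decision described under "Choose Which Traffic Goes Through the VPN" and the control-bypass risks described in this section, modelled as an added example (not code from this page or from any Fortinet product). The route tables, resolver address and sample flows are constructed for illustration; the audit reports which flows leave the endpoint without passing the corporate DNS resolver or web proxy.

```python
import ipaddress
from typing import Iterable, List, Tuple

# A route is (network, next_hop); next_hop is "vpn" (encrypted tunnel) or "direct" (ISP).
Route = Tuple[ipaddress.IPv4Network, str]

# Full tunnel: the VPN default route sends 100% of traffic through the encrypted tunnel.
FULL_TUNNEL: List[Route] = [(ipaddress.ip_network("0.0.0.0/0"), "vpn")]

# Split tunnel (constructed): only the corporate prefix goes through the VPN; the default
# route and the user's home LAN (printers, etc.) go directly to the ISP.
SPLIT_TUNNEL: List[Route] = [
    (ipaddress.ip_network("0.0.0.0/0"), "direct"),
    (ipaddress.ip_network("10.0.0.0/8"), "vpn"),
    (ipaddress.ip_network("192.168.1.0/24"), "direct"),
]

# Constructed sample flows: (destination, port, label).
SAMPLE_FLOWS = [
    ("10.2.3.4", 443, "intranet file share"),
    ("198.51.100.20", 443, "streaming site"),
    ("192.0.2.10", 80, "unknown external host"),
]


def next_hop(dst: str, routes: List[Route]) -> str:
    """Longest-prefix match, the same rule an operating system routing table applies."""
    ip = ipaddress.ip_address(dst)
    best = max((r for r in routes if ip in r[0]), key=lambda r: r[0].prefixlen, default=None)
    if best is None:
        raise ValueError(f"no route for {dst}")
    return best[1]


def audit(routes: List[Route], resolver: str, flows: Iterable[Tuple[str, int, str]]) -> List[str]:
    """Return findings for traffic that bypasses the corporate DNS and proxy controls."""
    findings = []
    # DNS-based threat filtering only works if the endpoint's resolver is reached via the tunnel.
    if next_hop(resolver, routes) != "vpn":
        findings.append(f"dns: resolver {resolver} reached outside the tunnel, DNS filtering bypassed")
    for dst, port, label in flows:
        # Web traffic sent straight to the ISP never transits the corporate proxy, so URL
        # filtering and C&C blocking do not see it.
        if port in (80, 443) and next_hop(dst, routes) == "direct":
            findings.append(f"proxy: {label} ({dst}:{port}) leaves via ISP uninspected")
    return findings


if __name__ == "__main__":
    for name, table in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        print(name, audit(table, "203.0.113.53", SAMPLE_FLOWS) or ["no findings"])
```

Running the block with the constructed ISP resolver 203.0.113.53 reports no findings for the full tunnel and three for the split tunnel, which is the visibility gap the text describes.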
Protect Your Organization with Security-Driven Networking Solutions
It is important to properly configure your VPN split tunnels and firewalls. Split tunneling leaves you exposed to security risks because of the other tunnel’s lack of encryption. FortiClient improves security for your endpoints, providing secure access for remote employees. It also includes a built-in VPN that you can configure for split tunneling.
To protect your network from attacks and manage vulnerabilities, you can use the FortiGate next-generation firewall (NGFW) and the Fortinet software-defined wide-area network (SD-WAN). With FortiGate, all traffic undergoes deep inspection, and threats are discarded as they are detected. The Fortinet Secure SD-WAN solution gives you web filtering, sandboxing, secure sockets layer (SSL) inspection, and more security features, all while enabling full visibility over your data center, users, devices, and business applications via a single pane of glass.