Looking for some advice from companies that connect their remote worker devices to the corporate network via VPN. Do most companies implement some form of split tunneling to decrease the load on the corp network or do they prefer all the traffic to pass through the corporate network in order to provide the best protection for the end device?
Maybe this is an all-of-the-above question, but I'm just curious whether there is a consensus out there on balancing security and back-end loading?
Thanks,
Bob
Luckily I don’t have to make such decisions. But if I had to, I would lean towards **no** split tunneling for company owned devices. If it is company owned, it is subject to all the controls, auditing and security it would have if it was permanently on company premises. And I would require the VPN to be active before communicating over a network, or that the device be on-site, attached to a known company network. The more the company was required to comply with HIPAA, SOX or things like that, the more important this is.
I would be very hesitant to allow home PCs to be connected to the corporate network. Maybe access to an RDP or Citrix server, but that is all. I have seen corporate resources pwned by infected home PCs too many times to allow uncontrolled devices to connect. Remember SQL Slammer? I remember it, and how it took down a huge code repository when a programmer with an infected home PC VPNed in. It spread so far that we were without a functional network at all for days.
If the employee is important enough to the company to work remotely, then provide them the proper resources. Laptops are cheap compared to the overall cost of any employee who needs a PC.
I’d say more companies lean toward no split tunneling. Endpoint & data security is worth the extra cost you pay for bandwidth & computing power.
The best SECURITY practice is no split tunnel, if you have the necessary security implementation for filtering and blocking all kinds of nonsense and noise coming from your users' computers.
If you don’t have the ability to filter the rubbish from your users, then it's wise to issue a VPN configuration that can limit access to your corp resources by group or job designation.
It is industry standard that if a VPN is implemented, all traffic routes through the enterprise's network. This is often so the traffic can be monitored by a SIEM via a port mirror. This is a compliance requirement for many cybersecurity frameworks (NIST, ISO, etc.).
The alternative solution of using split tunneling just to capture DNS traffic is probably best implemented (by cost, performance and complexity) by using a managed cloud DNS service, like Cisco Umbrella. These solutions are often able to be integrated into the SIEM for ingestion too.
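One way to audit a client VPN config against the no-split-tunnel policy discussed in this thread, as an added example that is not from any of the posters: it assumes a WireGuard-style config format (`AllowedIPs`, `DNS` keys), and the sample configs, corporate prefixes and resolver addresses are constructed placeholders.

```python
"""Audit a WireGuard-style client config against a no-split-tunnel policy."""
import ipaddress
import re

# Constructed sample configs (placeholders, not from a real deployment).
FULL_TUNNEL = """[Interface]
Address = 10.200.0.7/32
DNS = 10.10.0.53
[Peer]
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""
SPLIT_TUNNEL = """[Interface]
Address = 10.200.0.8/32
DNS = 1.1.1.1
[Peer]
Endpoint = vpn.example.com:51820
AllowedIPs = 10.0.0.0/8, 172.16.0.0/12
"""

def _values(config, key):
    """Collect the comma-separated values of every 'key = ...' line."""
    out = []
    for m in re.finditer(rf"^\s*{key}\s*=\s*(.+)$", config, re.M):
        out += [v.strip() for v in m.group(1).split(",")]
    return out

def audit(config, corp_prefixes, corp_resolvers):
    """Report whether the tunnel is full, which corporate prefixes would be
    reached outside the tunnel, and which resolvers are not corporate ones."""
    routes = [ipaddress.ip_network(v, strict=False) for v in _values(config, "AllowedIPs")]
    # A full tunnel needs a default route for both address families.
    full = all(any(r.version == ver and r.prefixlen == 0 for r in routes) for ver in (4, 6))
    uncovered = []
    for p in corp_prefixes:
        net = ipaddress.ip_network(p)
        if not any(r.version == net.version and net.subnet_of(r) for r in routes):
            uncovered.append(p)
    dns_outside = [d for d in _values(config, "DNS") if d not in corp_resolvers]
    return {"full_tunnel": full, "uncovered_corp_prefixes": uncovered,
            "dns_outside_corp": dns_outside}

if __name__ == "__main__":
    corp = ["10.1.0.0/16", "192.168.50.0/24"]
    for name, cfg in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(name, audit(cfg, corp, ["10.10.0.53"]))
```

The split-tunnel sample is flagged on two counts: a corporate prefix missing from `AllowedIPs` and a DNS resolver outside the corporate set, which is the DNS-capture problem the last reply raises.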