Question: To allow Split Tunneling or Not - that is the question ...
We're looking at rolling out Contivity Extranet Access Client 5_01.103 for our Contivity VPN. A new feature is that it can allow inverse split tunneling - allowing directly connected networks, or allowing the admin to explicitly state which networks are allowed to be split tunneled to. All others would be disallowed.
What are your thoughts? It would be very useful and convenient for our remote-based users; however, Security is balking at the "risk", which they state is there but can't seem to explicitly quantify.
What are your thoughts - to allow or not? Do you allow or not?
Thanks
Answer: To allow Split Tunneling or Not - that is the question ...
Personal opinions here only.... Not allowing split-tunneling increases the bandwidth required at the central HQ end. All traffic to/from clients goes through your Internet connection twice - if you even allow internet browsing while being connected. It also reduces usability for the clients.
As far as I understand the VPN client, if it works anything like Cisco's, the client gets an IP address and you allow split-tunneling from your corporate LAN subnet to the subnet pool that the clients are assigned, and disallow anything else.
The biggest risk is that a home user's PC will not be protected from worms/backdoors as well as your corporate net is. As soon as a VPN tunnel is established, this is a direct conduit right into your trusted network. Now you have an infected/compromised PC sitting directly on your trusted network. If split-tunneling is implemented, and the PC has direct internet access, that access could be two-way where a trojan could be activated, the PC taken over, and with a direct tunnel to you - bam! Even if you restrict traffic to/between their IP subnet and yours, if I've taken over their system, I might as well just be sitting at their keyboard. There is no further validation across the VPN tunnel as to the origination of that traffic.
On the other hand, the VPN clients do have protection against that built in. Cisco's has a version of the ZoneAlarm desktop firewall, and I'm sure that the Nortel does also have something similar. Used alongside user education of the risks, stringent policies that can be enforced to impose severe penalties on anyone not following the rules, and network access control (before being allowed access to the net, the PC is checked for latest AV update, firewall rules, etc.), terminate users in a semi-trusted DMZ network, and your risks have become so minimized that the benefits now outweigh them.