No, split tunneling need not to be risky


Split tunneling is the VPN configuration in which only traffic bound for the corporate network goes through the VPN tunnel (and therefore through the corporate firewall behind it), while traffic bound for the public internet leaves the machine directly and never touches the corporate network.



Why do we do that? Mainly for a faster internet session, especially if you are a few time zones away from the VPN concentrator and would otherwise hairpin every request through it. Another reason is that organisations do not want to be responsible for any illegal activity an employee might get up to on the public internet (e.g. downloading torrented movies) through the corporate egress.

Oh, and if you still don't know what split tunneling is, I would suggest looking that up first.

Why isn't it used more often?

Because it is considered "risky": the internet-bound traffic bypasses the corporate firewall completely, so none of the corporate controls (URL filtering, DLP, proxy logging) apply to it. Now imagine a remote user accidentally uploading confidential data to a third-party site, for example as the result of a phishing attack.

"No, if there is a risk, I won't even consider split tunneling."

If that is also your opinion, then read on.

So let's get to the root cause of why this is risky: what we actually want is to control the data egressing from the remote user's machine, and with split tunneling there is nothing on the path to do that.

Solution

How about an agent on the endpoint that inspects outgoing packets and, if they are destined for an unidentified or unknown site, validates them before they are pushed out of the machine?

I think that line already explains the idea. My ask is simple: the VPN client should expose a set of plugins, i.e. hooks that call out to other agents or executables to validate whether a destination URL or payload is acceptable before the packet leaves the host. Roughly as in the diagram below.

[image: VPN client with a plugin chain validating split-tunnel egress]


How effective and feasible is this solution?

IMO, the above requires close collaboration between the VPN solution provider and the endpoint security solution provider, and until that happens we cannot achieve it smoothly.

Another potential challenge is that heavy deep packet inspection (DPI) on the client may not be feasible, because it would consume a lot of CPU and memory. There are two ways to tackle this:

  • do only a few cheap checks inline (destination allowlist, size thresholds, a label scan of the first few KB) so that the agent stays lightweight
  • do the heavier monitoring asynchronously (non-blocking), and raise an alert afterwards if something turns out to be wrong
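To make the plugin-chain idea above concrete, here is an added example (my own sketch, not code from the original post or from any VPN vendor) of an egress filter on the endpoint. The plugin functions, the corporate CIDRs, the "known sites" allowlist, the size threshold and the sample flows are all assumed for illustration. It combines the two feasibility options: the synchronous chain only does cheap checks, and anything too expensive to inspect inline (or bound for an unknown site) is handed to a background worker that raises an alert later.

```python
"""Egress filter sketch for a split-tunnel VPN client (illustrative, not a product)."""
import ipaddress
import queue
import re
import threading
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"    # let the packet out directly (split tunnel)
    BLOCK = "block"    # drop it before it leaves the host
    TUNNEL = "tunnel"  # send it via the VPN; the corporate firewall decides
    ALERT = "alert"    # let it out now, but queue it for async inspection


@dataclass
class Flow:
    dst_host: str   # hostname from SNI / Host header (or literal IP)
    dst_ip: str
    dst_port: int
    payload: bytes = b""


# Hypothetical policy data; a real agent would pull this from management.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.100.0/24")]
KNOWN_SITES = {"mail.example-saas.com", "cdn.example-saas.com"}
MAX_INLINE_BYTES = 64 * 1024                      # bigger uploads go async
LABEL_RE = re.compile(rb"CONFIDENTIAL|INTERNAL ONLY", re.IGNORECASE)


def corporate_destination(flow):
    """Plugin 1: corporate-bound traffic always goes through the tunnel."""
    ip = ipaddress.ip_address(flow.dst_ip)
    return Verdict.TUNNEL if any(ip in n for n in CORPORATE_NETS) else None


def known_destination(flow):
    """Plugin 2: cheap allowlist lookup; unknown sites fall through."""
    return Verdict.ALLOW if flow.dst_host in KNOWN_SITES else None


def lightweight_dlp(flow):
    """Plugin 3: inexpensive inline checks on the first 4 KB only."""
    if LABEL_RE.search(flow.payload[:4096]):
        return Verdict.BLOCK
    if len(flow.payload) > MAX_INLINE_BYTES:
        return Verdict.ALERT          # too big to scan inline
    return None


def full_payload_scan(flow):
    """Heavier check run off the hot path: scans the whole payload."""
    m = LABEL_RE.search(flow.payload)
    if m:
        return f"label {m.group(0).decode()} in {len(flow.payload)}-byte upload"
    return None


class EgressFilter:
    """Runs the plugin chain synchronously; deferred flows go to a worker
    thread so the user's session is never blocked on expensive inspection."""

    def __init__(self, plugins, heavy_check):
        self.plugins, self.heavy_check = plugins, heavy_check
        self.pending, self.alerts, self._lock = queue.Queue(), [], threading.Lock()
        threading.Thread(target=self._worker, daemon=True).start()

    def decide(self, flow):
        for plugin in self.plugins:
            verdict = plugin(flow)
            if verdict is Verdict.ALERT:
                self.pending.put(flow)
                return Verdict.ALLOW  # allow now, inspect later
            if verdict is not None:
                return verdict
        self.pending.put(flow)        # unknown site, nothing obvious: allow but watch
        return Verdict.ALLOW

    def _worker(self):
        while True:
            flow = self.pending.get()
            try:
                finding = self.heavy_check(flow)
                if finding:
                    with self._lock:
                        self.alerts.append((flow.dst_host, finding))
            finally:
                self.pending.task_done()

    def drain(self):
        """Wait for the async queue to empty and return the alerts raised."""
        self.pending.join()
        with self._lock:
            return list(self.alerts)


def demo():
    """Constructed sample flows; returns (verdicts, async alerts)."""
    f = EgressFilter([corporate_destination, known_destination, lightweight_dlp],
                     full_payload_scan)
    flows = {
        "intranet": Flow("wiki.corp.internal", "10.1.2.3", 443, b"GET /"),
        "saas": Flow("mail.example-saas.com", "203.0.113.10", 443, b"POST /send"),
        "labelled": Flow("paste.unknown.example", "198.51.100.7", 443, b"CONFIDENTIAL: Q3 numbers"),
        "big": Flow("drop.unknown.example", "198.51.100.9", 443, b"x" * 100_000 + b"INTERNAL ONLY"),
        "small": Flow("blog.unknown.example", "198.51.100.11", 443, b"hello"),
    }
    verdicts = {name: f.decide(flow) for name, flow in flows.items()}
    return verdicts, f.drain()


if __name__ == "__main__":
    print(demo())
```

The trade-off the async path buys is visible in the "big" flow: the label sits past the 4 KB inline window, so the upload is allowed immediately and only the background scan catches it. That is exactly the "alert later" mode from the second bullet, which is acceptable for detection but is not prevention, so anything that must be blocked has to be caught by the cheap inline checks.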

Can SASE solve this problem altogether?

Possibly. SASE (Secure Access Service Edge) may provide such a solution, since it puts the security controls in a cloud edge that the client is steered through regardless of where the user is. But it is still new to the industry, and time will tell how effective it is at mitigating the split-tunneling risk.

I would guess SASE, or any other solution, ends up using an approach close to the one I proposed above: an endpoint agent deciding per flow what may leave directly and what must be inspected.

Thank you

I hope you had a good read and picked up some new information or ideas today.
