The Use of Split-Tunnel VPNs for Scalability Jeopardizes Enterprise Security

During the COVID-19 pandemic, many organizations transitioned some or all of their employees over to remote work. As part of this transition, companies needed a way to ensure that employees could work both securely and effectively from home.

With employees working from untrusted home networks and connecting remotely to the corporate network, connection security was (and still is) a major concern. To address this concern, many organizations required remote workers to use the corporate virtual private network (VPN) for all business traffic. This not only ensured the confidentiality of teleworkers’ network traffic but also routed all business traffic through the corporate network, where it could be inspected by the organization’s security infrastructure before reaching the public Internet.

The problem with this approach to teleworker security is that most organizations’ VPN infrastructure was not designed to support the entire workforce. However, attempts to increase VPN scalability, such as the use of split-tunnel VPNs, can compromise security. As organizations consider the possibility of extended or permanent telework for some of their workforce, exploring VPN alternatives is essential to balancing employee productivity and security.


Solving the VPN Scalability Problem with Split-Tunneling

When most people think of a VPN, they think of a full-tunnel VPN. This type of VPN routes all traffic, regardless of its destination, through the encrypted tunnel to the VPN endpoint. This type of VPN is useful since it provides a user experience identical to that of being directly connected to the network where the VPN endpoint is located. This provides easy access to internal services (such as network file shares) and ensures that all Internet-bound traffic is protected by the organization’s security infrastructure.

The problem with this approach is that most organizations’ VPN and security infrastructure were not designed to handle the volume of traffic generated by large-scale telework. As a result, user experience is degraded, and employee productivity suffers.

Split-tunnel VPNs provide a solution to these issues by routing some traffic directly to its destination, rather than over the VPN tunnel. In some cases, this may allow all Internet-bound traffic to skip the VPN connection, while, in others, only traffic intended for trusted destinations is routed directly there. For example, Microsoft recommends the use of split-tunneling for Microsoft 365 Software-as-a-Service (SaaS) applications as a means of reducing the load on corporate VPN infrastructure.

By deploying a split-tunnel VPN, an organization ensures that traffic bound for the company’s cloud-based deployment does not use up the company’s VPN and network bandwidth. As organizations are increasingly reliant upon cloud-based applications for core business functionality, removing traffic intended for them from the VPN tunnel can dramatically decrease VPN utilization.

As a result, network performance increases across the board. Traffic intended for the corporate network no longer needs to compete for network bandwidth, and cloud-bound traffic is routed directly to its destination, instead of bouncing through the corporate network en route.


Split-Tunnel VPNs Leave Teleworkers Vulnerable

The use of split-tunnel VPNs can dramatically increase the scalability of the corporate VPN infrastructure. This matters when a large percentage of employees work from home and exceed the intended maximum capacity of that infrastructure. However, split-tunnel VPNs provide this increased scalability at the cost of network security. When a teleworker is connected via a split-tunnel VPN, some fraction of their network traffic is routed directly to the public Internet, and that traffic receives no inspection from the organization’s security infrastructure.

As a result, the probability that a teleworker’s device will be infected with malware increases: malicious downloads, phishing pages and command-and-control traffic that the corporate gateway would have blocked now reach the endpoint unfiltered. Since teleworkers’ devices are less likely to conform with corporate security standards or to have corporate antivirus installed, such an infection may go undetected. From the teleworker’s machine, the infection can then spread to the enterprise network over the VPN connection itself; the tunnel authenticates the device and encrypts its traffic, but it does not vet what that traffic carries. This allows the attacker to masquerade as the employee, gain access to sensitive data, or plant additional malware within the corporate network.
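The two split-tunnel variants described above (all Internet traffic direct, or only trusted SaaS destinations direct) are decided by the client’s route table. The following is an added example, not code from the original article or from any VPN vendor: it models a host’s longest-prefix-match routing over three constructed policies and reports which destinations leave the tunnel and therefore bypass corporate inspection. The interface names, the VPN concentrator address and the SaaS prefix are constructed stand-ins drawn from the documentation address ranges, not real Microsoft 365 ranges or real vendor configuration.

```python
"""Model how a VPN client's route table decides which traffic is tunnelled.

Added example, not part of the original article. All route tables,
addresses and prefixes below are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

TUN = "tun0"    # encrypted tunnel to the corporate VPN concentrator
PHYS = "wlan0"  # the teleworker's home network interface

# Full-tunnel policy: default route via the tunnel; only the VPN
# concentrator itself is reached directly so the tunnel can be built.
FULL_TUNNEL = [
    ("0.0.0.0/0", TUN),
    ("198.51.100.10/32", PHYS),   # constructed concentrator public address
]

# Split tunnel, "trusted SaaS only" variant: default still via the tunnel,
# with an explicit exclusion for a SaaS prefix (constructed stand-in).
SPLIT_SAAS_ONLY = [
    ("0.0.0.0/0", TUN),
    ("198.51.100.10/32", PHYS),
    ("203.0.113.0/24", PHYS),     # constructed stand-in for a SaaS range
]

# Split tunnel, "all Internet direct" variant: only corporate RFC 1918
# space is tunnelled; everything else leaves the home network uninspected.
SPLIT_INTERNET_DIRECT = [
    ("0.0.0.0/0", PHYS),
    ("10.0.0.0/8", TUN),
    ("172.16.0.0/12", TUN),
]

# Constructed sample destinations: a corporate file share, the SaaS
# service, an arbitrary Internet host, and the concentrator itself.
SAMPLE_DESTINATIONS = ["10.1.2.3", "203.0.113.25", "192.0.2.77", "198.51.100.10"]


def egress_interface(routes, dst):
    """Pick the interface for dst by longest-prefix match, as a host does."""
    addr = ip_address(dst)
    best = None
    for cidr, iface in routes:
        net = ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


def uninspected(routes, destinations):
    """Destinations whose traffic bypasses the tunnel, and so bypasses
    the corporate security stack."""
    return sorted(d for d in destinations if egress_interface(routes, d) == PHYS)


def bypass_scope(routes):
    """Classify a policy by how much traffic it sends outside the tunnel.

    'all-internet': the default route leaves via the physical interface.
    'allowlist':    only specific prefixes (wider than a single host) go direct.
    'none':         at most host routes (e.g. the concentrator) go direct.
    """
    direct = [ip_network(cidr) for cidr, iface in routes if iface == PHYS]
    if any(net.prefixlen == 0 for net in direct):
        return "all-internet"
    if any(net.prefixlen < 32 for net in direct):
        return "allowlist"
    return "none"


if __name__ == "__main__":
    for name, policy in [("full tunnel", FULL_TUNNEL),
                         ("split (SaaS only)", SPLIT_SAAS_ONLY),
                         ("split (Internet direct)", SPLIT_INTERNET_DIRECT)]:
        print(f"{name:24} scope={bypass_scope(policy):13} "
              f"uninspected={uninspected(policy, SAMPLE_DESTINATIONS)}")
```

The useful check for a practitioner is `bypass_scope`: an "all-internet" result means the VPN client is only protecting access to internal resources, and every other connection from the teleworker's device is made without the inspection the article describes; an "allowlist" result limits that exposure to the named prefixes, which is the shape Microsoft recommends for its SaaS traffic.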


SASE Enables Secure, Scalable Telework

Traditional solutions for secure network connectivity, such as VPNs, do not scale well to large, remote workforces. With full-tunnel VPNs, traffic intended for cloud-based infrastructure overwhelms the VPN infrastructure, while switching to a split-tunnel model endangers the security of the teleworkers’ computers and of the enterprise network. As remote work becomes more common and more accepted, organizations must adapt by replacing legacy VPN-based infrastructure with security solutions capable of supporting the modern workforce. One solution, recommended by Gartner, is the secure access service edge (SASE).

SASE combines the advantages of several new technologies. The use of software-defined wide area networking (SD-WAN) technology enables SASE to optimally route network traffic between SASE nodes over multiple transport media. Integration of security solutions, such as a next-generation firewall (NGFW) and secure web gateway (SWG), into the same solution allows security scanning to be performed at the network edge and optimizes interaction between network and security infrastructure. Hosting these solutions on cloud-based infrastructure removes the geographic limitations of physical infrastructure – decreasing network latency – and improves solution scalability and flexibility.


Making the Move to SASE

Transitioning from a VPN-based infrastructure to SASE enables an organization to securely support a much larger remote workforce than is possible with legacy solutions. Additionally, SASE improves network performance by moving security and network routing functionality to the network edge, eliminating the need to route traffic through the enterprise network and increasing the performance and productivity of the remote workforce.

