SPLIT TUNNEL
Split tunneling is a VPN gateway feature in which the administrator decides which traffic the client pushes through the VPN tunnel, while everything else goes straight out to the Internet (non-tunneled). As a simple example, suppose your corporate network uses the following IP space:
10.1.1.0/24
10.1.2.0/24
10.1.3.0/24
and the VPN gateway admin decides that the VPN client should reach these networks through the tunnel, but that everything else (such as Internet-destined traffic) does not need to be hauled through the corporate network. At connect time the VPN client receives a policy that updates the client's routing table, adding a route for each of these three networks via the tunnel interface. Because those routes are more specific than the client's existing default route, traffic destined for any of the three networks is sent into the tunnel; traffic to any other destination keeps matching the default route and goes directly out of the physical interface.
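To make the routing-table behaviour concrete, here is an added example (not code from the original post) that models what the client ends up with after the policy is applied: a default route on the physical interface plus the three pushed /24s on the tunnel, resolved by longest-prefix match. The interface names tun0 and eth0, the sample destinations, and the list of "corporate hosts" checked for leaks are all assumptions for illustration. It also shows the failure mode a practitioner cares about: a corporate host that sits outside the pushed prefixes silently takes the direct path.

```python
import ipaddress

# Assumed interface names for illustration only.
TUNNEL_IF = "tun0"
PHYSICAL_IF = "eth0"

# The three prefixes from the text, as the policy the gateway pushes at connect time.
CORPORATE_PREFIXES = [
    "10.1.1.0/24",
    "10.1.2.0/24",
    "10.1.3.0/24",
]


def build_routing_table(tunnel_prefixes, tunnel_if=TUNNEL_IF, physical_if=PHYSICAL_IF):
    """Return a list of (network, interface) entries, most specific first.

    The client already has a default route (0.0.0.0/0) out of its physical
    interface; the split-tunnel policy adds one more specific route per
    corporate prefix that points at the tunnel interface. Only IPv4 is
    modelled here.
    """
    table = [(ipaddress.ip_network("0.0.0.0/0"), physical_if)]
    for prefix in tunnel_prefixes:
        table.append((ipaddress.ip_network(prefix), tunnel_if))
    # Longest prefix first, so the first containing entry is the winner.
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def next_hop_interface(table, dst):
    """Longest-prefix match: the first entry whose network contains dst wins."""
    addr = ipaddress.ip_address(dst)
    for net, iface in table:
        if addr in net:
            return iface
    # Only reachable for address families with no default route (e.g. IPv6 here).
    raise ValueError("no route to %s" % dst)


def classify(table, destinations):
    """Map each destination to the interface it would leave by."""
    return {dst: next_hop_interface(table, dst) for dst in destinations}


def find_leaks(table, corporate_hosts, tunnel_if=TUNNEL_IF):
    """Return corporate hosts that would NOT go through the tunnel.

    This is the check to run after building a split-tunnel policy: any
    internal host outside the pushed prefixes is reached over the plain
    Internet path (and, for RFC 1918 space, usually not reached at all).
    """
    return [h for h in corporate_hosts if next_hop_interface(table, h) != tunnel_if]


if __name__ == "__main__":
    table = build_routing_table(CORPORATE_PREFIXES)
    # Constructed sample destinations: two corporate, one public, one corporate
    # host outside the pushed ranges.
    print(classify(table, ["10.1.2.77", "10.1.3.1", "93.184.216.34", "10.1.4.10"]))
    print("leaks:", find_leaks(table, ["10.1.1.53", "10.1.4.10"]))
```

The routing table here is a simplification of the OS's (no metrics, no gateways), but it captures the one rule that makes split tunneling work: the pushed routes win only because they are more specific than the default route, and anything not covered by them never enters the tunnel.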
There are advantages and disadvantages to split tunneling. The advantage is performance: Internet connections (or traffic to any network not in the policy) go direct, and there is less overhead because less traffic has to traverse the tunnel and the corporate network. The disadvantage is that the IT admin cannot inspect, scrub or filter that direct traffic for potentially harmful content (assuming the devices that perform those functions sit on the corporate network). Another disadvantage is that users cannot be forced through an internal proxy that authenticates them before granting Internet access, so the company's defined security policy no longer governs the user's Internet experience. A related caveat: a split-tunneled client is attached to the Internet and to the corporate network at the same time, so a compromised client can act as a bridge between the two, and name resolution needs care as well, since DNS queries that leave by the physical interface bypass the same controls.