How to minimize the risks of split tunnel VPNs

Split tunnel virtual private networks have some advantages for supporting remote workers connecting to a Windows network, but they come with risks. Here's how to best protect your network.


Many of you are supporting home computers or corporate laptops remotely connected over a virtual private network (VPN) using Remote Desktop. Microsoft recently provided guidance to use a technique called split tunnel VPN. Microsoft is also trialing the Office 365 Network Onboarding Tool to check your connectivity and setup with Office 365. You indicate your physical location and then enter your tenant’s name to download the tool. You will need to install .NET Core 3.1.3 to complete the advanced test. Once completed, it will report on your use of VPNs, proxies or other connectivity. It will also report on split tunnel VPN use.

Split tunnel VPN security concerns

I see near religious arguments over the use of split tunnel VPNs. Some argue they provide the ability to place the network traffic that is used for maintenance (Windows updating, installation of Click to Run Office 365) over the users’ local connection without introducing more risk. Others say that unless you ensure that all traffic is across the corporate VPN, you can’t inspect the traffic to keep the firm secured.

VPN security concerns come down to how you connect the client or workstation to the network. If you connect a remote client to your network using virtual private networking and do not limit or restrict the client workstation, an infected machine can introduce risks and malware to your network.

Limiting split tunnel VPN security risks

To limit this risk, first evaluate the options your VPN software provides. Multiple VPN solutions might connect remotely to your network: software-based VPNs, often in the form of the native Microsoft VPN software that ships with every version of Windows, or VPN solutions in your firewall hardware. Ask your firewall vendor what options you have to review VPN traffic.

Others argue that anytime you connect any workstation to your corporate network, you need to ensure that the machine is patched to a certain level, has up-to-date antivirus and definitions, and follows other health guidance that your organization requires.

Microsoft provides tools such as Network Access Protection for Windows 7 platforms that allow you to set a policy so that machines can only connect to the network if they meet certain minimum standards. For example, you can set up a Network Policy Server (NPS) to ensure that workstations are up to date on patches, have a certain antivirus version or definitions, or meet other security policies you deem appropriate.

You then set the Network Access Protection (NAP) to allow workstations to connect only if they meet these minimums. For Windows 10 you can use many of the NPS tools in place of NAP. You can also use tools like System Center Configuration Manager (SCCM) or Intune for Windows 10. Alternatively, look again at your firewall vendor to review what options it provides to check the health of Windows 10 clients before they enter your network. You might also look at PacketFence, an open-source platform that provides a health review of clients before they connect to your network.

For firms that use Intune, you can use conditional access policy rules to determine if your Windows 10 machines are healthy enough to connect to your network. For example, with conditional access policy rules and config manager you can have the system review whether the computer has the following enabled:

  • BitLocker, to provide encryption for all data stored on the Windows operating system volume.
  • Code Integrity, to validate the integrity of a driver or system file each time it is loaded into memory.
  • Early-launch antimalware (only applies to PCs), to protect computers when they start up and before third-party drivers initialize.
  • Secure boot, to make sure that a PC boots with only software that is trusted by the PC manufacturer.
[Figure: Setting device health policies]
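The four conditions listed above are what the compliance policy evaluates on the device; the following PowerShell script, added here as an example and not part of the original article or any Microsoft tooling, checks the same four conditions locally on a Windows 10 client so an administrator can see what a device would report before it is allowed on the VPN. It assumes the Windows-documented CIM classes Win32_DeviceGuard and Win32_SystemDriver, the BitLocker and SecureBoot PowerShell modules, and that Microsoft Defender's ELAM driver is named WdBoot.

```powershell
# Added example: local pre-connection health check for the four conditions
# (BitLocker, Code Integrity, ELAM, Secure Boot). Run elevated on Windows 10.
# Assumption: CIM class names and the Defender ELAM driver name 'WdBoot'
# come from Windows documentation, not from this article.

function Test-BitLockerOsVolume {
    # 'On' means the OS volume is fully protected; needs the BitLocker module.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    return ($null -ne $os -and $os.ProtectionStatus -eq 'On')
}

function Test-CodeIntegrity {
    # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit only, 2 = enforced.
    # Used here as a proxy for the "Code Integrity" health signal.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    return ($null -ne $dg -and $dg.CodeIntegrityPolicyEnforcementStatus -eq 2)
}

function Test-EarlyLaunchAntimalware {
    # Defender's ELAM driver is a boot-start kernel driver named WdBoot.
    # Third-party antivirus registers its own ELAM driver; assumption:
    # extend the filter with your vendor's driver name if you use one.
    $elam = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='WdBoot'" `
                            -ErrorAction SilentlyContinue
    return ($null -ne $elam -and $elam.StartMode -eq 'Boot')
}

function Test-SecureBoot {
    # Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as off.
    try { return [bool](Confirm-SecureBootUEFI) } catch { return $false }
}

$checks = [ordered]@{
    'BitLocker (OS volume)'    = Test-BitLockerOsVolume
    'Code Integrity enforced'  = Test-CodeIntegrity
    'Early-launch antimalware' = Test-EarlyLaunchAntimalware
    'Secure Boot'              = Test-SecureBoot
}

$failed = @()
foreach ($name in $checks.Keys) {
    $ok = $checks[$name]
    Write-Host ("{0,-26} {1}" -f $name, $(if ($ok) { 'PASS' } else { 'FAIL' }))
    if (-not $ok) { $failed += $name }
}

# A non-zero exit code lets a VPN pre-connect hook or endpoint agent block the session.
if ($failed.Count -gt 0) { exit 1 } else { exit 0 }
```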

Alternatively, internal intrusion detection system (IDS) and intrusion prevention system (IPS) tools can inspect your traffic, review what is coming in and out of your network, and limit workstation access to specific resources. Security modules such as Carbon Black Endpoint Response, Wazuh, OSSEC or even Malwarebytes with Suspicious Activity modules can work with split tunnel setups.

If you have corporate assets at work-from-home locations, have corporate endpoint agents installed on the remote machines so you can monitor or patch them whether they are on or off the VPN. If you must resort to employees using their home computers, you may wish to set up a Remote Desktop Session Host (RDSH) server and offer virtual desktops instead of allowing personal devices to connect to your network via VPN.

Should you be concerned about split tunnel VPNs? Yes, but you should be just as concerned about any resource connecting to your network. Make sure you can review the traffic and react to any threats coming into your network.

Copyright © 2020 IDG Communications, Inc.
