Split Tunneling: What is it?

What is split tunneling? For that matter, what is tunneling? Tunneling is the term IT people use for packaging (encapsulating) data so it can be carried across the Internet; a VPN tunnel adds encryption and authentication to that packaging. Please refer to the 'Romantic' view of how a VPN works. As you can see, the 'tunnel' is a path through the Internet. You can also see the green lines on either side that connect the PCs to the VPN devices. These green lines represent a protected or 'trusted' network. The encrypted tunnel extends the protected networks on either side through the red, untrusted Internet. In many diagrams the lines drawing the tunnel are dotted.

This is a hint that the 'tunnel' is not an accurate picture of reality and is only intended as a representation. Still, it provides a clean and simple ten-thousand-foot view of what is going on. The second diagram is a more realistic view. Note that there is no 'tunnel'. The Internet is built the way it is built, and there is no way to get from point A to point B without passing through all the junctions that make it up. The Internet is a collection of connected networks and routing equipment, nothing more, and none of it can be trusted. What is really happening is that plain data, represented by the open letters, is sent through a VPN device in order to cross the Internet.

The VPN device knows where the data (the letter) is going and packages and encrypts it accordingly (the letter goes into an envelope). The VPN device is configured with knowledge of the other VPN device in the form of a common set of encryption, authentication, and IP addressing rules. These rules shape the envelope into something the other end will accept and decrypt correctly. The encrypted data bounces around the Internet from point A to point B just like any other data would; the only difference is that the untrusted junctions along the way see it only as ciphertext. When the package reaches the point B VPN device, that device unpacks the letter, decrypts it, and forwards it to the recipient.

So a 'tunnel' is a clean way to represent the transmission of encrypted data from point A to point B.

Now, to move on to split tunnels, imagine that one of the two ends in the picture above is a PC in someone's home running a VPN software client rather than a VPN appliance (VPN device). Split tunneling can happen with VPN hardware appliances too, but it is less common; you would have to go out of your way to configure it.

A VPN client on a laptop or home PC, however, is a prime candidate for split tunneling. In this diagram a home user runs a VPN software client that connects to the corporate network via the VPN device at the corporate site. This is set up much like the previous diagram; the only difference is that software rather than hardware creates the VPN. The home user can reach corporate resources through the VPN 'tunnel' and, at the same time, can browse web sites and shop online directly through the local Internet connection.

The problem is that the home user is now connected directly to the public Internet and to the private corporate network simultaneously. What if the home PC is compromised and someone plants a virus or a Trojan horse on it, or worse, takes direct control of it? That PC is now directly connected to, and trusted by, the corporate network. A home PC is not protected the way the corporate network is. A system of firewalls and intrusion detectors worth hundreds of thousands of dollars protects the corporate network. What protects the home PC? Nothing?

A split tunnel exists on a PC that has a VPN tunnel to the corporation and a usable local Internet connection at the same time. The 'split' refers to the fact that only part of the PC's traffic goes through the VPN: the client's routing table sends corporate destinations into the tunnel interface and everything else out the local interface. If the PC were allowed to reach only the VPN (the corporate network), the tunnel would not be split.

The way to 'un-split' the VPN tunnel is to make sure that 100% of the traffic from the home user goes through the VPN to the corporation when the VPN client is active, and that 100% of it goes to the Internet when the client is off. This way, if the PC is compromised, an attacker with a live remote session is 'knocked off' when the VPN comes up and cannot act against the corporate network interactively. Of course, viruses and other malware already planted on the home PC will still be there, and they can ride the tunnel once it is up; a full tunnel does nothing about that, but neither do non-VPN technologies. At the very least, you are not leaving the door wide open for an attacker to walk in.

Why would people use split tunnels? Perhaps the corporation wants to let people use the Internet and the corporate network at the same time. The only secure way to do this is to force every home user through the VPN and have them surf the Internet from the corporate Internet connection. That may not be feasible: home users come in over the Internet (through the VPN) and then go back out the same corporate connection to surf. It doubles the load on the corporate Internet connection, and it is wasteful and slow. To do it the other way, the corporation would have to train everyone even more thoroughly on how and when to use the VPN client, so that users know when to turn it on and when to shut it off. Even so, there would be many calls to the help desk. Some corporations find it easier to just let users split tunnel.

They configure the VPN client to send only corporate-bound data through the VPN and let users surf the Internet from home at the same time. This cure will prove poisonous the first time an attacker uses a compromised home PC to reach the corporate servers that user had access to.
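The difference between the split configuration just described and the 'un-split' full tunnel from the previous section comes down to the client's routing table. The following script is an added example, not code from the original article: it parses constructed Linux `ip route show` output and applies longest-prefix matching to a few probe addresses to see which interface each would leave through. It also shows why checking only the `default` line is not enough: a full tunnel installed the way OpenVPN's `redirect-gateway def1` does it leaves the original default route in place and overrides it with two more specific /1 routes. Interface names, prefixes and addresses (tun0, wlan0, 10.20.0.0/16, 203.0.113.10) are assumptions chosen for illustration.

```python
"""Detect whether a VPN client is split-tunneled from its routing table.

Added example; not code from the original article. Parses constructed
`ip route show` output (Linux format) and uses longest-prefix matching on
probe addresses to find the exit interface. All names and addresses are
illustrative assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str]  # next hop, or None for a directly connected route


def parse_ip_route(text: str) -> list[Route]:
    """Parse lines like 'default via 192.168.1.1 dev wlan0' or '10.20.0.0/16 dev tun0'."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        prefix = ipaddress.ip_network(dest, strict=False)  # bare host becomes /32
        dev = parts[parts.index("dev") + 1] if "dev" in parts else "?"
        via = parts[parts.index("via") + 1] if "via" in parts else None
        routes.append(Route(prefix, dev, via))
    return routes


def exit_dev(routes: list[Route], ip: str) -> Optional[str]:
    """Longest-prefix match, the same rule the kernel uses to pick a route."""
    addr = ipaddress.ip_address(ip)
    best = max((r for r in routes if addr in r.prefix),
               key=lambda r: r.prefix.prefixlen, default=None)
    return best.dev if best else None


# Constructed probe set: two public Internet addresses and one corporate host.
INTERNET_PROBES = ("1.1.1.1", "198.51.100.7")
CORP_PROBE = "10.20.5.25"


def classify(routes: list[Route], vpn_dev: str = "tun0") -> dict:
    """Return the tunnel mode plus the Internet probes that bypass the VPN interface."""
    leaks = [ip for ip in INTERNET_PROBES if exit_dev(routes, ip) != vpn_dev]
    corp_ok = exit_dev(routes, CORP_PROBE) == vpn_dev
    if not corp_ok:
        mode = "vpn-down"  # corporate prefix does not go into the tunnel at all
    elif leaks:
        mode = "split"     # corporate traffic tunneled, Internet traffic exits locally
    else:
        mode = "full"      # every probe exits through the tunnel
    return {"mode": mode, "bypassing_vpn": leaks}


# Constructed table 1: classic split tunnel. Only the corporate prefix is
# routed into tun0; everything else follows the home router.
SPLIT_TABLE = """\
default via 192.168.1.1 dev wlan0
10.20.0.0/16 dev tun0 scope link
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42
"""

# Constructed table 2: full tunnel as `redirect-gateway def1` installs it.
# The original default route stays, but the two /1 routes via tun0 are more
# specific and win for every address. Only the host route to the VPN server
# (203.0.113.10) still exits wlan0, which the tunnel itself needs.
FULL_TABLE = """\
default via 192.168.1.1 dev wlan0
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
203.0.113.10 via 192.168.1.1 dev wlan0
10.20.0.0/16 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42
"""

if __name__ == "__main__":
    for name, table in (("split", SPLIT_TABLE), ("full", FULL_TABLE)):
        print(name, classify(parse_ip_route(table)))
```

On a real client, feed it the output of `ip route show` instead of the constructed tables. A result of `split` with addresses listed under `bypassing_vpn` is exactly the condition the article warns about: the PC is simultaneously on the corporate network and the open Internet.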