WFH: Security Implications and Considerations of VPN Split-Tunneling

No Gravatar

Cyber-security underpins many facets of our life.  The COVID-19 pandemic that has affected the world is forcing large enterprises and other organizations to quickly cobble together solutions that will enable their employees to keep working from home (WFH).  In many instances, there has been a rapid scale up of WFH employees from a “normal” average of VPN-ed users of around 5% / day, to now the opposite, where the number jumped to 95% users / day.  This surge of WFH network traffic has the pandemic revealing legacy VPNs’ stress points and limitations. As a result, many VPN infrastructures are overwhelmed; leaving many employees to enjoy “paid vacations” as they are unable to access the data and documents needed to carry out their jobs properly.

To ease the pressure on the VPN bottleneck,  many organizations are forced to use the approach of “split-tunneling”, to prevent service outages and performance degradations.  The concept of split-tunneling is simply this – the VPN client installed on the WFH employees’ devices will only direct traffic that is bound for internal business applications through the VPN tunnel while other traffic would always go directly out through the WFH’s home Internet connection.  The reasoning is simple – for example, if an organization’s egress bandwidth to the Internet is 100Mbps, were split tunneling not deployed, the same organization might require 200Mbps to support this new WFH model.  

The rationale is hence business-driven: “split-tunneling”, that many organizations are using, lightens the load on the infrastructure currently in place; without which, supporting this new WFH norm might not be possible.  However, doing so has introduced very severe cyber-security vulnerabilities.

Unlike in a corporate setting, where organizations have spent a lot of money implementing solutions like EDR / MDR/ Sandboxes, Network Traffic Analyzers, Firewalls, NGFW, etc., in a WFH environment, most home users do not have these security pieces in place.  Many do not even have a decent firewall protecting their home networks.  Thus, when split-tunneling is utilized, where the users’ normal, non-business traffic, such as web-browsing, access to external applications, etc. are NOT sent through the VPN tunnel, this traffic is left open and exposed to all of the security vulnerabilities that come with unsecured internet access .  The non-VPN traffic thus leaves these devices and endpoints open to whatever malware is out there.  

As observed by many industries and government agencies, there are lots of new threats ranging from COVID-19-themed ransomware attacks, weaponized URLs, and scam campaigns designed to steal employee credentials or compromise assets almost indiscriminately.  Any of these could quickly and easily lead to severe cybersecurity breaches.

Thus the dilemma we are facing is: Should organizations enable more workers to utilize the limited resources through split-tunneling even though it introduces severe cyber-security vulnerabilities?

Unfortunately, during this highly stressful time, most organizations are simply happy to accept whatever reliable connectivity that they can access, and in so doing, possibly compromising their corporate security posture in the process.  The upside is that they have connectivity for their growing numbers of WFH employees; the downside is that they are without proper security in place to protect those WFH employees who are working outside the protection of the corporate fortress.  To add to this, by using methods such as split-tunneling they may not actually be in compliance with regulations meant to protect their businesses.

We believe that enterprises and government agencies that are currently facing the challenges of increasing their remote and WFH users should reconsider this split-tunneling setup so as to avoid leaving WFH computing devices unprotected. 

There are several strategies to consider:

  • First, you may consider directing all internet traffic of your WFH devices through the corporate VPN tunnel;
  • Second, if it is not feasible to tunnel all traffic, you should at least identify those VIP computing devices, such as those containing or accessing highly confidential information, and have their traffic fully tunneled;
  • Third, deploy real-time threat prevention solutions at the cloud end of your VPN infrastructure. For example, you should consider installing a network-based anti-malware solution such as the Wedge Absolute Real-time Protection (WedgeARP) platform. With its built-in automated AI and Machine-learning, WedgeARP can detect and block all malware (even zero-day and never-before-seen malware) in real-time;
  • Fourth, consider using a public cloud facility, such as Microsoft Azure or Amazon AWS, as an overflow buffer for your VPN infrastructure.  For government agencies, healthcare, and financial institutions, you need to make sure such public cloud services are certified with all of the required GRC compliances.

To learn more about these strategies, feel free to contact us at: info@wedgenetworks.com


About Wedge Co-founder, CEO & CTO

Hongwen Zhang, Co-founder, Chief Executive Officer & Chief Technical Officer Co-founder of Wedge Networks, Inc., Dr. Zhang previously co-founded the 24C Group Inc., which pioneered the first digital receipts infrastructure for secure electronic commerce, and was a principal of Servidium Inc., a global leader in agile development methodology. He holds a Ph.D. in Computer Science and a M.Sc. in Computer Engineering. Throughout his 25+ years career and leadership in the enterprise software industry, Dr. Zhang has been instrumental in launching several commercially successful cyber security and safety products into the global market. This has resulted in successful customer adoptions; from his involvement in the Digital Receipt Infrastructure (with the 24C Group, and later AxWay), through his work with companies such as Valmet/Telvent (now Schneider), and Servidium (acquired by Thought Works Inc.). Dr. Zhang served as the Chair of the Metro Ethernet Forum’s (MEF) Security-as-a-Service working group, which defined the practices of Managed Security Service Providers (MSSPs) for many of the largest telecom service providers in the world. He is a well-respected speaker and writer in the areas of security and cloud computing. As a co-founder of Wedge Networks, Dr. Zhang has led the design, implementation, and launch of the firm’s patented, award-winning Deep Content Inspection and Security Services Orchestration platform.
This entry was posted in Industry News, Latest Security News, Wedge News and tagged , , , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Before you submit form:
Human test by Not Captcha