Split tunneling

Split tunneling is a computer networking concept which allows a VPN user to access a public network (e.g., the Internet) and a local LAN or WAN at the same time, using the same physical network connection. This is usually implemented by a program such as a VPN client software application, which decides per destination whether traffic enters the tunnel.

For example, suppose a user utilizes a remote access VPN software client to connect to a corporate network over a hotel wireless network. With split tunneling enabled, the user is able to reach file servers, database servers, mail servers and other servers on the corporate network through the VPN connection. In contrast, when the user connects to Internet resources (Web sites, FTP sites, etc.), the connection request does not go through the VPN link; it goes through the wireless connection and out the gateway provided by the hotel network.

Advantages

An advantage of using split tunneling is that it alleviates bottlenecks and conserves bandwidth as Internet traffic does not have to pass through the VPN server.

Disadvantages

A disadvantage of this method is that it essentially renders the VPN vulnerable to attack: the same endpoint is reachable from the public, non-secure network while it holds a connection into the corporate network. When split tunneling is enabled, users also bypass gateway-level security controls that might be in place within the company infrastructure. For example, web or content filtering is usually enforced at the gateway, not on the client PC, so split-tunneled Internet traffic is never subject to it.

Trust Issues

There are many variants of split tunneling that attempt to address this fundamental trust issue. Often, when plain split tunneling is enabled, datagrams by default go out through the local network interface's default gateway; only datagrams destined for IP networks behind the VPN terminator go through the tunnel. This violates the principle of least privilege, since the endpoint retains unrestricted access to the untrusted network while it also holds access to the corporate one.

Variants and Related Technology

A variant of this split tunneling is called "inverse" split tunneling. By default all datagrams enter the tunnel except those whose destination IPs are explicitly allowed by the VPN gateway. The criteria for allowing datagrams to exit via the local network interface (outside the tunnel) may vary from vendor to vendor (i.e., port, service, etc.). This keeps control of network gateways with a centralized policy device such as the VPN terminator. It can be augmented by endpoint policy enforcement technologies such as an interface firewall in the endpoint device's network interface driver, a group policy object or an anti-malware agent.
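The following is an added example (not from the original article) that models plain and inverse split tunneling as the routing tables they actually produce on the client, and then lists which destinations escape gateway-level filtering in each mode. All prefixes and sample destinations are constructed for illustration; "local" and "tunnel" stand for the local interface's default gateway and the VPN tunnel interface.

```python
import ipaddress

# Constructed example prefixes (not from the article). IPv4 only.
CORP_NETS = ["10.0.0.0/8", "172.16.0.0/12"]   # networks behind the VPN terminator
LOCAL_EXCEPTIONS = ["203.0.113.0/24"]         # gateway-published "may leave locally" list
DEFAULT = "0.0.0.0/0"


def build_table(mode):
    """Return the client routing table as a list of (network, next_hop).

    plain   : default route stays on the local interface; only corporate
              prefixes are injected pointing into the tunnel.
    inverse : default route is moved into the tunnel; only gateway-approved
              exception prefixes are pointed back at the local interface.
    full    : no split at all, everything enters the tunnel.
    """
    if mode == "plain":
        routes = [(DEFAULT, "local")] + [(n, "tunnel") for n in CORP_NETS]
    elif mode == "inverse":
        routes = [(DEFAULT, "tunnel")] + [(n, "local") for n in LOCAL_EXCEPTIONS]
    elif mode == "full":
        routes = [(DEFAULT, "tunnel")]
    else:
        raise ValueError(f"unknown split tunneling mode {mode!r}")
    return [(ipaddress.ip_network(n), hop) for n, hop in routes]


def next_hop(table, dst):
    """Longest-prefix match, the way a kernel forwarding lookup selects a route."""
    addr = ipaddress.ip_address(dst)
    candidates = [(net, hop) for net, hop in table if addr in net]
    if not candidates:
        raise ValueError(f"no route for {dst} (table is IPv4 only)")
    net, hop = max(candidates, key=lambda r: r[0].prefixlen)
    return hop


def bypasses_gateway_policy(mode, destinations):
    """Destinations whose traffic never reaches the corporate gateway's
    filtering, i.e. the bypass the Disadvantages section describes."""
    table = build_table(mode)
    return [d for d in destinations if next_hop(table, d) == "local"]


SAMPLE = ["10.20.30.40", "172.20.1.5", "198.51.100.7", "203.0.113.9"]  # constructed

if __name__ == "__main__":
    for mode in ("plain", "inverse", "full"):
        print(f"{mode:8s} unfiltered: {bypasses_gateway_policy(mode, SAMPLE)}")
```

In plain mode every non-corporate destination leaves locally; inverse mode narrows the bypass to the gateway's explicit exception list, which is the policy-centralization the text describes.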

This is related in many ways to network access control (NAC).



Wikimedia Foundation. 2010.
