Microsoft Windows Server 2003 - Avoid Using Split Tunneling In Your VPN Connections
Operating System(s): Microsoft Windows 2000/XP Professional
Virtual private networking (VPN) protocols allow users to establish a secure tunnel to your internal corporate LAN through the internet. However, a VPN feature called split tunneling can pose a threat to the security of your internal network.
Split tunneling allows the user to connect directly to the internet, surfing the web and accessing other internet resources at the same time he or she is connected to the corporate network through the VPN. This saves bandwidth, since he or she doesn't have to go through the VPN server for internet access.
However, an attacker who takes control of the remote computer over the internet can then reach the internal network through the VPN connection the user has open to the LAN. Because of this possibility, VPN users should be required to have personal firewalls installed on all remote computers that connect to the LAN via a VPN. This can be enforced by policy-based VPN client management such as the VPN-Quarantine (VPN-Q) feature of Microsoft ISA Server 2004 or the managed client software provided by some third-party firewall vendors.
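On Windows 2000/XP/2003 clients the split-tunneling decision is the "Use default gateway on remote network" checkbox in the VPN connection's TCP/IP settings, which the RAS phonebook (rasphone.pbk) stores as the IpPrioritizeRemote key (1 = all traffic goes through the tunnel, 0 = split tunneling). The script below is an added example, not part of the original tip or of any Microsoft tool: it parses a phonebook file and reports every entry configured for split tunneling, so an administrator can audit client machines for the setting the article warns about. The key name, the phonebook paths in the comments and the sample phonebook text are the author's assumptions and constructed data; verify the path and key against your own clients before relying on the output.

```python
"""Audit a Windows RAS phonebook (rasphone.pbk) for split-tunneling VPN entries.

Added example; the IpPrioritizeRemote key and the phonebook locations below
come from general knowledge of RAS phonebooks, not from the tip above.
"""
import configparser
import sys

# Assumed phonebook locations on Windows XP / Server 2003 (adjust for your hosts):
#   per-user : %APPDATA%\Microsoft\Network\Connections\Pbk\rasphone.pbk
#   all users: %ALLUSERSPROFILE%\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk

# Assumed key: 1 = "Use default gateway on remote network" checked (no split tunnel),
#              0 = unchecked (split tunneling enabled).
SPLIT_KEY = "IpPrioritizeRemote"

# Constructed sample phonebook (not copied from any real system).
SAMPLE_PBK = """\
[Corp VPN]
MEDIA=rastapi
Device=WAN Miniport (PPTP)
IpPrioritizeRemote=1
Type=2

[Corp VPN (split)]
MEDIA=rastapi
Device=WAN Miniport (L2TP)
IpPrioritizeRemote=0
Type=2

[Legacy VPN]
MEDIA=rastapi
Device=WAN Miniport (PPTP)
Type=2
"""


def parse_phonebook(text):
    """Parse INI-style phonebook text into {entry name: {key: value}}.

    strict=False tolerates duplicate keys, interpolation=None keeps '%' literal,
    allow_no_value tolerates bare keys; optionxform=str preserves key case.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def classify_entry(entry):
    """Return 'full-tunnel', 'split-tunnel', or 'unknown' (key absent) for one entry."""
    value = entry.get(SPLIT_KEY)
    if value is None:
        return "unknown"
    return "full-tunnel" if value.strip() == "1" else "split-tunnel"


def audit_phonebook(text):
    """Map every phonebook entry name to its tunneling classification."""
    return {name: classify_entry(entry) for name, entry in parse_phonebook(text).items()}


def split_tunnel_entries(text):
    """Sorted names of entries that have split tunneling enabled."""
    return sorted(name for name, status in audit_phonebook(text).items()
                  if status == "split-tunnel")


if __name__ == "__main__":
    # Usage: python audit_pbk.py [path\to\rasphone.pbk]; without a path the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            pbk_text = fh.read()
    else:
        pbk_text = SAMPLE_PBK
    for name, status in audit_phonebook(pbk_text).items():
        flag = "  <-- split tunneling enabled" if status == "split-tunnel" else ""
        print(f"{name}: {status}{flag}")
```

Entries reported as "unknown" lack the key entirely and should be checked by hand in the connection properties; the "split-tunnel" entries are the ones where a compromised remote host would have a direct internet path alongside the corporate tunnel, which is exactly the exposure a personal firewall or VPN quarantine policy is meant to contain.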