Client VPN Tunnelling Options - VPN Tutorial



There are generally three tunnelling options when establishing a connection from a remote client, as detailed below:

Tunnel everything

Tunnelling everything, also known as a VPN forced tunnel, means that all traffic leaving the client is encrypted and sent through the IPsec tunnel. This includes absolutely everything, including general internet traffic and any cloud services.

Tunnel everything apart from the local area network

With this option everything is encrypted and sent through the VPN tunnel, except traffic for the client's own local network, such as a printer on a home network, which stays local.

Split Tunnelling

In this setup, only traffic destined for your organisation's corporate resources is encrypted and sent over the VPN tunnel between the client and the corporate VPN device. Any other traffic, such as general web browsing, goes directly to the internet without traversing a VPN device, and this is where the name split tunnelling comes from.

Because internet traffic leaves the device directly, performance and response times improve, and the end user is not consuming the organisation's internet bandwidth. However, split tunnelling does introduce security concerns. The remote device's internet traffic is no longer inspected by the corporate gateway, and while the tunnel is up the device is connected to both the open internet and the corporate LAN at the same time, which creates a pathway from the internet into the corporate LAN via the remote user's laptop. If that device has been compromised, an attacker can use it as a pivot into the corporate LAN over the established tunnel.

Historically the default setting, and the most secure option, has been to tunnel all traffic through the corporate VPN device. This comes at a performance cost: every packet is encapsulated with the usual IPsec headers and carried through the tunnel to the corporate VPN gateway, and the gateway then applies its layers of security controls, such as web filtering, anti-virus scanning and inspection for sensitive data leakage, before the traffic reaches the internet. Users therefore experience slower connections, and full tunnelling has slowly become a less favoured option.

Split Tunnelling and Cloud Services

Today, with the growth of cloud services, tunnelling all traffic is becoming an issue, as customers experience performance delays, especially with performance-sensitive cloud applications whose traffic is hairpinned through the corporate gateway. For this reason split tunnelling is becoming the preferred choice.

Split Tunnelling with Exceptions

Organisations with stricter requirements, which still want to force as much traffic as possible over the VPN tunnel, can implement an alternative: specific traffic is allowed to connect directly to particular addresses, such as a trusted cloud service, while everything else still routes over the VPN tunnel. This option provides great flexibility and offers the best of both worlds, a balance between security and performance. The excepted destinations bypass the gateway's security controls, so the list should be kept to services the organisation trusts, and because cloud providers' address ranges change over time, exceptions defined by IP prefix need to be maintained rather than set once.
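To make the four options concrete, here is an added example, not code from the original tutorial or from any vendor's VPN client, that reads a Linux client's routing table in the `ip route show` text format and reports which option is in effect and which destinations bypass the tunnel. The interface names tun0 and wlan0, the gateway 192.168.1.1, the VPN device address 203.0.113.10, the corporate prefixes 10.0.0.0/8 and 172.16.0.0/12 and the cloud prefix 198.51.100.0/24 are assumptions, and the route tables are constructed samples. It goes slightly beyond the text by applying the kernel's longest-prefix, lowest-metric selection rule, which is what actually decides the path each packet takes.

```python
"""Classify a VPN client's tunnelling option from its Linux routing table.

Added example for this tutorial, not code from any vendor's VPN client.
It parses the text format of `ip route show` and applies the kernel's
selection rule (longest prefix, then lowest metric), so a practitioner can
check which destinations cross the tunnel and which go direct.  Interface
names, addresses and prefixes are assumptions; the tables are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

TUNNEL_DEV = "tun0"           # assumed VPN virtual interface
VPN_GATEWAY = "203.0.113.10"  # assumed public address of the corporate VPN device

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str]   # next-hop gateway; None for a directly connected route
    metric: int

def parse_ip_route(text: str) -> List[Route]:
    """Parse lines shaped '<dst|default> [via GW] dev IF [... metric N]'."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        dst = "0.0.0.0/0" if tok[0] == "default" else tok[0]  # bare host -> /32
        via = tok[tok.index("via") + 1] if "via" in tok else None
        dev = tok[tok.index("dev") + 1]                         # dev is always printed
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok else 0
        routes.append(Route(ipaddress.ip_network(dst, strict=False), dev, via, metric))
    return routes

def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Kernel-style selection: longest prefix wins, lowest metric breaks ties."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.metric)) if matches else None

def path_for(routes: List[Route], dst: str, tunnel_dev: str = TUNNEL_DEV) -> str:
    """'tunnel' if dst is sent via the VPN interface, 'direct' if it bypasses it."""
    r = lookup(routes, dst)
    if r is None:
        return "unreachable"
    return "tunnel" if r.dev == tunnel_dev else "direct"

def classify(routes: List[Route], tunnel_dev: str = TUNNEL_DEV,
             vpn_gateway: str = VPN_GATEWAY) -> str:
    """Name the tunnelling option the table implements (the page's four variants)."""
    if not any(r.dev == tunnel_dev for r in routes):
        return "no VPN tunnel"
    defaults = [r for r in routes if r.prefix.prefixlen == 0]
    if not defaults:
        return "no default route"
    if min(defaults, key=lambda r: r.metric).dev != tunnel_dev:
        return "split tunnelling"   # only the pushed corporate prefixes use the tunnel
    # Host routes to the VPN gateway and to next-hop gateways are plumbing that
    # every tunnel needs; they are not exceptions a user can reach through.
    plumbing = {ipaddress.ip_address(r.via) for r in routes if r.via}
    plumbing.add(ipaddress.ip_address(vpn_gateway))
    direct = [r for r in routes
              if r.dev != tunnel_dev and r.prefix.prefixlen > 0
              and not (r.prefix.prefixlen == 32 and r.prefix.network_address in plumbing)]
    if not direct:
        return "tunnel everything"
    if all(r.via is None for r in direct):  # only connected (local LAN) routes bypass
        return "tunnel everything apart from the local area network"
    return "split tunnelling with exceptions"

# Constructed `ip route show` output for the same laptop under each option.
# Clients often also block LAN access with host firewall rules; "tunnel
# everything" is modelled here as the LAN route replaced by a gateway host route.
FULL_TUNNEL = """default dev tun0 scope link metric 50
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.1 dev wlan0 scope link metric 600
203.0.113.10 via 192.168.1.1 dev wlan0 metric 600"""
EXCEPT_LAN = """default dev tun0 scope link metric 50
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0 metric 600"""
SPLIT = """default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 dev tun0 scope link metric 50
172.16.0.0/12 dev tun0 scope link metric 50
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600"""
SPLIT_WITH_EXCEPTIONS = """default dev tun0 scope link metric 50
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
198.51.100.0/24 via 192.168.1.1 dev wlan0 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0 metric 600"""

if __name__ == "__main__":
    for table in (FULL_TUNNEL, EXCEPT_LAN, SPLIT, SPLIT_WITH_EXCEPTIONS):
        routes = parse_ip_route(table)
        print(classify(routes), {d: path_for(routes, d) for d in ("8.8.8.8", "192.168.1.50", "198.51.100.7")})
```

Run it against real output from `ip route show` on a connected Linux client to see which destinations go direct; every "direct" destination is traffic that the corporate gateway's filtering and scanning never see. Clients that block local LAN access usually do so with host firewall rules as well as routes, so a routing table alone can understate what is actually blocked.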

All major firewall vendors' IPsec clients, such as those from Palo Alto, FortiGate, Cisco, SonicWall, Juniper, McAfee and Check Point, support split tunnelling.

Further Reading

Wikipedia's guide to VPN