Should I force all traffic through the corp VPN?

I have seen comments in various places about not routing everything from the client through the corp VPN because it becomes a bottleneck for things like Zoom meetings.

But this seems like the easiest thing to set up. And we have less than 50 people at the company for now. Should I be considering not forcing all traffic through the VPN (when they have it on)? And if so… how? Right now our endpoints are public and we use IP whitelisting. So forcing all traffic through the VPN means I just have to whitelist the VPN. Doing selective traffic I assume means I have to somehow tell the client what to send to the VPN and what not to…

Edit: if you are reading this, there is a lot of gatekeeping in this subreddit, so don't ignore the downvoted questions. There are some very informative answers right after negative karma questions.

My summary of the responses: A fair number of people think ZTNA (zero trust network access) is the answer. But most of those are also advocating spending on software to help lock down the interfaces… which for us isn't an option. Aside from that, the other common answer is a split tunneling VPN. The only challenge here is you have to have a way to identify all the things you want to go through the tunnel. That may be easy or hard depending on what you already have set up internally. Overall, I think the right answer depends on your user base, size of company, and the amount of money you can spend to make it as secure as possible.

A split tunnel VPN is just as easy to set up.

Bottleneck for Zoom meetings and the like, but also a source of extra latency and packet loss. Calling is very sensitive to latency and jitter, and stuffing everything down the tunnel will increase both dramatically. Split tunnel is the way to go these days.

Should I be considering not forcing all traffic through the vpn?

This really seems like a 2000’s way of doing things. The whole modern model of working is supposed to mean phasing out needing a “corporate VPN”.

Good endpoint management shouldn't need VPN. People complaining desktops don't get patches without an internal WSUS server should look at Intune, for example.

That depends on your security posture.

We disable split tunneling on our Cisco AnyConnect VPN. If you connect to the VPN, all the traffic goes through the VPN and our layers of protection and monitoring. Does it cause some issues? Sometimes. We made a business decision that the pros outweigh the cons, and we don't allow split tunneling.

If they can work without VPN, don’t force traffic there. Invest in off internal network protection like Cisco Umbrella.

I feel like this was posted to the wrong sub. r/shittysystemadmin

VPN is dead, except for very specific use cases. Think about your end user experience, set up zero trust and control access to resources through endpoint management and your IdP. Even in a small shop, it's easier to maintain and scale.

VPNs are kind of the old way to do things. But, from a security perspective, if you do use VPNs, you should not allow split tunnels unless you only have managed corporate assets or verified safe systems connecting. This is because your users will invariably not have AV on their device, remain connected to the corporate VPN, then go do their porn searches. Infected endpoints can then easily spread laterally over the VPN, especially if the network isn’t segmented. Security in layers.

Depends on the traffic and application. We split tunnel.

We have two links - MPLS for VoIP/video, internet for everything else. Both terminate within our Azure environment and pass through our sw firewall, but mpls will pass through to our head office DC, where our VoIP servers are, and then if needed out to the internet.

We also have enough bandwidth from our firewall and Azure to cover all site traffic, so much of a muchness

Send most traffic through VPN, but cloud solutions? Send out the front door (O365, Teams, and such).

Split tunnel is usually implemented as only sending traffic to certain subnets over the VPN, and everything else goes directly over the internet.

Full tunnel is preferable I think, but it does require the VPN server to have a connection that’s good enough for it.

Consider that your remote user VPN doesn’t have to be on premises. You can host it somewhere else, either on generic hosting or with a VPN SaaS provider. That way all remote user traffic could go through your VPN and you can put controls in place there (eg web filtering), but only traffic to on-prem servers needs to go through the office’s internet connection.

Split tunnelling with forced internal DNS might be the way if you need the VPN at all. Simply controlling destinations could also be achieved with MDE if you operate in the MS realm.

Split tunnel represents a significant security risk if you have gear that protects your systems. If you allow split tunnel you lose those protections, allow people to visit naughty web sites, etc., all from allowing them to bypass things. But without it you'll have issues with functionality for video traffic. If your technology allows it, then only allow split tunneling of specific traffic. We use a firewall device where we allow split tunneling for specific traffic (GoTo, WebEx, Zoom, etc.) and everything else is NOT. This means the VPN client has to be smart enough to get this config from the VPN server.

There will be a lot of people with opinions on this and "do it this way or that way". The first question is: do you have any risks or GRC requirements that require you to have certain controls? Does this meet those or provide compensating controls? Then come the questions of network layout and architecture. Are there bandwidth constraints or impact to quality if done a specific way? There's a ton of different ways to handle this, and it's all informed by your needs.

Forcing it back to the home base for what purpose?

Inspecting traffic? DLP? Those are valid reasons.

In my case, my company does this, and most, with a few exceptions, of the services we use are cloud-based: O365, Salesforce, and only a few are on an inside protected network (PeopleSoft, for example).

Aside from wanting to DLP scan my actions, or monitor my web usage, there’s zero point to it.

Now, OTOH, if you have a bunch of in-house developed apps that live in a corporate data center, and they are not open to the world, and most of the users spend most of their time connected, that's a different scenario.

Split tunnel unless you have L7 filters in the firewall. But today Cisco, Zscaler, etc. have separate services in their clients to secure the internet traffic, which is a better option.

Also exceptions in IP ranges that should not go through the tunnel, like Office 365 and Zoom. That is also something to consider if you are tunneling all the traffic.

Basically sounds like you want some sort of selective split tunnel where you can specify specific routes & addresses to go through the VPN and everything else not, right?

You might check out Twingate, which is the only thing off the top of my head that can do this. It works opposite to how most split tunnel configs work (which are exclusion based). Personally use it on my homelab and have recommended it to a few companies. Works really well.

You do lose some visibility/filtering by not running everything through the VPN, but sounds like you’re probably not doing that anyway.
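An added example (not code from the thread, from Twingate, or from any vendor) of the two split-tunnel shapes the replies above describe: the include-based one ("only sending traffic to certain subnets over the VPN") and the exclude-based one ("exceptions in IP ranges that should not go through the tunnel", e.g. conferencing or Office 365 prefixes). Clients such as WireGuard only accept an include list (`AllowedIPs`), so an exclude-based policy has to be rewritten as "0.0.0.0/0 minus the exceptions", which the standard-library `ipaddress` module computes exactly. All prefixes used here are constructed placeholders (RFC 1918 and RFC 5737 documentation ranges), not real corporate or SaaS ranges, and the function names are my own.

```python
"""
Added example: building the route list for a split tunnel.

  * include-based: route only the corporate prefixes via the VPN.
  * exclude-based: route everything via the VPN except listed exceptions,
    expressed as the include list a WireGuard-style client needs.

Prefixes below are constructed placeholders, not real vendor ranges.
"""
import ipaddress
from typing import Iterable, List

Net = ipaddress.IPv4Network


def include_tunnel(corp_prefixes: Iterable[str]) -> List[Net]:
    """Include-based split tunnel: only these prefixes are routed via the VPN.
    Adjacent/overlapping prefixes are collapsed so the route table stays small."""
    nets = (ipaddress.ip_network(p) for p in corp_prefixes)
    return sorted(ipaddress.collapse_addresses(nets))


def exclude_tunnel(exceptions: Iterable[str]) -> List[Net]:
    """Exclude-based split tunnel rewritten as an include list: the set of
    prefixes covering 0.0.0.0/0 minus every exception.  CIDR blocks either
    nest or are disjoint, so each exception is either carved out of the block
    containing it or swallows the blocks that lie inside it."""
    remaining: List[Net] = [ipaddress.ip_network("0.0.0.0/0")]
    for exc in (ipaddress.ip_network(e) for e in exceptions):
        carved: List[Net] = []
        for net in remaining:
            if exc.subnet_of(net):
                carved.extend(net.address_exclude(exc))  # empty if exc == net
            elif net.subnet_of(exc):
                continue  # block sits entirely inside an exception: drop it
            else:
                carved.append(net)
        remaining = carved
    return sorted(ipaddress.collapse_addresses(remaining))


def full_tunnel() -> List[Net]:
    """Full tunnel: just the default route, nothing leaves the client directly."""
    return [ipaddress.ip_network("0.0.0.0/0")]


def via_tunnel(dst: str, tunnel_routes: Iterable[Net]) -> bool:
    """Would a packet to dst be sent through the VPN under this route list?
    With an include-only list this is plain membership: any covering prefix
    means the tunnel route wins over the client's ordinary default route."""
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in tunnel_routes)


def allowed_ips_line(tunnel_routes: Iterable[Net]) -> str:
    """Render the list the way a WireGuard [Peer] section would carry it."""
    return "AllowedIPs = " + ", ".join(str(n) for n in tunnel_routes)


if __name__ == "__main__":
    # Constructed inputs: RFC 1918 prefixes standing in for the corporate
    # network, RFC 5737 documentation ranges standing in for SaaS exceptions.
    CORP = ["10.0.0.0/8", "192.168.10.0/24", "192.168.11.0/24"]
    SAAS = ["203.0.113.0/24", "198.51.100.0/24"]

    inc = include_tunnel(CORP)
    exc = exclude_tunnel(SAAS)
    print("include-based:", allowed_ips_line(inc))
    print("exclude-based (%d prefixes):" % len(exc), allowed_ips_line(exc))
    for dst in ("10.1.2.3", "203.0.113.7", "8.8.8.8"):
        print(dst, "include ->", via_tunnel(dst, inc), " exclude ->", via_tunnel(dst, exc))
```

Two practical caveats the route list does not solve on its own: it only steers IP routing, so a split tunnel still needs internal names resolved by internal DNS (the "forced internal DNS" point above) or users will get public or NXDOMAIN answers for on-prem hosts; and SaaS IP ranges change, so an exclude-based list has to be regenerated from the vendor's published ranges rather than hand-maintained.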