VPN split tunneling routes only corporate traffic through the VPN while internet traffic bypasses security controls, creating risks of endpoint compromise and network bridging.
VPN split tunneling is a network configuration that routes only specific traffic through the encrypted VPN tunnel while allowing other traffic to access the internet directly through the local network connection. While split tunneling improves performance and reduces VPN bandwidth consumption, it introduces security risks by creating a dual-homed connection that can bypass corporate security controls and expose the endpoint to direct internet threats.
In full tunnel VPN mode, all traffic from the endpoint traverses the VPN tunnel to the corporate network, where it passes through firewalls, proxies, and security monitoring before reaching its destination. Split tunneling modifies the routing table so that only traffic destined for corporate subnets enters the tunnel, while internet-bound traffic exits directly through the user's local internet connection, bypassing all corporate network security controls. Inverse split tunneling routes all traffic through the tunnel except specified destinations such as video conferencing or cloud services. Dynamic split tunneling makes routing decisions based on DNS resolution, directing traffic to known cloud services directly while tunneling everything else.
The risk manifests when an attacker compromises the endpoint through the unprotected local connection and then pivots through the VPN tunnel into the corporate network, using the endpoint as a bridge between the internet and internal resources.
Split tunneling creates a direct path between the unprotected internet and the corporate network through the user's device. Malware downloaded through the direct internet connection can access internal resources via the active VPN tunnel. DNS leaks, where lookups for internal hostnames are sent to the local resolver instead of through the tunnel, can expose which internal resources the user accesses. Man-in-the-middle attacks on the local network can intercept credentials for internet-facing services. The performance benefits of split tunneling must be weighed against these risks, especially for users handling sensitive data or accessing critical systems.
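The routing-table behaviour described above, and the DNS-leak check that follows from it, as an added example (not CDA's own tooling): given `ip route` output, the script classifies the configuration as full or split tunnel, resolves which interface carries a given destination by longest-prefix match, and flags a resolver that is reached outside the tunnel. The interface name `tun0`, the addresses and the two route dumps are constructed assumptions.

```python
import ipaddress

VPN_DEV = "tun0"  # assumption: the VPN's virtual interface name

# Constructed `ip route` output: split tunnel, only corporate RFC 1918 ranges go via tun0
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
172.16.0.0/12 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""

# Constructed `ip route` output: full tunnel using the 0/1 + 128/1 pair that
# OpenVPN's redirect-gateway installs to win over the local default route
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""


def parse_routes(text):
    """Return [(network, device)] pairs from `ip route` style lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or "dev" not in parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        routes.append((ipaddress.ip_network(dest, strict=False),
                       parts[parts.index("dev") + 1]))
    return routes


def egress_device(routes, dest):
    """Longest-prefix match: the interface that carries traffic to dest (metrics ignored)."""
    addr = ipaddress.ip_address(dest)
    matches = [(n, d) for n, d in routes if addr in n]
    return max(matches, key=lambda r: r[0].prefixlen)[1] if matches else None


def classify(routes, vpn_dev=VPN_DEV):
    """'full-tunnel' when the VPN routes collapse to all of IPv4, else 'split-tunnel'."""
    vpn_nets = [n for n, d in routes if d == vpn_dev]
    if not vpn_nets:
        return "no-vpn"
    if list(ipaddress.collapse_addresses(vpn_nets)) == [ipaddress.ip_network("0.0.0.0/0")]:
        return "full-tunnel"
    return "split-tunnel"


def dns_leaks(routes, resolver, vpn_dev=VPN_DEV):
    """True when queries to the configured resolver leave via a non-VPN interface."""
    return egress_device(routes, resolver) != vpn_dev
```

Note that even under a full tunnel the on-link `192.168.1.0/24` route remains, so a resolver on the local LAN still leaks; the VPN must push its own resolver for `dns_leaks` to return False.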
CDA addresses VPN split tunneling within the Vulnerability and Surface Defense domain as a risk assessment topic. Our missions evaluate split tunneling policies, test for DNS leaks and routing table vulnerabilities, assess endpoint security controls that compensate for split tunneling risks, and help organizations make informed decisions about tunnel configuration based on their threat model.
Written by CDA Editorial