
Cyber Security Thought Series

The security risks associated with split VPN far outweigh its advantages. It violates the basic principle of separating our highly secure internal corporate networks from the insecure outside internet: an endpoint device configured for split VPN becomes a conduit through which malicious actors can pivot into the internal networks using proxies/bots running on that device.

The sudden onset of the pandemic saw a large part of the workforce move from on-site premises to remote locations. The sudden change in the mode of work left no time to plan and scale up the remote connectivity architecture and infrastructure. We saw the VPNs choking as more and more of the workforce connected from remote locations to access resources on our internal networks. This put a heavy load on the existing VPN connections, and the user experience degraded to the point where work was being hampered.

Our IT departments had to work overtime to come up with solutions. The security vendors offered split VPNs, which somewhat alleviated the problem of internet traffic choking the VPNs. It did solve the problem to the extent that internet traffic now flowed through the local ISPs; consequently there was less load on the enterprise VPNs and the user experience improved. This seemingly solved the immediate problem at hand, but introduced its own set of cyber security problems. Some of the notable cybersecurity issues that surfaced were:

  • The security telemetry feeds analysed at the SOCs became blind to the external traffic generated by proxies/bots on the endpoint devices. The SOC could not single out the external traffic to malicious domains, and treated what it did see as internal traffic originating from and destined for the legitimate endpoint devices.

  • In corporate environments we have lots of checks and balances on what employees are doing, in terms of logging and auditing their activities. With the remote workforce, the centralised security net had broken. With split VPNs we were putting the internal networks at even more risk, as employee monitoring was further reduced.

So what's the solution?

Going forward to a zero trust architecture, we can have separate networks based on the identities and roles of individuals. Employees can connect to different networks depending on their roles, instead of all of them logging onto the same VPN. Orchestrating multiple VPNs with containerized technologies like Docker should not be a problem for the IT department. To summarize:

In place of split VPN, we can have different VPNs configured for different departments of our workforce.

Once the remote workforce/endpoint is connected to the internal networks, all the activities and traffic generated should flow through the SOCs, where it needs to be logged, monitored and audited. The endpoint should not be able to split its traffic between internal and external destinations at the same time.
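As an added example (not part of the original post), here is a small Python audit that flags WireGuard-style client configurations whose AllowedIPs do not force all IPv4 and IPv6 traffic through the tunnel, i.e. configurations that split-tunnel. The two sample configs are constructed, the key values are placeholders, and the check goes slightly beyond the plain 0.0.0.0/0 case by merging routes first so that the 0.0.0.0/1 + 128.0.0.0/1 form is also recognised as a full tunnel.

```python
import ipaddress
from typing import List

# Constructed sample client configs, not taken from the original post.
# Split-tunnel form: only the private ranges go through the tunnel,
# everything else (the internet) leaves via the local ISP unmonitored.
SPLIT_TUNNEL_CONF = """
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.8.0.2/32

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = vpn.example.internal:51820
AllowedIPs = 10.0.0.0/8, 172.16.0.0/12
"""

# Full-tunnel form: the default route for both address families is the VPN.
FULL_TUNNEL_CONF = SPLIT_TUNNEL_CONF.replace(
    "AllowedIPs = 10.0.0.0/8, 172.16.0.0/12", "AllowedIPs = 0.0.0.0/0, ::/0"
)


def allowed_ips(conf: str) -> list:
    """Collect every network listed under AllowedIPs, across all [Peer] blocks."""
    nets = []
    for line in conf.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "allowedips":
            nets += [ipaddress.ip_network(v.strip(), strict=False)
                     for v in value.split(",") if v.strip()]
    return nets


def covers_whole_family(nets: list, version: int) -> bool:
    """True when the union of the networks is the entire IPv4 or IPv6 space.
    Merging first means 0.0.0.0/1 + 128.0.0.0/1 counts as a full tunnel."""
    same = [n for n in nets if n.version == version]
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(same))
    return covered == 2 ** (32 if version == 4 else 128)


def audit_tunnel(conf: str) -> List[str]:
    """Return findings; an empty list means all traffic is forced through the VPN."""
    nets = allowed_ips(conf)
    findings = []
    if not covers_whole_family(nets, 4):
        findings.append("IPv4: split tunnel, internet-bound IPv4 bypasses the VPN")
    if not covers_whole_family(nets, 6):
        findings.append("IPv6: no ::/0 route, IPv6 traffic bypasses the VPN")
    return findings
```

Run `audit_tunnel()` over the client configs pushed to endpoints; any non-empty result is a device that can still reach the internet outside the monitored path.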