Udostępnij za pośrednictwem


Why Split Tunneling is Not a Security Issue with DirectAccess

(Discuss UAG DirectAccess issues on the TechNet Forums over at https://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag)

As a member of the Anywhere Access Team with a primary focus on UAG DirectAccess (DA), one of the questions that I hear a lot relates to the security of the solution, due to the fact that split tunneling is enabled by default.

If you’re a VPN guy, you are probably aware of the issue of split tunneling. When split tunneling is disabled, the VPN client uses the VPN gateway as its default gateway, so that all off subnet communications must go through the VPN gateway. It also prevents the the VPN clients from potentially routing communications between two networks, such as the client’s network and the corporate network.

For this reason, most experienced VPN admins disable split tunneling by default. This has become a habit for VPN admins and they don’t think twice about it. However, what they gain in security is lost in performance for the corporate Internet connection.

The reason for this is that the VPN client must go through the VPN gateway to access Internet content, so that the request/response path for Internet content is from the VPN client, to the VPN gateway, to an Internet gateway on the corpnet, to the Internet, and then the response is returned using the same path in the opposite direction.

As you can imagine, if you have more than a few VPN clients, this could become a major bottleneck on your Internet bandwidth.

The DA team understands this problem very well. If the DA client connection isn’t highly performant, users will likely be unsatisfied with the solution. The productivity gains you expected will evaporate, as users won’t use DA to connect to the corpnet, and they’ll return to their old inefficient ways of working.

So, DirectAccess by default enables split tunneling. All traffic destined to the corpnet is sent over the DA IPsec tunnels, and all traffic destined for the Internet is sent directly to the Internet over the local interface. This prevents DA clients from bringing the corporate Internet connection to its knees.

However, it has left the issue of potential risks of split tunneling in the minds of admins who are considering DA. One option is to use “force tunneling”. You can find out more about force tunneling at https://technet.microsoft.com/en-us/library/dd637812(WS.10).aspx One of the primary disadvantages of force tunneling is reduced performance, especially in the context of reaching IPv4 only resources.

But this begs the question: is DA split tunneling really a problem? The answer is no.

Why? Because the risks that exist with VPNs, where the machine can act as a router between the Internet and the corporate network is  not valid with DirectAccess. IPsec rules on the UAG server require that traffic be from an authenticated source, and all traffic between the DA client and server is protected with IPsec.

Thus, in the scenario where the DA client might be configured as a router, the source of the traffic isn’t going to be the DA client, and authentication will fail – hence preventing the type of routing that VPN admins are concerned about.

HTH,

Tom

Tom Shinder
Microsoft ISDUA
Anywhere Access Team/UAG DirectAccess

Bookmark and Share

Comments

  • Anonymous
    January 01, 2003
    Ken - regarding NAC and a compromised laptop - that goes back to my SSL inspection issue. IDS is going to see an SSL session and that's it. And suppose the connection goes to a hijacked site, so web filtering doesn't catch it. I can think of many other similar scenarios for hosts on the intranet. Thanks! Tom

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    Hi Ken, That is true - but at some point I think we need to move away from "it's possible that Martians will come to Earth and give us cold fusion and then leave in peace" approach to security. :) I can come up with equally unlikely, but possible compromises for clients that are on the intranet - heck, anyone who doesn't do outbound SSL inspection is essentially in a potential "split tunneling" scenario. The key is to weigh the net productivity gain against the likelihood that a certain compromise on a DirectAccess client will be any different that a client on the intranet. And I think the primary point to take home is not that the DirectAccess client is more secure, but just as secure as an "intranet" client, because that intranet client moves on and off the network and modern malware is very comfortable about waiting for an oppotuntity to do what it wants to do. As the recent wikileaks event has taught us - it's the insider threats now that are our biggest security concern. Great conversation! Thanks! Tom

  • Anonymous
    January 01, 2003
    I agree and respectfully disagree in the same time. :) DirectAccess can be the subject of pivot attacks, either directed ones, or sideway ones. Same is true for traditional VPNs(it does not matter if they disable or not split tunneling or not, or "control" it at the gateway level-nice myth-). I wanted for a while to wrote something and bring the split tunneling thing into the Web 2.0/modern era, but did not have time for this. Routing, what routing ? ;) One strength of DirectAccess is that it runs on the client side on Windows 7, the most secure OS to date(this kinda stands in the way of the pivot attacks, if I will manage to finish writing my paper, I might come with some examples). Cheers! Adrian

  • Anonymous
    September 28, 2010
    The comment has been removed

  • Anonymous
    November 18, 2010
    The comment has been removed

  • Anonymous
    January 13, 2011
    The comment has been removed

  • Anonymous
    January 21, 2011
    Tom, What's at issue is that when a machine is connected to two separate networks there is always the possibility it become a bridge if you compromise the machine at a low enough level (and with enough knowledge). Two refutations: Always up to date: Zero-day Compromised corp laptop brought in: NAC. Ken

  • Anonymous
    July 06, 2011
    Just a maybe stupid question, but why is split tunneling not supported with SSTP? My scenario is that I have huge problems getting Direct Access to work, due to a possible bug in SP1 with wildcard certificates from GoDaddy, and plan B was to use SSTP, so I had at least some external connectivity to offer my users. I managed it to work with the unsupported instructions from your college here: blogs.technet.com/.../uag-sstp-split-tunnel.aspx So my question is why is this not supported for SSTP?

  • Anonymous
    September 28, 2011
    The comment has been removed

  • Anonymous
    August 14, 2012
    The DirectAccess devices are not managed before the company has spent significantly in upgrading to IPv6 on the core infrastructure. And then we have the question, how much of the network filtering and IDS/IPS is fully IPv6 ready ? Running IPv6 is a risk today. Malware on a PC working as a store and forward switch / router will work fine over DirectAccess. I see DirectAccess as a way to push IPv6, and not much more. Unless you have a need for IPv6 today, then wait, and maybe some other IPv6 VPN will be the dominant technology.

  • Anonymous
    September 28, 2012
    Good Day Tom; How does split tunneling reduce the "pivot" attack risk from a comprimised host? Let's say we have split tunneling enabled, and a host using this becomes comprimised from an IE zero-day exploit; the Command and Control traffic from this comprimised device is now traversing the internet and will have access to the tunnel and host contents will it not?

  • Anonymous
    June 29, 2014
    The comment has been removed