What are the main split tunneling security risks, and how can you prevent them?

What split tunneling security risks should you be aware of?

Nearly every split tunneling security risk can be chalked up to an improperly set up split tunnel or user carelessness — especially if employees are using split tunneling to access the web for personal reasons while connected to a corporate virtual private network. Here are the most common risks that you should be aware of before you enable split tunneling.

Exposing sensitive data

The biggest split tunneling security risk is also the simplest one — unencrypted internet traffic outside the secure VPN tunnel may be read by anyone monitoring your connection, including your internet service provider and hackers. If you’re not careful, you could accidentally mix sensitive data requests in with unencrypted traffic, potentially leading to a data breach.

You should be particularly wary of data exposure when using the same app for both personal and work purposes. The most common culprits are web browsers, with many remote workers keeping personal services open right next to their business Google Docs accounts or other corporate resources. By using split tunneling to make their browser exempt from corporate VPN limitations, remote users are putting both themselves and their company at risk.

Bypassing corporate security

Businesses often set up complex security measures to protect their infrastructure from unauthorized access. Setting up a virtual private network is the key part of the puzzle — by forcing all network traffic through a secure remote VPN server, the organization can concentrate its defenses in one spot.

Split tunneling actively subverts many of these security measures. For example, your company may be deliberately routing traffic through a private DNS (short for “Domain Name System”) setup to automatically block access to known phishing and malware-hosting websites — so by using VPN split tunneling to reach the latter, you could be putting the whole corporate network in danger.

Giving attackers a way in

By going off grid, you’re not only bypassing static security measures — you’re also hidingt your online activity from the eyes of your company’s cybersecurity experts. IT staff continuously monitor network traffic for anomalies, using sophisticated intrusion detection systems (IDS) and intrusion prevention systems (IPS) to identify potential cyberattacks.

When you use split tunneling, some of your internet traffic escapes this oversight. If hackers were to compromise your device through these channels, you’d become a Trojan horse to the rest of the organization — a means for criminals to infiltrate the corporate network and steal valuable data.

Allowing latent malware to take root

Malware rarely takes obvious action as soon as you download it — in most cases, it quietly works behind the scenes to take root. Once the infection of the end-user’s device is complete, the malware begins lateral movement across the network following instructions from a command and control server.

If all your traffic is routed through a corporate VPN, your organization’s cybersecurity measures may be able to detect this traffic to and from the attacker’s servers, alerting them to the cyberattack. But if you accidentally enable split tunneling for an infected app, the hacker would be able to operate beneath notice.

Failing to comply with regulations

In some cases, split tunneling may put your company in danger even when there’s very little risk of data theft. Companies must follow stringent data protection regulations to operate in certain markets, including ensuring adequate end-point security when employees work remotely. Using split tunneling to create unauthorized exceptions may lead to your organization being fined for failing to meet its obligations.

Real example of split tunneling security risks

To illustrate how split tunneling security risks materialize, let’s use a real scenario that many employees have likely encountered in the past — doing a little work over lunch break.

It’s noon, and Alice is feeling a mite peckish. Unfortunately, she hasn’t finished compiling an important report that’s due in a few hours. Alice decides to take her work laptop with her and finish the report while connected to a nearby cafe’s free Wi-Fi hotspot.

To get the internal data for her report, Alice connects to her company’s VPN. This secures her connection, preventing anyone lurking on the cafe’s Wi-Fi network from spying on her online traffic. While the data is being transferred, Alice figures she’ll do some online shopping, but there’s a catch — her corporate VPN connection is very restrictive, automatically blocking access to her favorite e-shop.

Alice decides to get the best of both worlds — she uses one browser to work on her report, leaving it protected by an encrypted VPN connection, and creates a split tunnel for a second browser to access e-shops. While clever, this solution immediately exposes Alice to several serious security risks.

First, if Alice visits an e-shop that doesn’t use HTTPS, criminals monitoring the cafe’s Wi-Fi network could intercept her traffic to and from the website. Second, the e-shops she’s visiting may have been blocked by her corporate VPN for security reasons — by stumbling into a malicious website, Alice could be lured into downloading infected files or become a victim of drive-by downloading. In either case, Alice’s work computer would be compromised, giving attackers a way into her company’s secure network.

Why use split tunneling?

VPN split tunneling offers several important advantages, even if you factor in the risks. Here are the main reasons why VPNs support split tunneling:

• Conserving VPN bandwidth: Even the best corporate VPN will become congested during peak hours — and if your enterprise’s VPN connection is metered, routing everything through paid VPN servers will quickly exhaust your data plan and leave you paying through the nose. In these cases, VPN split tunneling is a practical compromise between cost, accessibility, and security, allowing companies to provide secure remote access to their internal resources without overloading their IT infrastructure.
• Using LAN services: VPN encryption doesn’t always play nice with local area networks (LAN). In some cases, using a VPN will outright block LAN connections to printers, scanners, or other devices. With split tunneling enabled, you can freely access local resources while retaining secure access to your organization’s remote servers.
• Enabling “anywhere operations”: VPN split tunneling offers great flexibility to remote workers, allowing firms to hire the best talent regardless of the person’s geographical location. Properly training employees in safe split tunneling practices lets them work from anywhere while maintaining their own private digital life.
• Enjoying better speed for gaming and streaming: So far, we have focused mainly on split tunneling and VPN benefits for remote workers — but the truth is, VPN split tunneling has a lot to offer even to casual internet users. All VPNs slow down your connection speed due to data encryption and rerouting (although the slowdown is usually imperceptible with the fastest VPNs using modern VPN protocols), potentially leading to stream buffering and in-game lag. With a properly set up split tunnel, speed-hungry apps can enjoy direct access to the internet while the rest of your online traffic is shielded by a VPN.

How to minimize split tunneling security risks

The key to minimizing split tunneling security risks is following good online hygiene while you’re exploring the internet. First, only let trusted apps access the internet directly. Traffic from apps that you download from unverified sources could open you up to exploits and allow attackers to infiltrate your computer. These threats could be intercepted and neutralized by corporate VPN security.

Second, stick to tried and trusted websites that use HTTPS encryption. Shady websites may tempt you with free file downloads, but they’re likely to throw in malware or spyware as a bonus. In addition, make sure that you only visit websites without VPN protection over a secure connection like your home network — exploring the web on public Wi-Fi networks is very dangerous.

Finally, learn how different VPN split tunneling options work. For example, inverse split tunneling only encrypts the traffic of selected apps, letting the rest access the internet directly by default. Any new app would have to be added to your VPN connection manually, leaving you exposed if you forget — or if the app is installed without your knowledge. For these reasons, we don’t recommend using inverse split tunneling on work devices.