Cisco, others, shine a light on VPN split-tunnelling
- 13 May, 2020 07:05
As the work-from-home trend grows due to the Covid-19 pandemic, the need for secure access to enterprise resources continues to grow and with it the demand for ever-more VPN.
For example, demand for commercial virtual private networks in the US jumped by 41 per cent between March 13 and March 23, according to research from Top10VPN.com, a VPN research and testing company in the UK.
The VPN market will hit $70 billion by 2026, according to market research and management consulting company Global Market Insights. In an April blog AT&T pointed to a 700 per cent increase in connections to its cloud-based SD-WAN Static Network Based (ANIRA) VPN service.
That increased traffic puts more stress on enterprise VPN infrastructure, but one of the most effective ways to ease that stress is split-tunnelling.
Basically split-tunnelling is a feature that lets customers select specific, enterprise-bound traffic to be sent through a corporate VPN tunnel. The rest goes directly to the Internet Service Provider (ISP) without going through the tunnel.
Otherwise all traffic, even traffic headed for sites on the internet, would go through the VPN, through enterprise security measures and then back out to the internet. The idea is that the VPN infrastructure has to handle less traffic, so it performs better.
Figuring out what traffic can be taken out of the VPN stream can be a challenge that Cisco is trying to address with a relatively recent product. It combines telemetry data gathered by Cisco AnyConnect VPN clients with real-time report generation and dashboard technology from Splunk.
Taken together the product is known as Cisco Endpoint Security Analytics (CESA) and is part of the AnyConnect Network Visibility Module (NVM). Cisco says that until July 1, 2020, CESA trial licences are offered free for 90 days to help IT organisations with surges in remote working.
AnyConnect NVM gathers security information such as unique device ID, device name, process/container names, parent processes, privilege changes, source/destination domains, DNS info and network interfaces that can help customers spot data leakage, unapproved applications or SaaS services, security evasion and malware activity, according to Scott Pope, director, product management and business development for the security technical alliances ecosystem at Cisco.
AnyConnect supports another feature called Dynamic Split Tunnelling, which makes it easy to direct tunnelled traffic by domain name (for example, put all “*webex*.cisco.com” traffic into the split tunnel). Dynamic Split Tunnelling analytics is also supported in CESA.
In a recent blog Pope wrote that customers can use CESA data to:
- Implement VPN split tunnelling to alleviate VPN capacity constraints without sacrificing security
- Monitor and further optimise traffic traversing an existing split tunnel deployment
- Analyse security behaviour of remote endpoints, users and VPN “top talkers”. This is particularly useful for remote work endpoints that were rapidly deployed with less stringent than normal security compliance testing
“The idea is that with CESA customers can quickly figure out what can be safely put into split tunnels which is of growing importance with the increasing VPN loads many companies are facing,” Pope said.
“There’s some pretty low-hanging fruit customers can send to the internet but then there’s cloud-based applications and other traffic that may not be so obvious, and it’s hard to separate that traffic without knowing what’s coming across the tunnel.”
CESA provides the VPN traffic insight needed to keep tabs on what traffic is going over the split tunnel and also identify the traffic that should be moved back into the corporate tunnel. And the reverse is also true, Pope stated.
“CESA can monitor the corporate tunnel to identify traffic that could be safely moved to the split tunnel. Furthermore, CESA tracks the volume of traffic by application, protocol, port, software process, domain, source/destination, etc,” Pope stated.
“This enables IT orgs to identify high volume applications and data sources and move them to the split tunnel first to make the largest impact on VPN performance with the least amount of effort and configuration.”
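The two mechanisms described above, domain-pattern routing in the style of the “*webex*.cisco.com” Dynamic Split Tunnelling example and the volume-by-application analysis Pope describes for picking what to move out of the corporate tunnel first, can be illustrated with a small Python script. This is an added example, not Cisco's CESA, NVM or Splunk code: it assumes a flow-record shape with device, process, destination domain, port, protocol, byte count and the path the flow actually took, and the sample records and the approved-destination patterns are constructed.

```python
"""Split-tunnel candidate analysis over per-process endpoint flow records.

Added example, not Cisco CESA/NVM or Splunk code. Record fields mimic the
kind of telemetry the article says AnyConnect NVM exports (device, process,
destination domain, port, protocol, byte counts); all records and the
approved-destination patterns below are constructed for illustration.
"""
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed policy: destinations considered safe to send straight to the ISP,
# written as wildcard patterns in the style of the article's "*webex*.cisco.com".
# fnmatchcase anchors the pattern to the whole name, so "*.sharepoint.com" does
# not match "x.sharepoint.com.other.example".
APPROVED_DIRECT_PATTERNS = [
    "*webex*.cisco.com",
    "*.sharepoint.com",
    "*teams.microsoft.com",
]

# Constructed flow records. "path" records how the flow was actually routed:
# "tunnel" = corporate VPN, "direct" = split-tunnelled straight to the ISP.
FLOWS = [
    {"device": "lt-0113", "process": "webex.exe", "dst_domain": "mtg1.webex.cisco.com",
     "dst_port": 443, "protocol": "tcp", "bytes": 850_000_000, "path": "tunnel"},
    {"device": "lt-0113", "process": "onedrive.exe", "dst_domain": "contoso-my.sharepoint.com",
     "dst_port": 443, "protocol": "tcp", "bytes": 200_000_000, "path": "tunnel"},
    {"device": "lt-0207", "process": "teams.exe", "dst_domain": "teams.microsoft.com",
     "dst_port": 3478, "protocol": "udp", "bytes": 600_000_000, "path": "direct"},
    {"device": "lt-0207", "process": "chrome.exe", "dst_domain": "filehost.example.net",
     "dst_port": 443, "protocol": "tcp", "bytes": 40_000_000, "path": "direct"},
    {"device": "lt-0342", "process": "erp-client.exe", "dst_domain": "erp.corp.example",
     "dst_port": 8443, "protocol": "tcp", "bytes": 300_000_000, "path": "tunnel"},
    {"device": "lt-0342", "process": "outlook.exe", "dst_domain": "outlook.office365.com",
     "dst_port": 443, "protocol": "tcp", "bytes": 120_000_000, "path": "tunnel"},
]


def is_approved_direct(domain):
    """True if the destination matches an approved split-tunnel pattern."""
    d = domain.lower()
    return any(fnmatchcase(d, p.lower()) for p in APPROVED_DIRECT_PATTERNS)


def volume_by(flows, key, path=None):
    """Total bytes grouped by a record field, optionally restricted to one path.

    Returns (value, bytes) pairs, largest first, so the caller sees the
    heaviest application, process, domain or device at the top.
    """
    totals = defaultdict(int)
    for f in flows:
        if path is None or f["path"] == path:
            totals[f[key]] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def split_tunnel_candidates(flows):
    """Tunnelled traffic to approved destinations: move these out first, biggest first."""
    approved = [f for f in flows
                if f["path"] == "tunnel" and is_approved_direct(f["dst_domain"])]
    return volume_by(approved, "dst_domain")


def policy_violations(flows):
    """Direct traffic to destinations not on the approved list: move these back in."""
    return [(f["device"], f["process"], f["dst_domain"], f["bytes"])
            for f in flows
            if f["path"] == "direct" and not is_approved_direct(f["dst_domain"])]


def tunnel_relief_fraction(flows):
    """Share of current tunnel bytes that the candidate list would remove."""
    total = sum(f["bytes"] for f in flows if f["path"] == "tunnel")
    movable = sum(b for _, b in split_tunnel_candidates(flows))
    return movable / total if total else 0.0


def top_talkers(flows, n=3):
    """Devices generating the most traffic across both paths."""
    return volume_by(flows, "device")[:n]


if __name__ == "__main__":
    print("Move out of the corporate tunnel (approved, by volume):")
    for domain, b in split_tunnel_candidates(FLOWS):
        print(f"  {domain:30} {b / 1e6:8.0f} MB")
    print(f"Tunnel relief if applied: {tunnel_relief_fraction(FLOWS):.0%}")
    print("Direct traffic that should go back into the tunnel:")
    for dev, proc, domain, b in policy_violations(FLOWS):
        print(f"  {dev} {proc:16} {domain:24} {b / 1e6:6.0f} MB")
    print("Top talkers:", top_talkers(FLOWS))
```

The candidate list answers Pope's "largest impact with the least effort" point directly: the heaviest approved destination is moved first, and `tunnel_relief_fraction` gives the capacity argument in one number. The violations list is the reverse check the article also mentions, surfacing direct-path traffic to destinations the policy never approved, which is the traffic that needs to come back under the corporate tunnel's inspection.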
In emergency situations, IT organisations are often put in the position of rolling out a high volume of remote workers in a very short time, Pope stated.
“Depending on the situation, normal validation of security oversights for these users might be overlooked to expedite getting business running again. This might mean the user endpoints aren’t on standard IT builds,” Pope added.
“Or they don’t have the usual endpoint security used for remote workers. Whatever the situation, rapidly deployed remote working often entails less than perfect remote user/endpoint security and visibility.”
CESA takes the next step by using behavioural analysis to detect threats like malicious insiders, malware droppers and other activity not detectable via file-hash detection. And CESA can be configured to monitor endpoints when they are off the network and when they are on it, giving complete visibility into all endpoint activity, Pope stated.
Security is the biggest challenge when using split tunnels since the data outside the VPN still has to be protected and monitored. It’s a case of knowing what that traffic is and how to increase security on that traffic.
Cisco isn’t the only industry player to advance split tunnelling. Microsoft recently detailed a tool customers can use to evaluate VPN connectivity and split tunnelling via its Office 365 onboarding tool.
That tool now detects use of a VPN and evaluates if the VPN is configured for recommended Office 365 split tunnelling. “With many companies sending employees to work from home, scalable and performant VPN implementation supporting Office 365 is one of the top responsibilities that IT faces,” Microsoft stated.
“For customers who connect their remote worker devices to the corporate network or cloud infrastructure over VPN, Microsoft recommends that the key Office 365 scenarios Microsoft Teams, SharePoint Online and Exchange Online are routed over a VPN split tunnel configuration. This becomes especially important as the first-line strategy to facilitate continued employee productivity during large scale work-from-home events such as the COVID-19 crisis,” Microsoft stated.