Remote access services that tunnel traffic, such as SDP or VPN, have different ways of encrypting and routing packets. At the broadest level, is all data encrypted, or only some? And if only some data is encrypted, how do we define which data should be?

Full-tunnel

This form of remote access directs all traffic from the device through an encrypted tunnel to the corporate data center. Sending every packet back to the corporate network gives IT administrators the same control over the traffic as they have for a device in the office, including using a web gateway to filter internet traffic. While this allows compliance policies to be fully enforced, it has a number of downsides:

  • Cost – requiring all traffic to be routed back to the data center can consume a lot of bandwidth, and businesses must pay for this data to be backhauled.
  • Latency – not all of the traffic leaving the device is destined for the corporate data center; much of it is bound for cloud applications or the internet. Forcing traffic to hair-pin at the data center increases latency, which creates a poor experience and can even break some applications.
  • Privacy – users may not be comfortable with detailed information about their web browsing being managed and logged by an IT administrator; this is particularly the case for BYOD or personal devices.

Split-tunnel

Instead of encrypting and routing all of a device’s traffic, split-tunnel does this only for pre-defined traffic. As less traffic is routed back to the corporate data center, this technique offers numerous advantages, including lower bandwidth consumption and therefore lower backhauling costs. Additionally, by allowing web traffic to travel directly to its destination instead of being unnecessarily routed via the corporate data center, split-tunnel avoids adding latency and can better preserve user privacy.

There are multiple ways split-tunnel traffic can be routed, and the choice determines how the remote access solution performs:

  • Where traffic is routed – There are two options: a single tunnel, which sends all allocated traffic down one encrypted path to one location, or multiple tunnels, which direct traffic along different paths to different locations. Not every application lives in the same data center; applications may be hosted in multiple locations, including the cloud, so multiple tunnels allow each application’s traffic to follow its own path. Using the shortest path for each application reduces latency and increases performance.
  • Which traffic is routed – Defining which traffic should go via the split-tunnel was originally done with Access Control Lists (ACLs). Administrators use ACLs to define which destination IP address ranges will have their packets sent via the split-tunnel. As you may guess, this is a tedious and time-consuming task, and any application or infrastructure change requires the ACLs to be reconfigured. A more modern approach is the dynamic split-tunnel, which uses DNS to define which traffic is routed. DNS-based policies are expressed as the hostnames of websites or applications, which are much easier for administrators to configure than IP-range ACLs.

As described above, there are four possible categories of split-tunnel solution (single or multiple tunnels, each configured via ACLs or via a dynamic split-tunnel), but they are not all equal. Routing traffic to its destination through multiple tunnels, with policies defined by a dynamic split-tunnel, provides the most granular control over corporate data, producing the best performance for end-users while being the easiest to configure for administrators.

Despite this, some businesses may still prefer full-tunnel remote access solutions because they provide the ability to route web traffic via a content filter. However, dynamic split-tunnel technology can also provide this functionality: web traffic can be routed via the DNS service, which can act as a Secure Web Gateway to block content.

Implementation

These different technologies are found in many common remote access tools:

  • Traditional VPN – Often these can be deployed as full-tunnel or split-tunnel with policies controlled via ACLs, but the architecture of many VPN services means that only a single-tunnel configuration can be used. This is useful when all applications live in one data center, but it is not ideal for battery-powered devices, as a full-tunnel VPN can drain the battery very quickly.
  • UEM tunnel – These are usually split-tunnel configurations, as this preserves mobile and laptop battery life far better than full-tunnel. However, a connector is often required, meaning only a single-tunnel configuration is possible. The design of these services is usually based on traditional VPN and uses ACLs, which add complexity.
  • Software-defined perimeter (SDP) – SDP solutions typically use multiple tunnels to direct data on a per-application basis, helping avoid traffic hairpins. As a more modern, converged technology, they are usually integrated with DNS services, allowing a dynamic split-tunnel configuration that is much faster and easier for administrators.

Zero Trust Network Access (ZTNA) solutions built on SDP technology can apply their risk policy to traffic routing. This means that if a risk or threat is detected, individual application tunnels can be disabled or redirected as appropriate. This gives administrators a high degree of fidelity when designing policies and helps ensure compliance.
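To make the two routing questions above concrete, here is an added example (not Wandera’s code or any vendor’s configuration format) of a per-application split-tunnel policy evaluator: hostname-based (dynamic split-tunnel) rules are consulted first, IP-range ACLs second, anything unmatched goes direct, and a tunnel that ZTNA risk policy has disabled fails closed instead of leaking that traffic to the internet. All policy entries, tunnel names and addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample policy. Static ACL: destination CIDR -> tunnel name.
ACL_POLICY = {
    "10.20.0.0/16": "tunnel-dc1",      # on-prem apps in the main data center
    "10.20.7.0/24": "tunnel-dc1-pci",  # more specific range, longest prefix wins
    "192.168.50.0/24": "tunnel-dc2",   # secondary site
}
# Dynamic split-tunnel: hostname (or parent domain) -> tunnel name.
DNS_POLICY = {
    "crm.example.internal": "tunnel-dc1",
    "hr.example-cloud.net": "tunnel-cloud-hr",  # SaaS app over its own tunnel
}

@dataclass
class Flow:
    dst_ip: str
    dst_host: Optional[str] = None  # known only when the client resolved a name

def hostname_tunnel(host: str) -> Optional[str]:
    """Match a hostname against DNS policy: exact name or any parent domain."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DNS_POLICY:
            return DNS_POLICY[candidate]
    return None

def acl_tunnel(ip: str) -> Optional[str]:
    """Match a destination IP against ACL CIDRs; the longest prefix wins."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, tunnel in ACL_POLICY.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, tunnel)
    return best[1] if best else None

def route(flow: Flow, disabled_tunnels: frozenset = frozenset()) -> str:
    """Return the tunnel for a flow, 'direct' for plain internet traffic, or
    'blocked' when risk policy disabled the tunnel this flow needs (fail closed
    rather than sending corporate-bound traffic out unencrypted)."""
    tunnel = (hostname_tunnel(flow.dst_host) if flow.dst_host else None)
    tunnel = tunnel or acl_tunnel(flow.dst_ip)
    if tunnel is None:
        return "direct"
    return "blocked" if tunnel in disabled_tunnels else tunnel
```

A real client would also need to pin the resolved IP to the hostname decision so that a later connection to the same address cannot bypass the hostname rule.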

Summary

It is clear that per-app tunnels configured via a dynamic split-tunnel are the optimal solution for encrypting and routing corporate traffic: they are more performant than full-tunnel solutions and offer more granular control over corporate data than other split-tunnel configurations. Wandera’s remote working experts can help map out use cases and recommend configurations for your business.