DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Split tunneling might be desirable by remote users to communicate with local system
resources such as printers or file servers. However, split tunneling allows unauthorized
external connections, making the system more vulnerable to attack and to exfiltration of
organizational information. This requirement is implemented in remote devices (e.g.,
notebook computers, smart phones, and tablets) through configuration settings to disable
split tunneling in those devices, and by preventing configuration settings from being readily
configurable by users. This requirement is implemented in the system by the detection of
split tunneling (or of configuration settings that allow split tunneling) in the remote device,
and by prohibiting the connection if the remote device is using split tunneling.
CMMC CLARIFICATION
Split tunneling for a remote user utilizes two connections: accessing resources on the
organization’s network via a VPN and simultaneously accessing an external network such as
the public network or the Internet. Split tunneling introduces a vulnerability where an open
unencrypted connection from the public network could allow an adversary to access
resources on the network. As a mitigation strategy, the split tunneling setting should be
disabled on all devices so that all traffic, including traffic for external networks or the
Internet, goes through the organization’s VPN.
Example
You are an IT administrator at your organization responsible for configuring the network to
disallow remote users from using split tunneling. You perform a review of the configuration
of remote user laptops. You discover that remote users are able to access files, email,
database and other services through the organization’s VPN connection. At the same time,
remote users are able to access resources on the Internet through their connection to the
Internet. You change the hardening procedures for the company’s laptops to include
changing the configuration setting to disable split tunneling. You test a laptop that has had
the new hardening procedures applied and verify that all traffic from the laptop is now
routed through the VPN connection.
References
• NIST SP 800-171 Rev 1 3.13.7
• CIS Controls v7.1 12.12
• NIST CSF v1.1 PR.AC-3
• NIST SP 800-53 Rev 4 SC-7(7)