Split or Full Tunnel for Remote Access VPN

MitM (Member, Posts: 622)
I was curious what TE members are doing for remote access VPN: split or full tunnel. I'm also wondering how many are using MFA for VPN.

I'm currently using GlobalProtect (Palo Alto), with a full tunnel and MFA using user certs. I have a requirement that we must use "Always On", so the VPN connects automatically on external networks. It detects when it is internal.

The main reason for the question is, a few have requested that we switch to OTP instead of certs, but this gets a little tricky. If the user fails to enter the proper OTP, the VPN connection will fail and their internet traffic will go through their internet connection, instead of sending it to our firewall.
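The fail-open case described above (the VPN client not connecting and traffic leaving through the local connection) can be detected from the endpoint's routing table. The following is an added example, not code from the thread or from any VPN vendor: it parses Linux `ip route` style output (sample tables are constructed, and the tunnel interface name `tun0` is an assumed placeholder) and classifies the host as full tunnel, split tunnel, or bypassing the tunnel entirely.

```python
"""Classify a host's VPN tunnel state from its routing table.

Added example, not from the forum thread. Assumes Linux `ip route` output
and a tunnel interface named 'tun0' (placeholder; real clients such as
GlobalProtect name their interface differently).
"""
import re

# Constructed sample routing tables (not captured from a real host).
FULL_TUNNEL = """\
default via 10.200.0.1 dev tun0 proto static metric 50
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.200.0.0/16 dev tun0 proto kernel scope link src 10.200.3.7
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.200.0.1 dev tun0 proto static metric 50
10.200.0.0/16 dev tun0 proto kernel scope link src 10.200.3.7
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""
NO_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

# destination, optional gateway, device, optional metric
ROUTE_RE = re.compile(
    r"^(?P<dst>\S+)(?: via \S+)? dev (?P<dev>\S+)(?:.* metric (?P<metric>\d+))?"
)


def parse_routes(text):
    """Return a list of (destination, device, metric) tuples."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append((m["dst"], m["dev"], int(m["metric"] or 0)))
    return routes


def tunnel_state(route_text, tunnel_dev):
    """'full' if the preferred default route uses the tunnel, 'split' if only
    some prefixes do, 'bypass' if no route uses it (the fail-open case)."""
    routes = parse_routes(route_text)
    if not any(dev == tunnel_dev for _, dev, _ in routes):
        return "bypass"
    defaults = sorted((r for r in routes if r[0] == "default"), key=lambda r: r[2])
    if defaults and defaults[0][1] == tunnel_dev:
        return "full"
    return "split"
```

Run this from an endpoint compliance check or an EDR script and alert when an Always On host reports "bypass" or "split" where "full" is the policy.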

gespenstern (Member, Posts: 1,243)
Full is more secure, but at the price of convenience. Sometimes users need to print some user crap to local printers, etc. Full tunnel kills that.

Yeah, MFA is typical these days. The last company I worked for used machine certs as the second factor.

Always on is always good, as it solves so many problems: you don't have to publish your SCCM or anti-virus or whatever else servers to the Internet and care about their mutual authentication and encryption in motion, etc. Plus group policies, which is huge, easy password changes, easier incident response, etc. The downside is it's pricey, as you have to maintain a licensing scheme that takes into account that 100% of your remote users may be connected at the same time.

I would advise against OTP (RSA SecurID? SMS OTP?) in this scenario, primarily based on it being inconvenient. From a regulations and compliance viewpoint, AFAIK, there's no such requirement, as PCI DSS and HITRUST or whatever else you have to comply with are usually satisfied with a "factor" no matter what it is.

If the sponsor of this project is pushy, I'd suggest protecting with OTP only the services this sponsor is concerned with. Let's say it is an internal web site or something; then require OTP only for the web site in question. This way you will have all the benefits of "always on", like group policies and all the endpoint software communication, AND will have this sponsor satisfied.
MitM (Member, Posts: 622)
I agree. It's more secure, for sure. You're absolutely right about the local printers. It was one of the biggest complaints.

What's inconvenient about OTP for VPN connections? I've only implemented it for SSL VPNs in the past.