Description:

Split tunneling might be desirable by remote users to communicate with local system resources such as printers or file servers. However, split tunneling allows unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information. This requirement is implemented in remote devices (e.g., notebook computers, smart phones, and tablets) through configuration settings to disable split tunneling in those devices, and by preventing configuration settings from being readily configurable by users. This requirement is implemented in the system by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling.


Priority: High


CategoryNetwork Security


Services Associated with AWS:

  1. AWS Direct Connect
  2. AWS VPN
  3. AWS Network Firewall
  4. Amazon VPC
  5. AWS Systems Manager
  6. AWS Config
  7. Amazon GuardDuty
  8. AWS Network Firewall
  9. AWS Security Hub


Objective Evidence:

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how IT Asset Management  (ITAM) is implemented
  • Administrative: supporting documentation to demonstrate the ""secure practices"" used to build technology platform-specific secure baseline configurations
  • Technical: screen shot of Configuration Management Database (CMDB) console
  • Technical: screen shot of configuration settings


Possible Technology Considerations

Secure Baseline Configurations (SBC)


What needs to be answered?

Are controls in place to prevent split tunneling in remote devices, and to mandate VPN use when necessary for business functions? Does the system prevent remote devices that have established connections (e.g., remote laptops) with the system from communicating outside that communications path with resources on uncontrolled/unauthorized networks?

  • Prevention of Split Tunneling

    Description: This check ensures that remote devices are prevented from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks, commonly known as split tunneling.

  • Configuration Settings Check

    Description: This check verifies that the configuration settings of remote devices have been set to disable split tunneling and that they are not readily configurable by users.

    Related AWS Service: AWS Systems Manager, AWS Config

  • Detection of Split Tunneling

    Description: This check ensures that systems are capable of detecting split tunneling or configuration settings that allow split tunneling in remote devices, and prohibiting the connection if split tunneling is in use.

More Details:

Remote access to cloud based system not capable of split tunneling.