Level 2

Description:

Split tunneling might be desirable by remote users to communicate with local system resources such as printers or file servers. However, split tunneling allows unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information. This requirement is implemented in remote devices (e.g., notebook computers, smart phones, and tablets) through configuration settings to disable split tunneling in those devices, and by preventing configuration settings from being readily configurable by users. This requirement is implemented in the system by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling.


Priority: High


Domain:  SYSTEM AND COMMUNICATIONS PROTECTION (SC) 


CategoryNetwork Security


Services Associated with AWS:

  • AWS Direct Connect
  • AWS VPN
  • AWS Network Firewall
  • Amazon VPC
  • AWS Systems Manager
  • AWS Config
  • Amazon GuardDuty
  • AWS Network Firewall
  • AWS Security Hub

Services Associated with Azure: 

  • Azure Network Security Groups (NSGs)
  • Azure Firewall
  • Azure Virtual Networks (VPNs)
  • Azure Active Directory (Azure AD)
  • Azure Policy


Objective Evidence:

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how IT Asset Management  (ITAM) is implemented
  • Administrative: supporting documentation to demonstrate the ""secure practices"" used to build technology platform-specific secure baseline configurations
  • Technical: screen shot of Configuration Management Database (CMDB) console
  • Technical: screen shot of configuration settings


Possible Technology Considerations

Secure Baseline Configurations (SBC)


What needs to be answered?

Are controls in place to prevent split tunneling in remote devices, and to mandate VPN use when necessary for business functions? Does the system prevent remote devices that have established connections (e.g., remote laptops) with the system from communicating outside that communications path with resources on uncontrolled/unauthorized networks?

Checks for AWS 

  • Prevention of Split Tunneling

    Description: This check ensures that remote devices are prevented from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks, commonly known as split tunneling.

  • Configuration Settings Check

    Description: This check verifies that the configuration settings of remote devices have been set to disable split tunneling and that they are not readily configurable by users.

    Related AWS Service: AWS Systems Manager, AWS Config

  • Detection of Split Tunneling

    Description: This check ensures that systems are capable of detecting split tunneling or configuration settings that allow split tunneling in remote devices, and prohibiting the connection if split tunneling is in use.

Checks for Azure 

  • Prevention of Split Tunneling
    Description: This policy ensures that remote devices connecting to Azure resources are not allowed to simultaneously establish non-remote connections with organizational systems while communicating via some other connection to resources in external networks. This prevents split tunneling and enhances security by ensuring all traffic flows through the secure VPN connection.
  • Configuration Settings Check
    Description: This policy verifies that the configuration settings of remote devices connecting to Azure resources have been set to disable split tunneling. Additionally, it ensures that these settings cannot be readily configurable by users, further preventing any potential vulnerabilities caused by split tunneling.
  • Detection of Split Tunneling
    Description: This policy ensures that Azure systems are capable of detecting split tunneling or any configuration settings that might allow split tunneling in remote devices. If split tunneling is detected, the policy prohibits the connection, preventing potential unauthorized external connections and bolstering the overall security of the system.


More Details:

Remote access to cloud based system not capable of split tunneling.