Forcing all remote network communications to go through a corporate virtual private network (VPN) can quickly lead to performance bottlenecks. And they get worse when security teams use the same VPN to push out operating system patches.
A well-configured split-tunnel VPN solution where users can directly access patches and other whitelisted resources will reduce overall strain and increase the responsiveness of internet-based applications for your remote workforce.
The security team for a large, geographically dispersed automotive services organization is worried about saturating its VPN, now that employees have moved from core offices to work-from-home locations during the COVID-19 pandemic. The team’s primary concern revolves around keeping remote systems up-to-date on security patches. The current process relies on systems receiving packages from Microsoft System Center Configuration Manager (SCCM) servers in core locations, but having all devices routed back through the VPN could over-saturate it. Specifically, the team asks:
- Is it viable for employees to get patches over their internet connection and not the VPN?
The historic recommendation for remote work was to force all network traffic to go through the corporate VPN tunnel. This reduces the risk associated with those systems because they are subject to the same network-based controls (web proxies, data loss prevention solutions, URL filtering, etc.) as systems in central offices. It also helps reduce the risk of exposing or bridging the corporate network with less secure networks.
However, the forced move to remote work due to COVID-19 is making many organizations rethink this strategy. Having everything go through the VPN not only puts strain on the VPN, but it also could reduce the productivity of the remote workforce, especially if the organization leverages software-as-a-service (SaaS) applications.
With a split-tunnel VPN, the remote client uses the tunnel to reach systems and services on the corporate network and sends internet-bound traffic directly, without going through the VPN. A fully open split tunnel removes the network-based controls from all of that internet traffic. An exception-based split tunnel is different: the client still forces everything through the VPN by default and only routes specific, well-controlled destinations directly. With such a setup, most internet traffic still follows the forced-tunnel path and remains subject to all existing controls. Only traffic to and from specific applications pre-approved by the organization traverses less secure networks, so the added risk to the corporate network is small and bounded.
In addition, an exception-based split tunnel can be extended incrementally, adding approved sites as employees find the need to use different resources. One example to consider early on is access to Office 365 or another cloud-based productivity suite. Another, potentially more pressing, example is to let remote clients download system updates from internet-based sources while they are still managed from an internal configuration management or patching platform. This is a feasible approach and should be considered, provided your configuration management/patching system lets clients use internet-based content locations.
Regardless of which application or process you are trying to offload from the VPN, review the controls in place on remote systems before any changes are made. Only after that review is complete can you determine whether the proposed exclusions from the existing forced-tunnel configuration are acceptable when weighed against the drop in VPN utilization. Issues to consider here include whether:
- DLP and anti-malware controls are enforced at a proxy or a single edge device rather than on the endpoint itself (controls that exist only on the network path are lost for excluded traffic).
- The SaaS applications are well trusted.
- The controls built into the SaaS applications are suitable.
- The SaaS applications use multiple URLs, or change URLs often.
- The external networks change often without any notice.
The first three items all cover the same general set of information: determining if the purpose of the internet-based application is understood and whether direct access to it greatly increases the likelihood of sensitive data being exfiltrated from or malware being introduced into the corporate environment.
The last two pertain to how much ongoing maintenance will be needed to keep the split tunnel configured correctly. If the application changes IP addresses or URLs, the configuration drifts in two directions: addresses the provider adds that are not yet in the exclusion list fall back into the forced tunnel (the performance gain quietly disappears), while addresses the provider stops using but that remain in the exclusion list can later be assigned to someone else, opening the possibility that clients reach unapproved sites directly.
Next, Configure an Exclusion-Based Split Tunnel
While this section is specific for Microsoft Endpoint Configuration Manager (formerly called SCCM), similar split-tunnel strategies can be configured for any internet-based application an organization feels has the appropriate level of controls to mitigate the risks of having it be accessed directly rather than through the forced VPN connection. Information about the internet-based application, including URLs, fully qualified domain names (FQDNs) and IP addresses/network ranges will need to be gathered so they can be added to the VPN configuration for whitelisting.
Endpoint Configuration Manager offers methods for remote workforce clients to get updates from internet-based services. Endpoints can go through a cloud distribution point (CDP) or a cloud management gateway (CMG), or they can go directly to Microsoft Update.
However, for clients to access the internet directly for updates, you must configure your setup to:
- Let clients route directly to the internet for specific URLs and/or networks.
- Let clients use Microsoft Update for a package location.
Please note that unless you create a CDP or a CMG, only content hosted by Microsoft Update (Windows and other Microsoft product updates) can be sourced from the internet; all other packages and applications still come from distribution points on the internal network. Using a CDP or CMG removes that limitation but adds cost to the equation.
Configure Client and VPN Settings
Depending on the VPN client, it may be possible to supply URLs as exceptions to the forced VPN tunnel. In many cases, however, networks or routes must be pushed to the client. If the VPN client can use URLs, Microsoft recommends whitelisting the following:
If you’re using a CMG/CDP, additional URLs need to be whitelisted:
- FQDN of the CMG/CDP (If one exists)
If the VPN client cannot use URLs for whitelisting, the next option is to allow remote workforce clients to connect to the list of 184 public IPv4 and 185 IPv6 networks Windows Update uses. This list could potentially be pared down if some geographic regions, countries or continents are not required. Unlike Office 365 and other Microsoft services, the update sources Endpoint Configuration Manager relies on do not have a well-defined, service-specific subset of networks within the published IP ranges. The list can be downloaded here.
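Once the exclusions are pushed, the two things worth verifying from a remote client are that each approved destination actually leaves through the local internet interface rather than the tunnel, and that every address an approved FQDN currently resolves to is still covered by the networks in the exclusion list (the drift problem described earlier). The following PowerShell script is an added example, not code from the original report or from Microsoft; it assumes the VPN adapter is named "Corp VPN", and the FQDNs and networks in it are placeholders (the CMG name is hypothetical, the networks are RFC 5737 test ranges) that you replace with your organization's approved list.

```powershell
# Added example: verify split-tunnel exclusions from a VPN-connected Windows client.
# Assumptions: VPN adapter alias "Corp VPN"; placeholder FQDN/network lists below.
$VpnInterfaceAlias = 'Corp VPN'

$ExcludedFqdns = @(
    'cmg.example.com',       # hypothetical: FQDN of your CMG/CDP, if one exists
    'updates.example.com'    # placeholder for each approved update FQDN
)
$ExcludedNetworks = @(       # placeholders: the networks pushed to the VPN client
    '203.0.113.0/24',
    '198.51.100.0/25'
)

function ConvertTo-UInt32 {
    param([string]$IPv4)
    $bytes = [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()
    [Array]::Reverse($bytes)   # network byte order -> little-endian for BitConverter
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4InNetwork {
    param([string]$IPv4, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    # 2^32 - 2^(32-prefix) is the prefix mask; exact in double for 0..32
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$prefix))
    return (((ConvertTo-UInt32 $IPv4) -band $mask) -eq ((ConvertTo-UInt32 $network) -band $mask))
}

function Get-EgressInterface {
    param([string]$IPv4)
    # Find-NetRoute returns the chosen source address and the matching route;
    # the route object is the one that carries a DestinationPrefix.
    $route = Find-NetRoute -RemoteIPAddress $IPv4 |
             Where-Object { $_.DestinationPrefix } | Select-Object -First 1
    return $route.InterfaceAlias
}

function Test-SplitTunnelExclusions {
    param([string[]]$Fqdns, [string[]]$Networks, [string]$VpnAlias)
    foreach ($fqdn in $Fqdns) {
        $addresses = Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue |
                     Where-Object { $_.QueryType -eq 'A' } |
                     Select-Object -ExpandProperty IPAddress
        if (-not $addresses) {
            [pscustomobject]@{ Fqdn = $fqdn; Address = $null; InExclusionList = $false
                               Egress = 'unresolved'; Status = 'FAIL: name did not resolve' }
            continue
        }
        foreach ($ip in $addresses) {
            $covered = [bool]($Networks | Where-Object { Test-IPv4InNetwork -IPv4 $ip -Cidr $_ })
            $egress  = Get-EgressInterface -IPv4 $ip
            $status  = if ($covered -and $egress -ne $VpnAlias) { 'OK' }
                       elseif (-not $covered) { 'DRIFT: address not in pushed exclusion list' }
                       else { 'TUNNELED: route still points at the VPN adapter' }
            [pscustomobject]@{ Fqdn = $fqdn; Address = $ip; InExclusionList = $covered
                               Egress = $egress; Status = $status }
        }
    }
}

Test-SplitTunnelExclusions -Fqdns $ExcludedFqdns -Networks $ExcludedNetworks `
    -VpnAlias $VpnInterfaceAlias | Format-Table -AutoSize
```

Two caveats when reading the output. While connected, the client usually resolves names through corporate DNS, so a CDN-fronted FQDN may return different addresses than it would off the VPN; run the check from the VPN-connected state that the exclusions are meant to cover. The script also checks IPv4 only; if the client has IPv6 reachability, the IPv6 networks in the list need the same treatment.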
Configure Microsoft Endpoint Configuration Manager
This recommendation assumes your Microsoft Endpoint Configuration Manager environment is on the current version, or at least on version 1902. Version 1902 introduced a key feature that allows systems to go directly to Microsoft Update for update packages instead of requiring a CMG or CDP. If you are on a version earlier than 1902, you will need to upgrade, or create a CMG/CDP and include it in the VPN split-tunnel configuration.
To configure Endpoint Configuration Manager:
- Configure a boundary for each of your VPN client’s IP ranges.
- Create a boundary group to control your VPN clients and assign the VPN boundaries to it.
- Configure the boundary group to leverage cloud sources (if the CMG or CDP exists). This is done by checking the “Prefer cloud-based sources over on-premises sources” box in the options tab of the boundary group.
- Configure your update deployments to use Microsoft Updates. When it is time to deploy a software update, the “If software updates are not available on distribution point in current, neighbor or site boundary groups, download content from Microsoft Updates” check box will need to be selected for clients to access Windows Update for the packages.
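The same four steps can be scripted with the ConfigurationManager PowerShell module that ships with the console, which makes them repeatable as VPN address pools change. The block below is an added example, not from the original report or from Microsoft's documentation. Its values are assumptions: site code P01, two VPN address pools, a device collection named "VPN Clients", a software update group named "2020-04 Security Updates", and a $HasCloudSource switch that is only set when a CMG or CDP exists.

```powershell
# Added example: Endpoint Configuration Manager setup for VPN clients via the
# ConfigurationManager module. All names, ranges and the site code are assumptions.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location 'P01:'                 # assumption: site code P01

$BoundaryGroupName = 'VPN Clients'
$HasCloudSource    = $false         # $true only if a CMG or CDP exists
$VpnPools = @{                      # assumption: address ranges the VPN hands out
    'VPN Pool - East' = '10.200.0.1-10.200.1.254'
    'VPN Pool - West' = '10.200.2.1-10.200.3.254'
}

# Step 1: one IP-range boundary per VPN pool (skips boundaries that already exist).
foreach ($name in $VpnPools.Keys) {
    if (-not (Get-CMBoundary -BoundaryName $name)) {
        New-CMBoundary -DisplayName $name -BoundaryType IPRange -Value $VpnPools[$name] | Out-Null
    }
}

# Step 2: a boundary group for VPN clients, with the VPN boundaries assigned.
if (-not (Get-CMBoundaryGroup -Name $BoundaryGroupName)) {
    New-CMBoundaryGroup -Name $BoundaryGroupName -DefaultSiteCode 'P01' | Out-Null
}
foreach ($name in $VpnPools.Keys) {
    Add-CMBoundaryToGroup -BoundaryName $name -BoundaryGroupName $BoundaryGroupName
}

# Step 3: only meaningful when a CMG/CDP exists; this is the
# "Prefer cloud-based sources over on-premises sources" option on the group.
if ($HasCloudSource) {
    Set-CMBoundaryGroup -Name $BoundaryGroupName -PreferCloudDPOverDP $true
}

# Step 4: deploy the update group to VPN clients and let them fall back to
# Microsoft Update when the content is not on a DP in the current, neighbor
# or site boundary groups (the console check box described above).
New-CMSoftwareUpdateDeployment -SoftwareUpdateGroupName '2020-04 Security Updates' `
    -CollectionName 'VPN Clients' `
    -DeploymentName 'VPN Clients - 2020-04 Security Updates' `
    -DeploymentType Required `
    -DownloadFromMicrosoftUpdate $true `
    -UnprotectedType UnprotectedDistributionPoint `
    -AllowUseMeteredNetwork $false `
    -UserNotification DisplaySoftwareCenterOnly | Out-Null
```

The -DownloadFromMicrosoftUpdate switch is the scripted form of the deployment check box named in the last step; -UnprotectedType UnprotectedDistributionPoint additionally allows the client to use a fallback distribution point before it reaches out to Microsoft Update. If a CMG is in play, the boundary group must also reference the CMG as a site system for the cloud preference to have anything to prefer.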
Tips for Split-Tunnel Success
To ensure remote clients receive timely patches without overburdening your VPN, it’s important to configure the VPN for split tunneling and then set up Microsoft Endpoint Configuration Manager to let clients get updates directly from the internet. To do this, organizations must:
- Evaluate existing controls: Before enacting the split tunnel, identify what controls would no longer be in place on the remote devices when accessing internet-based resources and networks, and weigh whether the performance trade-off is worth the risk.
- Only include well-controlled internet sources in VPN exclusions: Unless you have a mature workforce management and security program/controls (such as Microsoft’s Zero Trust methodology), the number of exclusions should be minimal and only include well-known locations.
- Understand that if a CMG or CDP isn’t used, SCCM’s cloud-based sources only cover products in Microsoft Update: All other software updates will still be sourced from servers on the internal network.
- Review Microsoft URLs and networks on a regular basis: While the URLs for Windows Update and other Microsoft cloud-based services tend to stay relatively static (typically only changing with new products or major version changes), the list of networks does change. For example, the list for Office 365 is compiled and published at the beginning of every month, with new IP addresses disclosed 30 days before they are used.
These guides for configuring common VPN clients are for Office 365, but they could be modified for Windows Update:
Choose a Viable Virtual Private Network (VPN) Option, June 26, 2019
Harden VPN, Video and IM Against Attacks Exploiting COVID-19, March 26, 2020
COVID-19 and the Cloud: Enabling Remote Work and Business as Usual, March 11, 2020
Any views or opinions presented in this document are solely those of the Faculty and do not necessarily represent the views and opinions of IANS. Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our written reports, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by the client in connection with such information, opinions, or advice.