VPN vs Remote Desktop - Avoiding Split Tunneling
I have been thinking about the pros and cons of implementing remote access using a VPN (such as OpenVPN) versus application-level remote access such as SSH or Remote Desktop.
One argument I have seen made for using Remote Desktop over a VPN is that any viruses or malicious software running on the connecting user's computer cannot directly affect the services running inside the corporate network.
Another argument for Remote Desktop is that, unlike a VPN, the user's computer network is not directly connected to the corporate network, so malicious traffic coming from the Internet cannot make its way into the remote network through the user's machine. With a VPN this exposure arises from so-called 'split tunnelling'.
Split tunnelling is when a VPN connection is established on a user's computer, but not all of their network traffic is forwarded down the tunnel to the corporate network's gateway. Instead, the VPN is configured to send only traffic for the subnets that belong to the corporate network down the VPN tunnel.
This is much more efficient, as normal Internet browsing still goes out of the end user's own connection. However, it arguably opens a security hole, because it could allow packets to be routed from the Internet directly into the internal corporate network via the end user's VPN tunnel.
Most VPN software has the ability to force all traffic down the VPN tunnel, which prevents traffic from the external Internet being routed down the VPN accidentally. However, this feature can be turned off by malicious clients, and there is always the possibility of clients enabling NAT on their computer to forge external traffic so that it appears to come from their VPN IP address.
So does this mean we shouldn't use VPNs?
I would argue not. Whilst accidental split tunnelling could cause problems, it can be mitigated by enabling the features in the VPN software that stop it, and by configuring a firewall on the VPN terminator to ensure that traffic arriving down the VPN tunnel only comes from the correct IP addresses (no external IP ranges!).
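The terminator-side check described above, as an added example that is not part of the original post: a small model of the ingress rule a VPN terminator should apply to packets arriving on its tunnel interface. The client address pool (10.8.0.0/24), the tunnel interface name (tun0) and the sample packets are all constructed for illustration. The rule drops anything arriving from the tunnel whose source address is not in the client pool, which is exactly what a client accidentally routing Internet traffic into its split tunnel, or spoofing an internal address, would produce. Note the caveat from the text: a client that NATs external traffic behind its own VPN address is indistinguishable from that client's legitimate traffic at this layer, so this rule handles the accidental leak, not a deliberately hostile client.

```python
import ipaddress
from dataclasses import dataclass

# Assumed topology for this example: VPN clients are handed addresses from
# 10.8.0.0/24 and their packets arrive on the terminator's tun0 interface.
VPN_CLIENT_POOL = ipaddress.ip_network("10.8.0.0/24")
TUNNEL_IFACE = "tun0"


@dataclass(frozen=True)
class Packet:
    """Minimal view of an IP packet as seen by the terminator's ingress filter."""
    iface: str  # interface the packet arrived on
    src: str    # source IP address
    dst: str    # destination IP address


def tun_ingress_verdict(pkt: Packet) -> tuple[str, str]:
    """Return (verdict, reason) for one packet.

    Equivalent nftables rule on the terminator (real syntax, assumed interface
    and pool):  iifname "tun0" ip saddr != 10.8.0.0/24 drop
    """
    if pkt.iface != TUNNEL_IFACE:
        # Not tunnel traffic; other firewall chains decide, this one passes it on.
        return ("pass", "not received on the tunnel interface")
    src = ipaddress.ip_address(pkt.src)
    if src not in VPN_CLIENT_POOL:
        # Either an Internet packet routed into the tunnel by a split-tunnelling
        # client, or a client spoofing an internal/external address.
        return ("drop", f"source {src} outside VPN client pool {VPN_CLIENT_POOL}")
    return ("accept", "source is an assigned VPN client address")


def audit(packets: list[Packet]) -> dict[str, list[Packet]]:
    """Group packets by verdict so the dropped ones can be reviewed or alerted on."""
    groups: dict[str, list[Packet]] = {"accept": [], "drop": [], "pass": []}
    for pkt in packets:
        verdict, _ = tun_ingress_verdict(pkt)
        groups[verdict].append(pkt)
    return groups


# Constructed sample traffic arriving at the terminator.
SAMPLE_PACKETS = [
    Packet("tun0", "10.8.0.5", "192.168.10.20"),      # legitimate client
    Packet("tun0", "10.8.0.9", "192.168.20.7"),       # legitimate client
    Packet("tun0", "203.0.113.7", "192.168.10.20"),   # Internet source leaked via client's split tunnel
    Packet("tun0", "192.168.10.50", "192.168.10.20"), # internal address arriving from the tunnel: spoofed
    Packet("tun0", "10.8.1.3", "192.168.10.20"),      # near miss: not in the /24 client pool
    Packet("eth0", "203.0.113.7", "192.168.10.20"),   # arrived on the WAN side, not this chain's concern
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        verdict, reason = tun_ingress_verdict(pkt)
        print(f"{pkt.iface:5} {pkt.src:>15} -> {pkt.dst:<15} {verdict:6} {reason}")
```

Running the block prints a verdict per packet; in practice the `drop` group is what you would log from the real firewall and alert on, since a steady stream of non-pool sources from one client is a strong sign that client has disabled the full-tunnel setting.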
Any malicious user you allow to connect to your servers, whether by VPN or by Remote Desktop, is likely to be able to cause harm.
Even if they cannot directly route traffic from outside into the VPN, they may still be able to steal sensitive data from the internal network using a simple 'copy and paste' technique over Remote Desktop.