Hmm... I'm as much a stickler as anyone for security (ask anyone :), however isn't this one of those situations where we're:
- attempting to avoid a *potential* cost (ex: a security breach)
- by paying a *certain* cost (ex: lost functionality, increased support costs, attempts to route around...)?
And it seems to me that the potential increase in risk (of allowing split-tunneling) is minor, since the "horse is already out of the barn" so to speak, in that the security of the remote machines connecting in to the VPN is an unknown. And that's pretty much the same as the vast majority of machines on campus too.
The cost/benefit doesn't seem to work out.
On Thu, Oct 14, 2010 at 10:32 PM, Dan Brisson wrote:
Bryan is correct that security best practices dictate not using split tunneling.