Split Tunneling and NIST 800-171

By Edward Tuorinsky

What is split tunneling in cyber security?

Split tunneling is a term often bandied about in cybersecurity. What does it really mean? Split tunneling diverts some data through an encrypted VPN connection while allowing other apps and data to reach the Internet directly. That is relevant for remote-access VPNs (like those used for working from home), where your computer is connected directly to a remote network at the office.

All VPNs are a network “tunnel.” Say your computer has information it wants to send to a remote device. Without a VPN, it sends that information into the network and lets it hop from device to device until it reaches its destination.

With a VPN, the computer first sends the information in encrypted form to a VPN termination point. There the original information is decrypted and sent on to its ultimate destination, which sees it arriving from the termination point as if it had travelled only that last hop rather than the dozens of hops the encrypted traffic actually crossed.

Split tunneling represents the best of both worlds: the speed and performance of an unencrypted link, and the data security when and where needed.

The pros and cons of split tunneling

Split tunneling alleviates bottlenecks and conserves bandwidth as Internet traffic does not have to pass through the VPN server. It’s advantageous when a user works at a supplier or partner site and needs access to resources on both private and public networks.

Consider the alternative where everything must pass through the VPN tunnel. If you are streaming a webinar or taking part in a video conference, a substantial amount of information is encrypted and sent through the VPN.

This detour means that information that has nothing to do with the corporate network is traversing that corporate internet link twice—it’s slower, it causes congestion, and it’s a nightmare for your network monitoring solution to parse.

Another disadvantage to tunneling everything is that it can prevent your computer from talking to your printer or other local devices.

Split tunneling addresses these issues by allowing VPN users to direct their non-corporate traffic to the Internet without involving corporate links or equipment.

The cons of split tunneling can be summed up in two words: security compromises. There are compelling reasons why many companies accept the performance hit of driving all traffic through their VPN connection: it allows them to block known malware and control access to inappropriate sites on the Internet.

If the corporate VPN redirects Internet traffic through a central point, it can also route that traffic through security devices. For instance, intrusion prevention systems (IPS) look for malicious content. Because very few end users have the same security infrastructure on their home networks, forcing all that traffic through the corporate infrastructure essentially places your home network behind the corporate perimeter, which is arguably safer.

Or, for those on a public Wi-Fi network in a coffee shop or hotel, devices on the local network should be treated as hostile by default. They could be snooping on your traffic and trying to break into your computer over local protocols. Therefore, it makes sense to encrypt everything and send it to a central VPN host before forwarding it to the internet.

Security and split tunneling

The main reason IT security pros cite for disabling split tunneling has to do with endpoint vulnerabilities. Attacks against corporate infrastructure typically begin by compromising an end user’s computer. From there, attackers exploit any trust relationships associated with that computer. They can also snoop on things you might type, like user IDs and passwords.

Exploiting this kind of vulnerability requires that the attacker has access to your computer while your computer has access to the corporate network. With split tunneling disabled, the corporate security infrastructure has a chance to intercept the attacker’s command and control traffic.

CMMC requirements regarding split tunneling

Per NIST SP 800-171 Rev 2 3.13.7 and CMMC SC.L2-3.13.7, the requirement for split tunneling is:

Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).

Exactly what does this mean? The remote device is the laptop used by an employee when they are not in their normal operating location. A home office cannot be declared the normal operating location, because it would then require the same protections as your normal office space.

Organizational systems: these are all the other systems in your system scope per NIST SP 800-171 para 1.1.

Non-remote connections with organizational systems occur when the VPN tunnel is established and creates an encrypted connection between the gateway and the user device that allows the remote device access to internal resources as if it was in the office.

Put simply, a company user who is not working in the office on the organization’s internal network cannot access both internal assets via VPN services and external, untrusted information systems unless that external traffic goes through the organization’s firewalls. To meet the requirement, split tunneling must be disabled.

With split tunneling enabled, a remote hacker can compromise the laptop. The hacker then realizes there is a remote connection to the laptop’s organization. The hacker exploits that remote connection to exfiltrate data or tries to break into and control the organization’s systems internally.

With split tunneling disabled, when the user tries to reach the malicious website, the traffic goes up the VPN tunnel, and the VPN gateway’s firewall either blocks the traffic before the connection is made or detects the malicious traffic patterns and blocks the connection from going any further.

Should you use split tunneling for your organization’s security?

While speed and performance are tempting, security remains the top priority for many organizations. DTS, therefore, recommends a cloud-based Secure Access Service Edge (SASE) product to securely connect users, systems, and endpoints to applications and services anywhere. Our partner, Perimeter 81, offers one that allows companies to set up gateways wherever employees are working, around the world, to minimize network latency and scale up and scale down as needed.

DTS consults on security situations for organizations looking at best practices or required to comply with CMMC or other controls. To start the conversation, sign up for a free 30-minute consultation at our contact page.
