3.13.7—System and Communications Protection - Derived
>Control Description
>Discussion
Split tunneling might be desirable by remote users to communicate with local system resources such as printers or file servers. However, split tunneling allows unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information. This requirement is implemented in remote devices (e.g., notebook computers, smart phones, and tablets) through configuration settings to disable split tunneling in those devices, and by preventing configuration settings from being readily configurable by users.
This requirement is implemented in the system by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling.
>Cross-Framework Mappings
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What policies govern preventing split tunneling for remote access?
- •What procedures ensure remote devices route all traffic through VPN?
- •Who is responsible for enforcing split tunneling prevention?
- •What governance ensures no unauthorized network paths exist?
- •What training addresses split tunneling risks?
Technical Implementation:
- •How do you technically prevent split tunneling?
- •What VPN configurations enforce full tunnel mode?
- •How do you verify remote devices only use approved network paths?
- •What monitoring detects split tunneling attempts?
- •What endpoint controls prevent simultaneous network connections?
Evidence & Documentation:
- •Can you show VPN configurations preventing split tunneling?
- •What evidence demonstrates full tunnel enforcement?
- •Can you provide logs showing blocked split tunneling attempts?
- •What technical documentation shows split tunnel prevention?
- •What audit findings verify split tunneling compliance?
Ask AI
Configure your API key to use AI features.