Join us at Netskope’s SASE Summit, coming to a city near you! Register now.

  • Security Service Edge Products

    Protect against advanced and cloud-enabled threats and safeguard data across all vectors.

  • Borderless SD-WAN

    Confidently provide secure, high-performance access to every remote user, device, site, and cloud.

  • Platform

    Unrivaled visibility and real-time data and threat protection on the world's largest security private cloud.

The platform of the future is Netskope

Intelligent Security Service Edge (SSE), Cloud Access Security Broker (CASB), Cloud Firewall, Next Generation Secure Web Gateway (SWG), and Private Access for ZTNA built natively into a single solution to help every business on its journey to Secure Access Service Edge (SASE) architecture.

Go to Products Overview
Netskope video
Borderless SD-WAN: Ushering in the New Era of Borderless Enterprise

Netskope Borderless SD-WAN offers an architecture that converges zero trust principles and assured application performance to provide unprecedented secure, high-performance connectivity for every site, cloud, remote user, and IoT device.

Read the article
Borderless SD-WAN
Netskope delivers a modern cloud security stack, with unified capabilities for data and threat protection, plus secure private access.

Explore our platform
Birds eye view metropolitan city
Make the move to market-leading cloud security services with minimal latency and high reliability.

Learn about NewEdge
Lighted highway through mountainside switchbacks
Safely enable the use of generative AI applications with application access control, real-time user coaching, and best-in-class data protection.

Learn how we secure generative AI use
Safely Enable ChatGPT and Generative AI
Zero trust solutions for SSE and SASE deployments

Learn about Zero Trust
Boat driving through open sea
Netskope enables a safe, cloud-smart, and fast journey to adopt cloud services, apps, and public cloud infrastructure.

Learn about Industry Solutions
Wind turbines along cliffside
  • Our Customers

    Netskope serves more than 2,000 customers worldwide including more than 25 of the Fortune 100

  • Customer Solutions

    We are here for you and with you every step of the way, ensuring your success with Netskope.

  • Training and Certification

    Netskope training will help you become a cloud security expert.

We help our customers to be Ready for Anything

See our Customers
Woman smiling with glasses looking out window
Netskope’s talented and experienced Professional Services team provides a prescriptive approach to your successful implementation.

Learn about Professional Services
Netskope Professional Services
Secure your digital transformation journey and make the most of your cloud, web, and private applications with Netskope training.

Learn about Training and Certifications
Group of young professionals working
  • Resources

    Learn more about how Netskope can help you secure your journey to the cloud.

  • Blog

    Learn how Netskope enables security and networking transformation through security service edge (SSE).

  • Events & Workshops

    Stay ahead of the latest security trends and connect with your peers.

  • Security Defined

    Everything you need to know in our cybersecurity encyclopedia.

Security Visionaries Podcast

Bonus Episode 2: The Magic Quadrant for SSE and Getting SASE Right
Mike and Steve discuss the Gartner® Magic Quadrant™ for Security Service Edge (SSE), Netskope’s positioning, and how the current economic climate will impact the SASE journey.

Play the podcast
Bonus Episode 2: The Magic Quadrant for SSE and Getting SASE Right
Latest Blogs

How Netskope can enable the Zero Trust and SASE journey through security service edge (SSE) capabilities.

Read the blog
Sunrise and cloudy sky
Netskope AWS Immersion Day World Tour 2023

Netskope has developed a variety of hands-on labs, workshops, in-depth webinars and demos to educate and assist AWS customers in the usage and deployment of Netskope products.

Learn about AWS Immersion Day
AWS Partner
What is Security Service Edge?

Explore the security side of SASE, the future of network and protection in the cloud.

Learn about Security Service Edge
Four-way roundabout
  • Company

    We help you stay ahead of cloud, data, and network security challenges.

  • Why Netskope

    Cloud transformation and work from anywhere have changed how security needs to work.

  • Leadership

    Our leadership team is fiercely committed to doing everything it takes to make our customers successful.

  • Partners

    We partner with security leaders to help you secure your journey to the cloud.

Netskope enables the future of work.

Find out more
Curvy road through wooded area
Highest in Execution. Furthest in Vision.

Netskope recognized as a Leader in the 2023 Gartner® Magic Quadrant™ for Security Service Edge.

Get the report
Netskope recognized as a Leader in the 2023 Gartner® Magic Quadrant™ for Security Service Edge.
Thinkers, builders, dreamers, innovators. Together, we deliver cutting-edge cloud security solutions to help our customers protect their data and people.

Meet our team
Group of hikers scaling a snowy mountain
Netskope’s partner-centric go-to-market strategy enables our partners to maximize their growth and profitability while transforming enterprise security.

Learn about Netskope Partners
Group of diverse young professionals smiling

Beyond the Binary: A Third Contender in the Full Tunnel vs. Split Tunnel VPN Debate

Sep 16 2021

Co-authored by James Robinson and Jeff Kessler

As rapidly as wide-area networking (WAN) and remote access strategies with associated technologies are changing, we’re always surprised by the amount of time some security professionals and auditors dedicate to the either/or debate between split tunnel and full tunnel connectivity. 

History can partially explain how we got here. Long before COVID-19 reared its ugly head, corporate security teams were already grappling with how best to protect remote connectivity. First, they directed all employees working remotely to reach the corporate network via VPN, which meant all traffic was routed through the firewall/VPN concentrator in the enterprise data center. When these users were only, or primarily, accessing applications housed inside the corporate network, that made sense, although bandwidth limitations sometimes reduced application performance. A middle ground many of us found (we liked to call it splint-tunneling) was also to enable direct connections for “approved” cloud services while everything else was sent to the data center.  However, this approach still had weaknesses including the abuse of these exposed cloud services and the lack of visibility by security teams.  As cloud solutions became more and more prevalent, forcing traffic traveling from remote offices to cloud-based applications (and vice versa) to make a pitstop in the data center began to make less and less sense. 

The easy solution was to reduce unnecessary backhauling to the data center by letting remote machines talk directly to the internet. Many security teams implemented “split tunneling,” by which traffic that needs to pass through the corporate network utilizes VPN connections, while traffic that is headed to the internet goes there directly without visiting the data center at all. 

But easy is not security and split tunneling raises massive red flags for security teams. Internet browsers, software-as-a-service (SaaS) applications, and streaming technologies create new attack vectors for malware. Unless these solutions’ data streams flow through the corporate firewall, the company is relying solely on endpoint protection solutions for threat detection and mitigation. If a DNS or ICMP attack were to succeed in bypassing endpoint security, not only could it be used as a covert channel, but it could also be the entry point to the enterprise over the VPN connection. Historically security teams have not had good visibility into these kinds of attacks where the command and control traffic is asynchronous to the tunneled traffic that goes into the enterprise. Furthermore, these split-tunneled systems were mini-pivot points allowing the compromise of a system to be entry into data center secured systems and applications. 

Split tunneling was already problematic and controversial before COVID. It was hard to manage the complexity of source to destination ports and protocols resulting in many companies using an all or none approach to accessing systems/apps or requiring jump boxes and other technologies to be offered up for end-users.  Then the pandemic hit, leading businesses around the world to send large portions of their workforce home. And for companies that were still relying on full tunnel connectivity a year ago, backhauling all traffic through the data center, the sudden COVID-driven leap in traffic volume slowed performance to a crawl for WAN end users. Scalability was also hard to measure for the unexpected increase in volume. This rush for procuring and implementing additional infrastructure to support the increased volume of traffic didn’t allow for much time to secure, harden, and monitor this new infrastructure.

Secure multipoint tunneling offers another option

What, then, is a security team to do when Microsoft 365, Google Workspace, and even teleconferencing applications like Zoom underpin almost every facet of corporate operations? Should security leaders insist on VPN backhauling, adding latency that may undermine employee productivity? Should they use PAC files and other technologies which add complexity and have complex models for management? Or should they eliminate filtering on internet traffic, with all the dangers that approach entails?

My answer, as a security leader who’s been tested plenty, is neither of the above. Instead, security teams should expand their horizons and consider a third solution to the dilemma—secure multipoint tunneling. It’s a model of network architecture in which remote traffic enters the corporate network only if the data center is its final destination. But unlike split tunneling, secure multipoint tunneling does not leave other traffic unprotected. As the name implies, secure multipoint tunneling routes communications to and from cloud-based resources through a second tunnel, which is protected by a cloud firewall.

Example image of multipoint tunneling architecture

Essentially, in a modern organization with an assortment of different attack surfaces, this approach establishes a TLS  connection to each network edge. On-premises and cloud-based resources are monitored by specialized security tools, and traffic reaches each destination through a separate secure tunnel. The security team can centrally monitor and apply controls to all traffic, whether or not it’s backhauled to the data center. In fact, I like to think of the traffic headed for the cloud firewall as being not backhauled but instead “uphauled.”

Shades of gray improve control and compliance

Such an architecture accelerates traffic headed to the corporate data center because far fewer communications are competing for that VPN bandwidth. At the same time, secure multipoint tunneling applies enterprise-grade security to direct-to-internet traffic, so the company isn’t relying on endpoint protection solutions to fully lock down cloud connections. 

Perhaps most important, a well-designed security infrastructure utilizing secure multipoint tunneling should include a dashboard that provides the corporate security team with single-pane-of-glass visibility into security events across each of the tunnels. All ports, protocols, and telemetry should tie in, whether they lead to the data center or the cloud. 

This approach gives end-users effective protection with minimal performance impact and offers security administrators greater confidence that remote systems’ controls are strong enough to fend off evolving threats. It also enables security teams to adopt Zero Trust and Adaptive Trust architectures that can help secure enterprises as well as appease auditors, who may have compliance concerns about a network architecture that leverages split tunneling with minimal security for cloud-direct traffic. 

Many readers may agree with the use of secure multipoint tunneling as a solid approach to remote access however, our audit and third-party risk team do not understand the model or have not been given the guidance for when the model and approach should be used.  In other cases as security professionals, we’ve gotten into the habit of seeing full tunneling and split tunneling as our only options. But WAN architecture is not limited to this oversimplified either/or. Like most things in life, WANs are available in a range of options. Selecting the right approach requires security pros to think beyond the binary.

author image
James Robinson
James is a seasoned professional with nearly 20 years of experience in security engineering, architecture and strategy. He develops and delivers a comprehensive suite of strategic services and solutions that help executives change their security strategies through innovation.