Accélérez votre parcours Security Service Edge. Rejoignez Netskope chez RSA.

  • Produits de périphérie du service de sécurité

    Protégez-vous contre les menaces avancées et compatibles avec le cloud et protégez les données sur tous les vecteurs.

  • Borderless SD-WAN

    Fournissez en toute confiance un accès sécurisé et performant à chaque utilisateur, appareil, site et cloud distant.

  • Plateforme

    Une visibilité inégalée et une protection des données et des menaces en temps réel sur le plus grand cloud privé de sécurité au monde.

Netskope reconnu comme un des leaders dans le rapport du Magic Quadrant™ 2022 du Gartner dédié au SSE

Recevoir le rapport Présentation des produits
Netskope gartner mq 2022 leader sse
Réponse rapide de Gartner® : Quel est l'impact de l'acquisition d'Infiot par Netskope sur les projets SD-WAN, SASE et SSE ?

Recevoir le rapport
Gartner quick answer
Netskope offre une solution moderne de sécurité du cloud, dotée de fonctions unifiées en matière de protection des données et de détection des menaces, et d'un accès privé sécurisé.

Découvrir notre plateforme
Vue aérienne d'une métropole
Optez pour les meilleurs services de sécurité cloud du marché, avec un temps de latence minimum et une fiabilité élevée.

Plus d'informations
Lighted highway through mountainside switchbacks
Neutralisez les menaces qui échappent souvent à d'autres solutions de sécurité à l'aide d'un framework SSE unifié.

Plus d'informations
Lighting storm over metropolitan area
Solutions Zero Trust pour les déploiements du SSE et du SASE

Plus d'informations
Boat driving through open sea
Netskope permet à toutes les entreprises d'adopter des services et des applications cloud ainsi que des infrastructures cloud publiques rapidement et en toute sécurité.

Plus d'informations
Wind turbines along cliffside
  • Nos clients

    Netskope sert plus de 2 000 clients dans le monde, dont plus de 25 des entreprises du classement Fortune 100

  • Solutions pour les clients

    Nous sommes là pour vous et avec vous à chaque étape, pour assurer votre succès avec Netskope.

  • Formation et certification

    Avec Netskope, devenez un expert de la sécurité du cloud.

Nous parons nos clients à l'avenir, quel qu'il soit

Voir nos clients
Woman smiling with glasses looking out window
L’équipe de services professionnels talentueuse et expérimentée de Netskope propose une approche prescriptive pour une mise en œuvre réussie.

Plus d'informations
Services professionnels Netskope
Sécurisez votre parcours de transformation numérique et tirez le meilleur parti de vos applications cloud, Web et privées grâce à la formation Netskope.

Plus d'informations
Group of young professionals working
  • Ressources

    Découvrez comment Netskope peut vous aider à sécuriser votre migration vers le Cloud.

  • Blog

    Découvrez comment Netskope permet de transformer la sécurité et les réseaux à l'aide du Security Service Edge (SSE).

  • Événements et ateliers

    Restez à l'affût des dernières tendances en matière de sécurité et créez des liens avec vos pairs.

  • Définition de la sécurité

    Tout ce que vous devez savoir dans notre encyclopédie de la cybersécurité.

Podcast Security Visionaries

Episode 10 : Construire des relations de sécurité par la transparence
In this episode, Mike and Andreas discuss aligning with works councils, forging business relationships through transparency, and embedding security into value streams.

Écouter le podcast
Building Security Relationships Through Transparency
Découvrez comment Netskope permet de passer au Zero Trust et au modèle SASE grâce aux fonctions du Security Service Edge (SSE).

Lire le blog
Sunrise and cloudy sky
Netskope at RSA

Join Netskope at RSA Conference this year and be part of the real conversations on SASE and Zero Trust. Stop by our booth in South Hall, chat with an expert, register for our speaking sessions, and unwind by joining us at one of our events!

Plus d'informations
RSA logo
Qu'est-ce que le Security Service Edge ?

Découvrez le côté sécurité de SASE, l'avenir du réseau et de la protection dans le cloud.

Plus d'informations
Four-way roundabout
  • Entreprise

    Nous vous aidons à conserver une longueur d'avance sur les défis posés par le cloud, les données et les réseaux en matière de sécurité.

  • Pourquoi Netskope

    La transformation du cloud et le travail à distance ont révolutionné le fonctionnement de la sécurité.

  • Équipe de direction

    Nos dirigeants sont déterminés à faciliter la réussite de nos clients.

  • Partenaires

    Nous collaborons avec des leaders de la sécurité pour vous aider à sécuriser votre transition vers le cloud.

Netskope permet l'avenir du travail.

En savoir plus
Curvy road through wooded area
Netskope redéfinit la sécurité du cloud, des données et des réseaux afin d'aider les entreprises à appliquer les principes Zero Trust pour protéger leurs données.

Plus d'informations
Switchback road atop a cliffside
Penseurs, concepteurs, rêveurs, innovateurs. Ensemble, nous fournissons le nec plus ultra des solutions de sécurité cloud afin d'aider nos clients à protéger leurs données et leurs collaborateurs.

Rencontrez notre équipe
Group of hikers scaling a snowy mountain
La stratégie de commercialisation de Netskope privilégie ses partenaires, ce qui leur permet de maximiser leur croissance et leur rentabilité, tout en transformant la sécurité des entreprises.

Plus d'informations
Group of diverse young professionals smiling

Beyond the Binary: A Third Contender in the Full Tunnel vs. Split Tunnel VPN Debate

Sep 16 2021

Co-authored by James Robinson and Jeff Kessler

As rapidly as wide-area networking (WAN) and remote access strategies with associated technologies are changing, we’re always surprised by the amount of time some security professionals and auditors dedicate to the either/or debate between split tunnel and full tunnel connectivity. 

History can partially explain how we got here. Long before COVID-19 reared its ugly head, corporate security teams were already grappling with how best to protect remote connectivity. First, they directed all employees working remotely to reach the corporate network via VPN, which meant all traffic was routed through the firewall/VPN concentrator in the enterprise data center. When these users were only, or primarily, accessing applications housed inside the corporate network, that made sense, although bandwidth limitations sometimes reduced application performance. A middle ground many of us found (we liked to call it splint-tunneling) was also to enable direct connections for “approved” cloud services while everything else was sent to the data center.  However, this approach still had weaknesses including the abuse of these exposed cloud services and the lack of visibility by security teams.  As cloud solutions became more and more prevalent, forcing traffic traveling from remote offices to cloud-based applications (and vice versa) to make a pitstop in the data center began to make less and less sense. 

The easy solution was to reduce unnecessary backhauling to the data center by letting remote machines talk directly to the internet. Many security teams implemented “split tunneling,” by which traffic that needs to pass through the corporate network utilizes VPN connections, while traffic that is headed to the internet goes there directly without visiting the data center at all. 

But easy is not security and split tunneling raises massive red flags for security teams. Internet browsers, software-as-a-service (SaaS) applications, and streaming technologies create new attack vectors for malware. Unless these solutions’ data streams flow through the corporate firewall, the company is relying solely on endpoint protection solutions for threat detection and mitigation. If a DNS or ICMP attack were to succeed in bypassing endpoint security, not only could it be used as a covert channel, but it could also be the entry point to the enterprise over the VPN connection. Historically security teams have not had good visibility into these kinds of attacks where the command and control traffic is asynchronous to the tunneled traffic that goes into the enterprise. Furthermore, these split-tunneled systems were mini-pivot points allowing the compromise of a system to be entry into data center secured systems and applications. 

Split tunneling was already problematic and controversial before COVID. It was hard to manage the complexity of source to destination ports and protocols resulting in many companies using an all or none approach to accessing systems/apps or requiring jump boxes and other technologies to be offered up for end-users.  Then the pandemic hit, leading businesses around the world to send large portions of their workforce home. And for companies that were still relying on full tunnel connectivity a year ago, backhauling all traffic through the data center, the sudden COVID-driven leap in traffic volume slowed performance to a crawl for WAN end users. Scalability was also hard to measure for the unexpected increase in volume. This rush for procuring and implementing additional infrastructure to support the increased volume of traffic didn’t allow for much time to secure, harden, and monitor this new infrastructure.

Secure multipoint tunneling offers another option

What, then, is a security team to do when Microsoft 365, Google Workspace, and even teleconferencing applications like Zoom underpin almost every facet of corporate operations? Should security leaders insist on VPN backhauling, adding latency that may undermine employee productivity? Should they use PAC files and other technologies which add complexity and have complex models for management? Or should they eliminate filtering on internet traffic, with all the dangers that approach entails?

My answer, as a security leader who’s been tested plenty, is neither of the above. Instead, security teams should expand their horizons and consider a third solution to the dilemma—secure multipoint tunneling. It’s a model of network architecture in which remote traffic enters the corporate network only if the data center is its final destination. But unlike split tunneling, secure multipoint tunneling does not leave other traffic unprotected. As the name implies, secure multipoint tunneling routes communications to and from cloud-based resources through a second tunnel, which is protected by a cloud firewall.

Example image of multipoint tunneling architecture

Essentially, in a modern organization with an assortment of different attack surfaces, this approach establishes a TLS  connection to each network edge. On-premises and cloud-based resources are monitored by specialized security tools, and traffic reaches each destination through a separate secure tunnel. The security team can centrally monitor and apply controls to all traffic, whether or not it’s backhauled to the data center. In fact, I like to think of the traffic headed for the cloud firewall as being not backhauled but instead “uphauled.”

Shades of gray improve control and compliance

Such an architecture accelerates traffic headed to the corporate data center because far fewer communications are competing for that VPN bandwidth. At the same time, secure multipoint tunneling applies enterprise-grade security to direct-to-internet traffic, so the company isn’t relying on endpoint protection solutions to fully lock down cloud connections. 

Perhaps most important, a well-designed security infrastructure utilizing secure multipoint tunneling should include a dashboard that provides the corporate security team with single-pane-of-glass visibility into security events across each of the tunnels. All ports, protocols, and telemetry should tie in, whether they lead to the data center or the cloud. 

This approach gives end-users effective protection with minimal performance impact and offers security administrators greater confidence that remote systems’ controls are strong enough to fend off evolving threats. It also enables security teams to adopt Zero Trust and Adaptive Trust architectures that can help secure enterprises as well as appease auditors, who may have compliance concerns about a network architecture that leverages split tunneling with minimal security for cloud-direct traffic. 

Many readers may agree with the use of secure multipoint tunneling as a solid approach to remote access however, our audit and third-party risk team do not understand the model or have not been given the guidance for when the model and approach should be used.  In other cases as security professionals, we’ve gotten into the habit of seeing full tunneling and split tunneling as our only options. But WAN architecture is not limited to this oversimplified either/or. Like most things in life, WANs are available in a range of options. Selecting the right approach requires security pros to think beyond the binary.

author image
James Robinson
James is a seasoned professional with nearly 20 years of experience in security engineering, architecture and strategy. He develops and delivers a comprehensive suite of strategic services and solutions that help executives change their security strategies through innovation.