Junte-se a nós no SASE Summit da Netskope, chegando a uma cidade perto de você! Registre-se agora.

  • Produtos de Serviço de Segurança Edge

    Proteger-se contra ameaças avançadas e com nuvens e salvaguardar os dados em todos os vetores.

  • Borderless SD-WAN

    Confidentemente, proporcionar acesso seguro e de alto desempenho a cada usuário remoto, dispositivo, site, e nuvem.

  • Plataforma

    Visibilidade incomparável e proteção de dados e contra ameaças em tempo real na maior nuvem privada de segurança do mundo.

A plataforma do futuro é a Netskope

Intelligent Security Service Edge (SSE), Cloud Access Security Broker (CASB), Cloud Firewall, Next Generation Secure Web Gateway (SWG) e Private Access for ZTNA integrados nativamente em uma única solução para ajudar todas as empresas em sua jornada para o Secure Access Service Arquitetura de borda (SASE).

Vá para a plataforma
Vídeo da Netskope
Borderless SD-WAN: Desbravando na Nova Era da Empresa Sem Fronteiras

Netskope Borderless SD-WAN oferece uma arquitetura que converge princípios de confiança zero e desempenho de aplicativo garantido para fornecer conectividade segura e de alto desempenho sem precedentes para cada site, nuvem, usuário remoto e dispositivo IoT.

Read the article
Borderless SD-WAN
A Netskope oferece uma pilha de segurança na nuvem moderna, com capacidade unificada para proteção de dados e ameaças, além de acesso privado seguro.

Explore a nossa plataforma
Birds eye view metropolitan city
Mude para serviços de segurança na nuvem líderes de mercado com latência mínima e alta confiabilidade.

Conheça a NewEdge
Lighted highway through mountainside switchbacks
Permita com segurança o uso de aplicativos generativos de IA com controle de acesso a aplicativos, treinamento de usuários em tempo real e a melhor proteção de dados da categoria.

Saiba como protegemos o uso de IA generativa
Safely Enable ChatGPT and Generative AI
Soluções de zero trust para a implementação de SSE e SASE

Learn about Zero Trust
Boat driving through open sea
A Netskope permite uma jornada segura, inteligente e rápida para a adoção de serviços em nuvem, aplicações e infraestrutura de nuvem pública.

Learn about Industry Solutions
Wind turbines along cliffside
  • Nossos clientes

    Netskope atende a mais de 2.000 clientes em todo o mundo, incluindo mais de 25 dos 100 da Fortune.

  • Customer Solutions

    Estamos aqui junto com você a cada passo da sua trajetória, assegurando seu sucesso com a Netskope.

  • Treinamento e certificação

    Os treinamentos da Netskope vão ajudar você a ser um especialista em segurança na nuvem.

Ajudamos nossos clientes a estarem prontos para tudo

Ver nossos clientes
Woman smiling with glasses looking out window
A talentosa e experiente equipe de Serviços Profissionais da Netskope fornece uma abordagem prescritiva para sua implementação bem sucedida.

Learn about Professional Services
Netskope Professional Services
Proteja sua jornada de transformação digital e aproveite ao máximo seus aplicativos de nuvem, web e privados com o treinamento da Netskope.

Learn about Training and Certifications
Group of young professionals working
  • Recursos

    Saiba mais sobre como a Netskope pode ajudá-lo a proteger sua jornada para a nuvem.

  • Blog

    Saiba como a Netskope viabiliza a segurança e a transformação de redes através do security service edge (SSE).

  • Eventos e workshops

    Esteja atualizado sobre as últimas tendências de segurança e conecte-se com seus pares.

  • Security Defined

    Tudo o que você precisa saber em nossa enciclopédia de segurança cibernética.

Podcast Security Visionaries

Bônus Episódio 2: O Quadrante Mágico para SSE e como acertar o SASE
Mike e Steve discutem o Gartner® Magic Quadrant™ para Security Service Edge (SSE), o posicionamento da Netskope e como o clima econômico atual afetará a jornada do SASE.

Reproduzir o podcast
Bônus Episódio 2: O Quadrante Mágico para SSE e como acertar o SASE
Últimos blogs

Como a Netskope pode habilitar a jornada Zero Trust e SASE por meio dos recursos de borda de serviço de segurança (SSE).

Leia o Blog
Sunrise and cloudy sky
Netskope AWS Immersion Day World Tour 2023

A Netskope desenvolveu uma variedade de laboratórios práticos, workshops, webinars detalhados e demonstrações para educar e auxiliar os clientes da AWS no uso e implantação dos produtos Netskope.

Learn about AWS Immersion Day
Parceiro da AWS
O que é o Security Service Edge?

Explore o lado de segurança de SASE, o futuro da rede e proteção na nuvem.

Learn about Security Service Edge
Four-way roundabout
  • Empresa

    Ajudamos você a antecipar os desafios da nuvem, dos dados e da segurança da rede.

  • Por que Netskope

    A transformação da nuvem e o trabalho em qualquer lugar mudaram a forma como a segurança precisa funcionar.

  • Liderança

    Nossa equipe de liderança está fortemente comprometida em fazer tudo o que for preciso para tornar nossos clientes bem-sucedidos.

  • Parceiros

    Fazemos parceria com líderes de segurança para ajudá-lo a proteger sua jornada para a nuvem.

Apoiando a sustentabilidade por meio da segurança de dados

A Netskope tem o orgulho de participar da Visão 2045: uma iniciativa destinada a aumentar a conscientização sobre o papel da indústria privada na sustentabilidade.

Saiba mais
Supporting Sustainability Through Data Security
O mais alto nível de Execução. A Visão mais avançada.

A Netskope foi reconhecida como Líder no Magic Quadrant™ do Gartner® de 2023 para SSE.

Obtenha o Relatório
A Netskope foi reconhecida como Líder no Magic Quadrant™ do Gartner® de 2023 para SSE.
Pensadores, construtores, sonhadores, inovadores. Juntos, fornecemos soluções de segurança na nuvem de última geração para ajudar nossos clientes a proteger seus dados e seu pessoal.

Conheça nossa equipe
Group of hikers scaling a snowy mountain
A estratégia de comercialização da Netskope, focada em Parcerias, permite que nossos Parceiros maximizem seu crescimento e lucratividade enquanto transformam a segurança corporativa.

Learn about Netskope Partners
Group of diverse young professionals smiling

Beyond the Binary: A Third Contender in the Full Tunnel vs. Split Tunnel VPN Debate

Sep 16 2021

Co-authored by James Robinson and Jeff Kessler

As rapidly as wide-area networking (WAN) and remote access strategies with associated technologies are changing, we’re always surprised by the amount of time some security professionals and auditors dedicate to the either/or debate between split tunnel and full tunnel connectivity. 

History can partially explain how we got here. Long before COVID-19 reared its ugly head, corporate security teams were already grappling with how best to protect remote connectivity. First, they directed all employees working remotely to reach the corporate network via VPN, which meant all traffic was routed through the firewall/VPN concentrator in the enterprise data center. When these users were only, or primarily, accessing applications housed inside the corporate network, that made sense, although bandwidth limitations sometimes reduced application performance. A middle ground many of us found (we liked to call it splint-tunneling) was also to enable direct connections for “approved” cloud services while everything else was sent to the data center.  However, this approach still had weaknesses including the abuse of these exposed cloud services and the lack of visibility by security teams.  As cloud solutions became more and more prevalent, forcing traffic traveling from remote offices to cloud-based applications (and vice versa) to make a pitstop in the data center began to make less and less sense. 

The easy solution was to reduce unnecessary backhauling to the data center by letting remote machines talk directly to the internet. Many security teams implemented “split tunneling,” by which traffic that needs to pass through the corporate network utilizes VPN connections, while traffic that is headed to the internet goes there directly without visiting the data center at all. 

But easy is not security and split tunneling raises massive red flags for security teams. Internet browsers, software-as-a-service (SaaS) applications, and streaming technologies create new attack vectors for malware. Unless these solutions’ data streams flow through the corporate firewall, the company is relying solely on endpoint protection solutions for threat detection and mitigation. If a DNS or ICMP attack were to succeed in bypassing endpoint security, not only could it be used as a covert channel, but it could also be the entry point to the enterprise over the VPN connection. Historically security teams have not had good visibility into these kinds of attacks where the command and control traffic is asynchronous to the tunneled traffic that goes into the enterprise. Furthermore, these split-tunneled systems were mini-pivot points allowing the compromise of a system to be entry into data center secured systems and applications. 

Split tunneling was already problematic and controversial before COVID. It was hard to manage the complexity of source to destination ports and protocols resulting in many companies using an all or none approach to accessing systems/apps or requiring jump boxes and other technologies to be offered up for end-users.  Then the pandemic hit, leading businesses around the world to send large portions of their workforce home. And for companies that were still relying on full tunnel connectivity a year ago, backhauling all traffic through the data center, the sudden COVID-driven leap in traffic volume slowed performance to a crawl for WAN end users. Scalability was also hard to measure for the unexpected increase in volume. This rush for procuring and implementing additional infrastructure to support the increased volume of traffic didn’t allow for much time to secure, harden, and monitor this new infrastructure.

Secure multipoint tunneling offers another option

What, then, is a security team to do when Microsoft 365, Google Workspace, and even teleconferencing applications like Zoom underpin almost every facet of corporate operations? Should security leaders insist on VPN backhauling, adding latency that may undermine employee productivity? Should they use PAC files and other technologies which add complexity and have complex models for management? Or should they eliminate filtering on internet traffic, with all the dangers that approach entails?

My answer, as a security leader who’s been tested plenty, is neither of the above. Instead, security teams should expand their horizons and consider a third solution to the dilemma—secure multipoint tunneling. It’s a model of network architecture in which remote traffic enters the corporate network only if the data center is its final destination. But unlike split tunneling, secure multipoint tunneling does not leave other traffic unprotected. As the name implies, secure multipoint tunneling routes communications to and from cloud-based resources through a second tunnel, which is protected by a cloud firewall.

Example image of multipoint tunneling architecture

Essentially, in a modern organization with an assortment of different attack surfaces, this approach establishes a TLS  connection to each network edge. On-premises and cloud-based resources are monitored by specialized security tools, and traffic reaches each destination through a separate secure tunnel. The security team can centrally monitor and apply controls to all traffic, whether or not it’s backhauled to the data center. In fact, I like to think of the traffic headed for the cloud firewall as being not backhauled but instead “uphauled.”

Shades of gray improve control and compliance

Such an architecture accelerates traffic headed to the corporate data center because far fewer communications are competing for that VPN bandwidth. At the same time, secure multipoint tunneling applies enterprise-grade security to direct-to-internet traffic, so the company isn’t relying on endpoint protection solutions to fully lock down cloud connections. 

Perhaps most important, a well-designed security infrastructure utilizing secure multipoint tunneling should include a dashboard that provides the corporate security team with single-pane-of-glass visibility into security events across each of the tunnels. All ports, protocols, and telemetry should tie in, whether they lead to the data center or the cloud. 

This approach gives end-users effective protection with minimal performance impact and offers security administrators greater confidence that remote systems’ controls are strong enough to fend off evolving threats. It also enables security teams to adopt Zero Trust and Adaptive Trust architectures that can help secure enterprises as well as appease auditors, who may have compliance concerns about a network architecture that leverages split tunneling with minimal security for cloud-direct traffic. 

Many readers may agree with the use of secure multipoint tunneling as a solid approach to remote access however, our audit and third-party risk team do not understand the model or have not been given the guidance for when the model and approach should be used.  In other cases as security professionals, we’ve gotten into the habit of seeing full tunneling and split tunneling as our only options. But WAN architecture is not limited to this oversimplified either/or. Like most things in life, WANs are available in a range of options. Selecting the right approach requires security pros to think beyond the binary.

author image
James Robinson
James is a seasoned professional with nearly 20 years of experience in security engineering, architecture and strategy. He develops and delivers a comprehensive suite of strategic services and solutions that help executives change their security strategies through innovation.