
SC-7(7) Boundary Protection | Split Tunneling for Remote Devices

Impact levels: IL4 Mod, IL4 High, IL5, IL6

>Control Description

Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using organization-defined safeguards.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

Split tunneling is the process of allowing a remote user or device to establish a non-remote connection with a system and simultaneously communicate via some other connection with a resource in an external network. This method of network access lets a user reach organizational systems while, at the same time, reaching uncontrolled networks. Split tunneling may be desirable to remote users for communicating with local system resources, such as printers or file servers.

However, split tunneling can facilitate unauthorized external connections, making the system vulnerable to attack and to exfiltration of organizational information. Split tunneling can be prevented by disabling configuration settings that allow such capability in remote devices and by preventing those configuration settings from being configurable by users. Prevention can also be achieved by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling.

A virtual private network (VPN) can be used to securely provision a split tunnel. A securely provisioned VPN includes locking connectivity to exclusive, managed, and named environments, or to a specific set of pre-approved addresses, without user control.

>Programmatic Queries


Related Services

VPN Client
ClientVPN
Route Tables

CLI Commands

Create an AWS Client VPN endpoint for remote device connections with split tunneling explicitly disabled (--no-split-tunnel) and connection logging enabled from the start:
    aws ec2 create-client-vpn-endpoint --client-cidr-block 10.0.0.0/22 --server-certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/12345678 --authentication-options Type=certificate-authentication --no-split-tunnel --connection-log-options CloudwatchLogGroup=/aws/clientvpn/logs,Enabled=true

Associate a target network with the endpoint so that all client traffic is carried through the VPC rather than the client's local network:
    aws ec2 associate-client-vpn-target-network --client-vpn-endpoint-id cvpn-12345678 --subnet-id subnet-12345678

Create an authorization rule that limits clients to the approved target network CIDR (authorization rules control which destinations the tunnel will carry):
    aws ec2 authorize-client-vpn-ingress --client-vpn-endpoint-id cvpn-12345678 --target-network-cidr 10.0.0.0/16 --authorize-all-groups

Enable CloudWatch connection logging on an existing endpoint:
    aws ec2 modify-client-vpn-endpoint --client-vpn-endpoint-id cvpn-12345678 --connection-log-options CloudwatchLogGroup=/aws/clientvpn/logs,Enabled=true
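The "securely provisioned" split tunnel described in the Discussion (connectivity locked to a pre-approved set of addresses, without user control) and the endpoint settings the commands above configure can both be verified from the API output rather than trusted from a build procedure. The following is an added Python example, not part of this page and not AWS tooling: it evaluates constructed samples in the shape of `aws ec2 describe-client-vpn-endpoints` and `aws ec2 describe-client-vpn-routes` output, reports any endpoint that has split tunneling enabled with an active route outside an organization-defined approved set, and reports any endpoint without connection logging. The endpoint IDs, the approved CIDR list and the log group name are placeholders.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-client-vpn-endpoints`
# output. Endpoint IDs and the log group name are placeholders, not real resources.
SAMPLE_ENDPOINTS = json.loads("""
{
  "ClientVpnEndpoints": [
    {"ClientVpnEndpointId": "cvpn-0example0001", "SplitTunnel": false,
     "ConnectionLogOptions": {"Enabled": true, "CloudwatchLogGroup": "/aws/clientvpn/logs"}},
    {"ClientVpnEndpointId": "cvpn-0example0002", "SplitTunnel": true,
     "ConnectionLogOptions": {"Enabled": true, "CloudwatchLogGroup": "/aws/clientvpn/logs"}},
    {"ClientVpnEndpointId": "cvpn-0example0003", "SplitTunnel": true,
     "ConnectionLogOptions": {"Enabled": false}}
  ]
}
""")

# Constructed sample in the shape of `aws ec2 describe-client-vpn-routes`
# output, one response per endpoint.
SAMPLE_ROUTES = {
    "cvpn-0example0001": {"Routes": [
        {"DestinationCidr": "10.0.0.0/16", "Status": {"Code": "active"}}]},
    "cvpn-0example0002": {"Routes": [
        {"DestinationCidr": "10.0.0.0/16", "Status": {"Code": "active"}},
        {"DestinationCidr": "0.0.0.0/0", "Status": {"Code": "active"}}]},
    "cvpn-0example0003": {"Routes": [
        {"DestinationCidr": "10.0.1.0/24", "Status": {"Code": "active"}},
        {"DestinationCidr": "10.0.2.0/24", "Status": {"Code": "active"}}]},
}

# Organization-defined set of pre-approved destinations (placeholder value).
APPROVED_CIDRS = ["10.0.0.0/16"]


def route_within_approved(cidr, approved_nets):
    """True if the route destination lies entirely inside one approved network."""
    dest = ipaddress.ip_network(cidr, strict=False)
    return any(dest.version == net.version and dest.subnet_of(net)
               for net in approved_nets)


def evaluate_endpoint(endpoint, routes, approved_cidrs):
    """Return the SC-7(7) findings for one endpoint; an empty list means compliant."""
    findings = []
    approved_nets = [ipaddress.ip_network(c, strict=False) for c in approved_cidrs]
    if endpoint.get("SplitTunnel", False):
        # Split tunneling is on. That is acceptable only when every active route
        # pushed to clients stays inside the pre-approved address set.
        for route in routes.get("Routes", []):
            if route.get("Status", {}).get("Code") != "active":
                continue
            if not route_within_approved(route["DestinationCidr"], approved_nets):
                findings.append(
                    f"split-tunnel route {route['DestinationCidr']} outside approved set")
    if not endpoint.get("ConnectionLogOptions", {}).get("Enabled", False):
        findings.append("connection logging disabled")
    return findings


def audit(endpoints_doc, routes_by_endpoint, approved_cidrs):
    """Map every endpoint ID in the describe output to its list of findings."""
    return {
        ep["ClientVpnEndpointId"]: evaluate_endpoint(
            ep, routes_by_endpoint.get(ep["ClientVpnEndpointId"], {}), approved_cidrs)
        for ep in endpoints_doc["ClientVpnEndpoints"]
    }


if __name__ == "__main__":
    for endpoint_id, findings in audit(SAMPLE_ENDPOINTS, SAMPLE_ROUTES, APPROVED_CIDRS).items():
        print(f"{endpoint_id}: {'OK' if not findings else '; '.join(findings)}")
```

In practice the two sample documents would be replaced by the JSON returned from the two CLI calls (or the equivalent boto3 calls), and the output of `audit` is the evidence an assessor asks for under "Evidence & Documentation": a per-endpoint statement of whether split tunneling is off, or on but confined to the approved set, and whether connection logs exist to verify it over time.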

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the implementation of split tunneling for remote devices?
  • How are system and communications protection requirements defined and maintained?
  • Who is responsible for configuring and maintaining the security controls specified in SC-7(7)?

Technical Implementation:

  • How is split tunneling for remote devices technically implemented in your environment?
  • What systems, tools, or configurations enforce this protection requirement?
  • How do you ensure that split tunneling for remote devices remains effective as the system evolves?
  • What network boundary protections are in place (firewalls, gateways, etc.)?

Evidence & Documentation:

  • What documentation demonstrates the implementation of SC-7(7)?
  • Can you provide configuration evidence or system diagrams showing this protection control?
  • What logs or monitoring data verify that this control is functioning correctly?
  • Can you provide network architecture diagrams and firewall rulesets?
