800-53|SC-7(7)

Title

PREVENT SPLIT TUNNELING FOR REMOTE DEVICES

Description

The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.

Supplemental

This control enhancement is implemented within remote devices (e.g., notebook computers) through configuration settings to disable split tunneling in those devices, and by preventing those configuration settings from being readily configurable by users. This control enhancement is implemented within the information system by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. Split tunneling might be desirable by remote users to communicate with local information system resources such as printers/file servers. However, split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information. The use of VPNs for remote connections, when adequately provisioned with appropriate security controls, may provide the organization with sufficient assurance that it can effectively treat such connections as non-remote connections from the confidentiality and integrity perspective. VPNs thus provide a means for allowing non-remote communications paths from remote devices. The use of an adequately provisioned VPN does not eliminate the need for preventing split tunneling.

Reference Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Parent Title: BOUNDARY PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Baseline Impact: MODERATE, HIGH

Audit Items


Name | Plugin | Audit Name
3.1.3 Set 'no interface tunnel' | Cisco | CIS Cisco IOS 12 L2 v4.0.0
3.1.3 Set 'no interface tunnel' | Cisco | CIS Cisco IOS 16 L1 v1.1.0
3.1.3 Set 'no interface tunnel' | Cisco | CIS Cisco IOS 15 L2 v4.0.1
3.7 Ensure IP tunnels are not configured. | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3
4.820 - The system must not have unauthorized IP tunnels configured. | Unix | Tenable Fedora Linux Best Practices v2.0.0
CASA-VN-000700 - The Cisco ASA VPN remote access server must be configured to disable split-tunneling for remote clients. | Cisco | DISA STIG Cisco ASA VPN v2r1
GEN007820 - The system must not have IP tunnels configured - '/sbin/ip tun list' | Unix | DISA STIG for Oracle Linux 5 v1r14
GEN007820 - The system must not have IP tunnels configured. | Unix | DISA STIG Solaris 10 SPARC v2r1
GEN007820 - The system must not have IP tunnels configured. | Unix | DISA STIG Solaris 10 SPARC v2r2
GEN007820 - The system must not have IP tunnels configured. | Unix | DISA STIG Solaris 10 X86 v2r2
GEN007820 - The system must not have IP tunnels configured. | Unix | DISA STIG Solaris 10 X86 v2r1
JUSX-VN-000028 - The Juniper SRX Services Gateway VPN must disable split-tunneling for remote clients VPNs. | Juniper | DISA Juniper SRX Services Gateway VPN v3r1
OL07-00-040820 - The Oracle Linux operating system must not have unauthorized IP tunnels configured. | Unix | DISA Oracle Linux 7 STIG v2r5
OL07-00-040820 - The Oracle Linux operating system must not have unauthorized IP tunnels configured. | Unix | DISA Oracle Linux 7 STIG v2r4
RHEL-07-040820 - The Red Hat Enterprise Linux operating system must not have unauthorized IP tunnels configured. | Unix | DISA Red Hat Enterprise Linux 7 STIG v3r4
RHEL-07-040820 - The Red Hat Enterprise Linux operating system must not have unauthorized IP tunnels configured. | Unix | DISA Red Hat Enterprise Linux 7 STIG v3r5
RHEL-07-040820 - The Red Hat Enterprise Linux operating system must not have unauthorized IP tunnels configured. | Unix | DISA Red Hat Enterprise Linux 7 STIG v3r7
SOL-11.1-040490 - The operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks - 'RestrictOutbound connections' | Unix | DISA STIG Solaris 11 X86 v2r4
SOL-11.1-040490 - The operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks - 'RestrictOutbound connections' | Unix | DISA STIG Solaris 11 SPARC v2r2
SOL-11.1-040490 - The operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks - 'RestrictOutbound connections' | Unix | DISA STIG Solaris 11 SPARC v2r4
SOL-11.1-040490 - The operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks - 'RestrictOutbound limitpriv' | Unix | DISA STIG Solaris 11 SPARC v2r4
SOL-11.1-040490 - The operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks - 'RestrictOutbound limitpriv' | Unix | DISA STIG Solaris 11 SPARC v2r2
SOL-11.1-040490 - The operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks - 'RestrictOutbound name' | Unix | DISA STIG Solaris 11 SPARC v2r2
SOL-11.1-040490 - The operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks - 'RestrictOutbound name' | Unix | DISA STIG Solaris 11 SPARC v2r4
SOL-11.1-040490 - The operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks - 'RestrictOutbound name' | Unix | DISA STIG Solaris 11 X86 v2r4
SOL-11.1-040490 - The operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks. | Unix | DISA STIG Solaris 11 X86 v2r4