Level 5 CMMC - CMMC Practices

SC.3.184  

Reference: CMMC 1.02

Family: SC

Level Introduced: 3

Practice:
Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).

CMMC Clarification:
Split tunneling for a remote user utilizes two connections: accessing resources on the organization’s network via a VPN and simultaneously accessing an external network such as the public network or the Internet. Split tunneling introduces a vulnerability where an open unencrypted connection from the public network could allow an adversary to access resources on the network. As a mitigation strategy, the split tunneling setting should be disabled on all devices so that all traffic, including traffic for external networks or the Internet, goes through the organization’s VPN.

Example
You are an IT administrator at your organization responsible for configuring the network to disallow remote users from using split tunneling. You perform a review of the configuration of remote user laptops. You discover that remote users are able to access files, email, database and other services through the organization’s VPN connection. At the same time, remote users are able to access resources on the Internet through their connection to the Internet. You change the hardening procedures for the company’s laptops to include changing the configuration setting to disable split tunneling. You test a laptop that has had the new hardening procedures applied and verify that all traffic from the laptop is now routed through the VPN connection.

3.13.7

Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).

Discussion:
Split tunneling might be desirable by remote users to communicate with local system resources such as printers or file servers. However, split tunneling allows unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information. This requirement is implemented in remote devices (e.g., notebook computers, smart phones, and tablets) through configuration settings to disable split tunneling in those devices, and by preventing configuration settings from being readily configurable by users. This requirement is implemented in the system by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling.

Source: NIST Special Publication 800-171 Rev. 2

SC-7 (7)

BOUNDARY PROTECTION | PREVENT SPLIT TUNNELING FOR REMOTE DEVICES

Description:
The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.

Supplemental Guidance:
This control enhancement is implemented within remote devices (e.g., notebook computers) through configuration settings to disable split tunneling in those devices, and by preventing those configuration settings from being readily configurable by users. This control enhancement is implemented within the information system by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. Split tunneling might be desirable by remote users to communicate with local information system resources such as printers/file servers. However, split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information. The use of VPNs for remote connections, when adequately provisioned with appropriate security controls, may provide the organization with sufficient assurance that it can effectively treat such connections as non-remote connections from the confidentiality and integrity perspective. VPNs thus provide a means for allowing non-remote communications paths from remote devices. The use of an adequately provisioned VPN does not eliminate the need for preventing split tunneling.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02