SC.L2-3.13.7: Prevent Split Tunneling on Remote Devices
Split tunneling creates a security blind spot by allowing remote devices to connect to your system while simultaneously accessing external networks outside your control. SC.L2-3.13.7 requires you to block this dual-connection behavior to maintain visibility and prevent unauthorized data exfiltration. This control is critical for organizations with distributed workforces relying on VPNs and remote access.
What this means
Split tunneling occurs when a remote device establishes a VPN or secure connection to your organization while also maintaining a direct internet connection. This allows traffic to bypass your security controls—a user could access company resources through the VPN while simultaneously uploading sensitive data to an external cloud service via their direct connection. SC.L2-3.13.7 requires technical controls to prevent this dual-connection scenario, ensuring all remote device traffic flows through your monitored and protected network infrastructure.
How to comply
- 1.Configure VPN clients to prevent split tunneling through mandatory tunnel policies that force all traffic through the secure connection
- 2.Deploy endpoint detection and response (EDR) or mobile device management (MDM) solutions to detect and block unauthorized network interfaces on remote devices
- 3.Implement firewall rules that prevent devices connected via VPN from establishing simultaneous external connections
- 4.Enable VPN logging and monitoring to track connection attempts and identify split tunneling attempts in real time
- 5.Document your split tunneling prevention policy in your security policy framework and distribute to all remote workers
- 6.Conduct periodic testing to verify split tunneling prevention controls are functioning and cannot be easily bypassed
- 7.Provide security training to remote workers explaining why split tunneling is prohibited and how to report circumvention attempts
Evidence auditors look for
- VPN client configuration files showing split tunneling prevention enabled (e.g., AllowLocalSubnets=0 or equivalent settings)
- MDM or EDM policy screenshots demonstrating network interface restrictions on enrolled devices
- Firewall rule documentation and logs showing blocks of simultaneous external connections from VPN-connected devices
- VPN server logs and SIEM reports showing no evidence of split tunneling activity during audit period
- Network flow analysis or packet capture samples showing all remote device traffic routing through the VPN tunnel
- Security policy document referencing split tunneling prevention requirements and employee acknowledgment records
- Penetration test or vulnerability assessment report demonstrating failed attempts to establish split tunneling connections
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically tracks VPN client configurations and flags policy deviations in real time, eliminating manual audits of split tunneling controls across your remote device fleet.
See how GRCWatch handles this control automatically
Start free trial