Security – Client wants to route all the internet traffic through their VPN, but why

Tags: hipaa, openvpn, security, vpn

I am currently working with a client in the healthcare sector. Part of the work will involve contact with sensitive patient health information (PHI). The client uses AWS and keeps their sensitive data inside of a Virtual Private Cloud.

It is required that I connect to a VPN Server to get access to their AWS services. They use OpenVPN client.

But they have the VPN configured so that when I'm connected to it, all of my internet traffic gets tunneled through the VPN server, not just the traffic bound for their network resources. This slows my internet connection down to about 1.5 Mbps down, which is not ideal.

I brought it up with them and they said "the security rules prevent anyone from any IP address except the VPN endpoint from getting any information about our instances." But unless I'm missing something, that doesn't really answer my question.

Are there any real security advantages for them to set up their VPN this way?

Best Answer

You (basically) have two modes when connecting to a VPN:

  • full tunnelling: all traffic passes through the VPN tunnel; this is the setup your customer uses

  • split tunnelling: only the traffic destined to the remote network passes through the VPN, other traffic (internet) doesn't

There are two risks involved with split tunnelling:

1 - your internet connection can be compromised and an attacker can gain access to the remote network through your machine. Your connection may be secured, or not. The customer has no way to control the security of your internet connection, so they make sure you don't have access to the internet, apart from the connection they do control, while you are connected to their network.

2 - as explained by Ron Maupin in a comment, a user inside the remote network can bypass internal security to gain Internet access through your VPN connection. They may use this to browse dangerous sites or to export sensitive data.

As a side note, some VPN clients also perform custom checks on your machine, typically to see if there's anti-virus software and if it is up to date, prior to granting access to corporate resources.
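A quick way to see which of the two modes a connection is in, from the client side, is to look at the routing table once the tunnel is up. With OpenVPN, a server that pushes `redirect-gateway def1` installs the two half-routes `0.0.0.0/1` and `128.0.0.0/1` via the tunnel interface, which together cover all of IPv4 and win over the LAN default route; a server that only pushes `route` entries for its own subnets leaves the default route on the local interface. The script below is an added example, not code from the question or the answer: it classifies `ip route` output as full or split tunnel. It assumes Linux `ip route` formatting and a tunnel interface named `tun0`; the two routing tables it checks are constructed samples, not captures from any real system.

```shell
#!/bin/sh
# Classify an OpenVPN client's routing table as full-tunnel or split-tunnel.
# Added example; assumes Linux `ip route` output and a tunnel device named tun0.

classify_tunnel() {
  # $1: routing table text (output of `ip route`), $2: VPN interface name
  routes="$1"
  ifname="$2"
  # redirect-gateway def1 installs 0.0.0.0/1 and 128.0.0.0/1 via the tun device;
  # together they cover the whole IPv4 space and override the LAN default route.
  if printf '%s\n' "$routes" | grep -Eq "^0\.0\.0\.0/1 .* dev $ifname" \
     && printf '%s\n' "$routes" | grep -Eq "^128\.0\.0\.0/1 .* dev $ifname"; then
    echo full
  # redirect-gateway without def1 replaces the default route itself instead.
  elif printf '%s\n' "$routes" | grep -Eq "^default .* dev $ifname"; then
    echo full
  # Only specific remote subnets go via the tunnel: split tunnelling.
  elif printf '%s\n' "$routes" | grep -Eq " dev $ifname"; then
    echo split
  else
    echo none
  fi
}

# Constructed sample: what a client sees after the server pushed redirect-gateway def1.
FULL_TUNNEL_ROUTES='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0'

# Constructed sample: the server only pushed a route for its 10.0.0.0/16 network.
SPLIT_TUNNEL_ROUTES='default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.0.0.0/16 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'

# On a live system run: classify_tunnel "$(ip route)" tun0
classify_tunnel "$FULL_TUNNEL_ROUTES" tun0    # prints: full
classify_tunnel "$SPLIT_TUNNEL_ROUTES" tun0   # prints: split
```

The `203.0.113.10` host route in the full-tunnel sample is the one exception a full tunnel keeps: the VPN server's own public address must still be reached over the LAN gateway, which is exactly what `def1` arranges. If you want to confirm the customer's setup rather than argue about it, this check plus a look at your public IP while connected settles which mode you are in.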