What is the security risk inherent in creating a split tunnel VPN, where some traffic is routed over the VPN tunnel and the rest over a direct internet connection?
A.
The VPN traffic is exempted from any security policies configured on the direct internet uplink router or appliance.
B.
You no longer have the visibility required to make decisions on those traffic flows that are going directly out to the internet.
C.
A split ACL list, which means only half the rules will be enforced.
D.
An issue between the built-in client VPN agent on most modern operating systems and a third-party VPN gateway upstream.
The correct answer is B . The core security risk of a split tunnel VPN is loss of visibility and consistent inspection for the traffic that bypasses the tunnel and goes directly to the internet. Zscaler’s Secure Mobile Access reference architecture explains that traditional VPNs backhaul traffic to a central data center for security through a legacy appliance stack, while modern remote work leads to a lack of visibility into what users are accessing and how the network is performing when the organization no longer controls the path.
ZIA guidance similarly states that user traffic must be forwarded to the nearest ZIA Service Edge so it can be inspected and either forwarded or blocked according to policy, and that the same authentication and policy should follow the user wherever they are. If some traffic exits directly to the internet outside that enforcement path, the organization loses the visibility and control needed to make reliable policy decisions on those flows. That is the real Zero Trust concern with split tunneling. It creates blind spots rather than a uniformly enforced security model. Therefore, the best answer is loss of visibility into traffic going directly to the internet .
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit