Disable Split Tunnelling for VPN Connections
Ensure that devices accessing the organisation's network through VPN do not use split tunnelling for security.
Plain language
This control is about turning off a feature called 'split tunnelling' on Virtual Private Network (VPN) connections. If devices use split tunnelling, they can access the internet directly while also being on your company's network, which makes it easier for hackers to sneak in without being noticed. Disabling split tunnelling forces all internet traffic to go through the secure company network, which reduces the risk of cyber attacks.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for enterprise mobility
Section
Enterprise mobility
Official control statement
When accessing an organisation's network via a VPN connection, split tunnelling is disabled.
Why it matters
Allowing split tunnelling on VPNs can expose sensitive data and enable attacks via the user’s unsecured internet path while connected to the corporate network.
Operational notes
Audit VPN client/gateway configs to confirm split tunnelling is disabled; monitor for users enabling it and enforce via central policies/profiles.
Implementation tips
- The IT team should review the VPN settings for all devices accessing the company network. This involves checking each device's VPN configuration to ensure split tunnelling is disabled, meaning all data is routed through the company's secure connection.
- The IT manager should update company policies regarding VPN use. These policies should clearly state that split tunnelling is not allowed, and ensure that all staff who use VPNs are aware of this requirement.
- Network administrators need to configure the VPN server to prevent split tunnelling. They can do this by setting up routing rules that force all traffic through the VPN, effectively blocking split tunnelling capabilities.
- Staff training coordinators should ensure employees understand the importance of not using split tunnelling. This can include training sessions or informational documents explaining the security risks and how to use the VPN properly.
- The IT support team should regularly monitor network traffic for any signs of split tunnelling. They can use network logs to check that all traffic is going through the VPN, which might mean analysing logs weekly or using software tools to alert them to potential issues.
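The monitoring and configuration-review tips above can be turned into a repeatable check. The following Python script is an added example, not part of the ISM control or the Control Stack page: it parses a Linux `ip route show`-style routing table (the two tables below are constructed samples, not captured from a real host), performs the same longest-prefix-match lookup the kernel does, and reports any public probe destination whose traffic would leave a non-VPN interface. The interface name `tun0`, the VPN endpoint `203.0.113.10` and the probe addresses are assumptions chosen for the sample; substitute the organisation's own values.

```python
import ipaddress

# Constructed sample: full tunnel. The two /1 routes via tun0 (the OpenVPN "def1"
# pattern) override the DHCP default route without deleting it. The only route that
# legitimately bypasses the tunnel is the /32 host route to the VPN endpoint itself.
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0
"""

# Constructed sample: split tunnel. Only the corporate 10.0.0.0/8 range is pushed
# through tun0; everything else still follows the local default route on eth0.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
10.0.0.0/8 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0
"""

# Assumed probe destinations: public addresses (documentation ranges), deliberately
# excluding the VPN endpoint 203.0.113.10, whose host route must bypass the tunnel.
PROBES = ["198.51.100.7", "1.1.1.1", "203.0.113.99", "10.1.2.3"]


def parse_routes(text):
    """Return a list of (network, device, metric) tuples from `ip route show` output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        prefix = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        # A bare host address such as "203.0.113.10" becomes a /32 network.
        network = ipaddress.ip_network(prefix, strict=False)
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        metric = int(parts[parts.index("metric") + 1]) if "metric" in parts else 0
        routes.append((network, dev, metric))
    return routes


def lookup(routes, dest):
    """Kernel-style selection: longest prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]


def split_tunnel_leaks(text, vpn_dev, probes=PROBES):
    """Map each probe destination that would NOT exit via vpn_dev to the interface it uses."""
    routes = parse_routes(text)
    leaks = {}
    for dest in probes:
        dev = lookup(routes, dest)
        if dev != vpn_dev:
            leaks[dest] = dev
    return leaks


def is_full_tunnel(text, vpn_dev="tun0"):
    """True when every probe destination is routed through the VPN interface."""
    return not split_tunnel_leaks(text, vpn_dev)


if __name__ == "__main__":
    for name, table in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        leaks = split_tunnel_leaks(table, "tun0")
        verdict = "OK" if not leaks else f"NON-COMPLIANT, leaks via {leaks}"
        print(f"{name}: {verdict}")
```

On a real endpoint, feed the script the live output of `ip route show` (on Windows the equivalent starting point is `route print`, which needs its own parser). An empty `leaks` result for every monitored device is the evidence that the "network traffic logs" and "demonstration of VPN settings" audit items below ask for; any non-empty result identifies both the destination and the interface that bypasses the tunnel.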
Audit / evidence tips
- Ask: the VPN configuration policy. Request to see the documented company policy that bans split tunnelling.
  Good: a policy document that specifies 'split tunnelling is disabled', with the date it was last updated.
- Ask: a demonstration of the VPN settings. Request an example of a device connected to the VPN.
  Good: all internet traffic is shown being directed via the VPN, with no exceptions.
- Ask: network traffic logs. Request recent logs that show data traffic patterns.
  Good: the logs demonstrate that all connections go solely through the company's VPN.
- Ask: evidence of staff training. Request records of any training sessions or communications about VPN usage policies.
  Good: documented training or communication to employees about correct VPN use.
- Ask: an IT report on network monitoring activities. Request a summary of monitoring activities or reports on VPN use.
  Good: the report includes documented checks confirming that no split tunnelling is occurring.
Cross-framework mappings
How ISM-0705 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Annex A 6.7 | ISM-0705 requires organisations to disable split tunnelling when connecting to the organisation's network over VPN | Partially meets |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.