Disable Split Tunnelling for VPN Connections
Ensure that devices accessing the organisation's network through VPN do not use split tunnelling for security.
🏛️ Framework: ASD Information Security Manual (ISM)
🧭 Control effect: Preventative
🔐 Classifications: NC, OS, P, S, TS
🗓️ ISM last updated: Nov 2021
✏️ Control Stack last updated: 19 Mar 2026
🎯 E8 maturity levels: N/A
When accessing an organisation's network via a VPN connection, split tunnelling is disabled.
Source: ASD Information Security Manual (ISM)
Plain language
This control is about turning off a feature called 'split tunnelling' on Virtual Private Network (VPN) connections. With split tunnelling, a device sends some of its traffic straight to the internet while it is also connected to your company's network, so the device becomes a path between the open internet and the company network, and an attacker who gets onto the device can reach the company network without passing through the company's security monitoring. Disabling split tunnelling forces all of the device's traffic to go through the secure company connection, which reduces the risk of cyber attacks.
Why it matters
Allowing split tunnelling on VPNs can expose sensitive data and enable attacks via the user’s unsecured internet path while connected to the corporate network.
Operational notes
Audit VPN client and gateway configurations to confirm split tunnelling is disabled; monitor for users enabling it and enforce the setting through central policies and device profiles.
Implementation tips
- The IT team should review the VPN settings for all devices accessing the company network. This involves checking each device's VPN configuration to ensure split tunnelling is disabled, meaning all data is routed through the company's secure connection.
- The IT manager should update company policies regarding VPN use. These policies should clearly state that split tunnelling is not allowed, and ensure that all staff who use VPNs are aware of this requirement.
- Network administrators need to configure the VPN server to prevent split tunnelling. They can do this by setting up routing rules that force all traffic through the VPN, effectively blocking split tunnelling capabilities.
- Staff training coordinators should ensure employees understand the importance of not using split tunnelling. This can include training sessions or informational documents explaining the security risks and how to use the VPN properly.
- The IT support team should regularly monitor network traffic for any signs of split tunnelling. They can use network logs to check that all traffic is going through the VPN, which might mean analysing logs weekly or using software tools to alert them to potential issues.
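The configuration audit and the per-device routing check described in the operational notes and implementation tips above can be scripted. The following Python is an added example, not code from the Control Stack page or the ISM. It assumes the evidence is collected as WireGuard client configurations, OpenVPN server configurations and Linux `ip route` output; every configuration and routing table embedded below is constructed for illustration, and the keys are placeholders.

```python
"""Audit helpers for confirming that split tunnelling is disabled.

Added example, not part of the control page. Each check returns a list of
findings; an empty list means the evidence shows a full tunnel.
  1. WireGuard client config: the [Peer] AllowedIPs must cover 0.0.0.0/0 and
     ::/0, otherwise traffic outside those prefixes bypasses the tunnel.
  2. OpenVPN server config: it must push "redirect-gateway" so that the
     client overrides its local default route.
  3. Linux routing table ('ip route' output): the default route, or the
     0.0.0.0/1 + 128.0.0.0/1 pair that 'redirect-gateway def1' installs,
     must use the VPN interface.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed samples; keys, hostnames and addresses are placeholders.
WG_FULL = """[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.7.0.2/32

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
Endpoint = vpn.example.org:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""
WG_SPLIT = WG_FULL.replace("AllowedIPs = 0.0.0.0/0, ::/0",
                           "AllowedIPs = 10.7.0.0/16, 192.168.50.0/24")

OVPN_FULL = ('port 1194\nproto udp\ndev tun\n'
             'push "redirect-gateway def1 bypass-dhcp"\n'
             'push "dhcp-option DNS 10.8.0.1"\n')
OVPN_SPLIT = ('port 1194\nproto udp\ndev tun\n'
              'push "route 10.0.0.0 255.0.0.0"\n'
              '# push "redirect-gateway def1"\n')   # commented out, so not pushed

ROUTES_FULL = """0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
203.0.113.10 via 192.168.1.1 dev eth0
"""
ROUTES_SPLIT = """default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
"""

REDIRECT_RE = re.compile(r'^push\s+"?redirect-gateway\b')


def wireguard_findings(config: str) -> List[str]:
    """Flag a WireGuard config whose AllowedIPs do not cover all IPv4 and IPv6 space."""
    nets = []
    for line in config.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "allowedips":
            nets.extend(ipaddress.ip_network(p.strip(), strict=False)
                        for p in value.split(",") if p.strip())
    findings = []
    if not any(n.version == 4 and n.prefixlen == 0 for n in nets):
        findings.append("WireGuard: AllowedIPs lacks 0.0.0.0/0, IPv4 traffic can bypass the tunnel")
    if not any(n.version == 6 and n.prefixlen == 0 for n in nets):
        findings.append("WireGuard: AllowedIPs lacks ::/0, IPv6 traffic can bypass the tunnel")
    return findings


def openvpn_server_findings(config: str) -> List[str]:
    """Flag an OpenVPN server config that never pushes redirect-gateway to clients."""
    for raw in config.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if REDIRECT_RE.match(line):
            return []
    return ['OpenVPN: no push "redirect-gateway" directive, clients keep their local default route']


def route_table_findings(ip_route_output: str, vpn_iface: str) -> List[str]:
    """Flag a Linux routing table whose IPv4 default path does not use vpn_iface."""
    best: Dict[str, Tuple[int, str]] = {}  # prefix -> (lowest metric, device)
    for line in ip_route_output.splitlines():
        parts = line.split()
        if "dev" not in parts:
            continue
        prefix, dev = parts[0], parts[parts.index("dev") + 1]
        metric = int(parts[parts.index("metric") + 1]) if "metric" in parts else 0
        if prefix not in best or metric < best[prefix][0]:
            best[prefix] = (metric, dev)

    def uses_vpn(prefix: str) -> bool:
        return prefix in best and best[prefix][1] == vpn_iface

    # A plain default route via the VPN, or the two /1 halves that
    # 'redirect-gateway def1' adds on top of the original default, both count.
    if uses_vpn("default") or (uses_vpn("0.0.0.0/1") and uses_vpn("128.0.0.0/1")):
        return []
    return [f"routing table: IPv4 default path does not use {vpn_iface}, internet traffic leaves the tunnel"]


if __name__ == "__main__":
    for label, findings in [
        ("WireGuard full", wireguard_findings(WG_FULL)),
        ("WireGuard split", wireguard_findings(WG_SPLIT)),
        ("OpenVPN full", openvpn_server_findings(OVPN_FULL)),
        ("OpenVPN split", openvpn_server_findings(OVPN_SPLIT)),
        ("Routes full", route_table_findings(ROUTES_FULL, "tun0")),
        ("Routes split", route_table_findings(ROUTES_SPLIT, "tun0")),
    ]:
        print(label, "->", findings or ["compliant"])
```

Two details in the routing check matter for evidence review. OpenVPN's `redirect-gateway def1` does not remove the device's original default route; it adds `0.0.0.0/1` and `128.0.0.0/1` via the tunnel, which are more specific and therefore win, so a check that only looks for `default ... dev tun0` would wrongly report a compliant device as split tunnelling. The WireGuard check insists on `::/0` as well as `0.0.0.0/0` because a configuration that only captures IPv4 still lets IPv6 traffic leave the device directly.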
Audit / evidence tips
- Ask: the VPN configuration policy. Request to see the documented company policy that bans split tunnelling.
  Good: a policy document that specifies 'split tunnelling is disabled', with the date it was last updated.
- Ask: a demonstration of the VPN settings. Request an example of a device connected to the VPN.
  Good: all internet traffic is shown being directed via the VPN, with no exceptions.
- Ask: network traffic logs. Request recent logs that show data traffic patterns.
  Good: the logs show connections solely through the company's VPN.
- Ask: evidence of staff training. Request records of any training sessions or communications about VPN usage policies.
  Good: documented training or communication to employees about correct VPN use.
- Ask: IT report on network monitoring activities. Request a summary of monitoring activities or reports on VPN use.
  Good: documented checks that confirm no split tunnelling is occurring.
Cross-framework mappings
How ISM-0705 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001: Partially meets (1)
| Control | Notes |
|---|---|
| Annex A 6.7 | ISM-0705 requires organisations to disable split tunnelling when connecting to the organisation’s network over VPN |