Digital networks have become the backbone of many organizations and enterprises. Within an organization, a private network can be secured so that members of the organization are given controlled access to resources inside the organization.
In many cases, members of an organization wish to access these resources securely from remote locations, such as from home, or on the road.
One approach to providing such remote access is to provide members of the organization with remote access points (hereinafter singularly referred to as a “RAP”). Although connected to a public network, such as the Internet for example, a RAP provides a secure connection to organization resources. In operation, a RAP establishes a secure tunnel over the public network which is terminated inside the organization firewall.
The RAP provides wired or wireless access through the tunnel, providing secure access to organization resources by routing all client network activity through the tunnel and through the infrastructure located at the organization.
But routing all client network activity through the tunnel and through the organization has performance penalties.
As an example, consider a RAP user at home, connected to the organization infrastructure. When the client connects to an organization e-mail server, that connection goes through the tunnel established by the RAP to the e-mail server in the organization.
But when the client uses a web browser to visit a news website such as “cnn.com” or “slashdot.org” for example, that request and subsequent traffic are also directed through the tunnel and through the organization's infrastructure.
To alleviate this issue the concept of a split-tunnel was developed. For split-tunnel operation, traffic directed to a configured set of addresses and/or services is sent through the tunnel, while traffic to all other addresses and/or services is routed directly to the public network that the RAP is attached to. So in the case of a split-tunnel, when the RAP client accesses slashdot.org, that request is not sent through the secure tunnel but directly out to the Internet.
One implementation of the split-tunnel mechanism is Domain Name System (DNS) based. As is known in the art, DNS maps a domain name, such as “slashdot.org,” to an IP address, such as “216.34.181.45.” The split-tunnel DNS mechanism is configured to recognize a particular domain suffix, or a pattern matching part of the domain name, within a DNS request, and upon detecting a match, routes that DNS request through the tunnel.
As an example, if an organization's domain name is “acmesprockets.com,” the split-tunnel DNS mechanism would route all DNS requests containing “acmesprockets” or the suffix “acmesprockets.com” through the tunnel to the organization's DNS for resolution to an IP address. However, other DNS requests not matching the pattern “acmesprockets” would be routed to the DNS associated with the Internet connection. Any failed DNS lookups based on DNS requests through the tunnel may also be re-routed to the DNS associated with the Internet connection.
In the example given, a DNS request for “mail.acmesprockets.com” will be routed through the tunnel, while a DNS request for “groklaw.net” will be routed to the DNS associated with the Internet connection.
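The following is an added example, not code from the original text, showing the DNS-based split-tunnel decision described above: a query name is matched against a configured list of organization suffixes, routed to the tunnel resolver on a match and to the Internet-side resolver otherwise, with the optional re-routing of failed tunnel lookups. The two resolvers are simulated with constructed answer tables so the example runs offline; the suffix list, hostnames and all addresses other than the one quoted for slashdot.org are assumptions. The example also goes one step beyond the text by contrasting the “contains acmesprockets” rule with matching on a label boundary, since a plain substring rule would also send a lookalike name such as acmesprockets.evil.example through the tunnel.

```python
"""Added example: DNS-based split-tunnel routing (not the original page's code).

The resolver tables, suffix list and addresses below are constructed for
illustration; a missing key models a failed lookup (NXDOMAIN or timeout).
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed answer table of the organization's internal resolver, reached
# through the tunnel (addresses are RFC 1918, made up for the example).
TUNNEL_DNS = {
    "mail.acmesprockets.com.": "10.10.0.25",
    "intranet.acmesprockets.com.": "10.10.0.80",
}
# Assumed answer table of the resolver on the local Internet connection.
# slashdot.org's address is the one quoted in the text; the rest are
# documentation-range placeholders.
PUBLIC_DNS = {
    "slashdot.org.": "216.34.181.45",
    "groklaw.net.": "198.51.100.7",
    "acmesprockets.evil.example.": "203.0.113.9",
}


def normalize(name: str) -> str:
    """Lower-case the query name and make it fully qualified (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def matches_suffix(name: str, suffix: str) -> bool:
    """True if name is the suffix itself or a subdomain of it (label boundary)."""
    n, s = normalize(name), normalize(suffix)
    return n == s or n.endswith("." + s)


def naive_substring_match(name: str, pattern: str) -> bool:
    """The 'contains the pattern anywhere' rule, kept only for comparison."""
    return pattern.lower() in name.lower()


@dataclass
class SplitTunnelDNS:
    """Routes DNS queries to the tunnel resolver or the public resolver."""

    tunnel_suffixes: list[str]
    tunnel_resolver: dict[str, str]
    public_resolver: dict[str, str]
    fallback_to_public: bool = False          # re-route failed tunnel lookups
    log: list[tuple[str, str]] = field(default_factory=list)

    def route(self, name: str) -> str:
        """Decide which resolver a query name goes to."""
        if any(matches_suffix(name, s) for s in self.tunnel_suffixes):
            return "tunnel"
        return "public"

    def resolve(self, name: str) -> tuple[str, str | None]:
        """Return (path actually used, answer or None if the lookup failed)."""
        qname = normalize(name)
        path = self.route(qname)
        if path == "tunnel":
            answer = self.tunnel_resolver.get(qname)
            if answer is None and self.fallback_to_public:
                # Failed tunnel lookup re-routed to the Internet-side resolver,
                # as the text allows. This hands an internal hostname to a
                # resolver outside the organization, so it is logged as such.
                path = "public-fallback"
                answer = self.public_resolver.get(qname)
        else:
            answer = self.public_resolver.get(qname)
        self.log.append((qname, path))
        return path, answer


def demo() -> list[tuple[str, str, str | None]]:
    """Run the names from the text (plus one lookalike) through the router."""
    router = SplitTunnelDNS(["acmesprockets.com"], TUNNEL_DNS, PUBLIC_DNS)
    names = ["mail.acmesprockets.com", "slashdot.org", "groklaw.net",
             "acmesprockets.evil.example"]
    return [(n, *router.resolve(n)) for n in names]


if __name__ == "__main__":
    for name, path, answer in demo():
        print(f"{name:32} -> {path:8} {answer}")
    # The substring rule sends the lookalike through the tunnel; the
    # label-boundary rule does not.
    print(naive_substring_match("acmesprockets.evil.example", "acmesprockets"),
          matches_suffix("acmesprockets.evil.example", "acmesprockets.com"))
```

Two points worth noting from the example: matching on a label boundary (the name equals the suffix, or ends in “.” followed by the suffix) is what keeps names like “notacmesprockets.com” or “acmesprockets.evil.example” on the public path, whereas a bare “contains acmesprockets” test as described in the text would not; and the fallback of failed tunnel lookups to the Internet-side resolver means internal hostnames that do not resolve (typos, decommissioned hosts) are sent to a resolver the organization does not control, which is why the example records that path separately in its log.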
A problem exists, however, in configuring the operation of the split-tunnel. The set of suffixes or pattern matches to be used in split-tunnel operation must be configured and managed for each and every RAP in use.