The present invention relates to remote access in digital networks, and more particularly to split tunneling in remote access to networks.
Digital networks have become the backbone of many organizations and enterprises. Within an organization, networks can be secured, and provide members of the organization secure access to resources within the organization.
In many cases, members of an organization wish to access these resources securely from remote locations, such as from home, or on the road.
One approach to providing such remote access is to provide members of the organization with remote access points (RAPs). These RAPs provide a secure connection to organization resources. The RAP is connected to a public network. In operation, the RAP establishes a secure tunnel over the public network which is terminated inside the organization firewall.
The RAP provides wired or wireless access through the tunnel, providing secure access to organization resources by routing all client network activity through the tunnel and through the infrastructure located at the organization.
But routing all client network activity through the tunnel and through the organization has performance penalties.
As an example, consider a RAP user at home, connected to the organization infrastructure. When the client connects to an organization e-mail server, that connection goes through the tunnel established by the RAP to the e-mail server in the organization.
But when the client uses a web browser to visit a news website such as cnn.com or slashdot.org, that request and subsequent traffic are also directed through the tunnel and through the organization's infrastructure.
To alleviate this issue the concept of a split-tunnel has developed. In split-tunnel operation, traffic to a set of addresses and/or services is directed through the tunnel, while traffic to other addresses and/or services is routed directly to the network the RAP is attached to. So in the case of a split-tunnel, when the RAP client accesses slashdot.org, that request is not sent through the secure tunnel, but directly out to the Internet.
One implementation of the split-tunnel mechanism is DNS based. As is known in the art, the DNS mechanism maps domain names, such as “slashdot.org” to an IP address, such as “216.34.181.45.” The split-tunnel mechanism recognizes a particular domain suffix, or pattern-matches part of the domain name, and routes matching DNS requests through the tunnel.
As an example, if an organization's domain name is “acmesprockets.com,” the split-tunnel mechanism would route all DNS requests containing “acmesprockets” or the suffix “acmesprockets.com” through the tunnel to the organization's DNS for resolution to an IP address.
Other DNS requests not matching the pattern are routed to the DNS associated with the Internet connection. DNS lookups through the tunnel which fail may also be re-routed to the DNS associated with the Internet connection.
In the example given, a DNS request for “mail.acmesprockets.com” will be routed through the tunnel, while a DNS request for “groklaw.net” will be routed to the DNS associated with the Internet connection.
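The following is an added illustration, not part of the original text, of the DNS-based split-tunnel decision described above: a name is routed to the organization's DNS through the tunnel when it matches a configured suffix or contains a configured pattern, otherwise to the DNS associated with the Internet connection, and a tunnel lookup that fails is re-issued to the Internet DNS. The resolvers are stand-in dictionaries, and the zone contents, IP addresses and the "acmesprockets" configuration values are constructed for the example.

```python
"""Model of a DNS-based split-tunnel routing decision (constructed example)."""

from typing import Callable, Dict, Iterable, Optional, Tuple

# A resolver maps a domain name to an IP address, or None when the lookup fails.
Resolver = Callable[[str], Optional[str]]


def normalise(name: str) -> str:
    """Lower-case and strip a trailing dot so 'Mail.ACME.com.' compares equal to 'mail.acme.com'."""
    return name.strip().lower().rstrip(".")


def matches_suffix(name: str, suffix: str) -> bool:
    """True when name equals suffix or ends with '.' + suffix.

    Matching on a label boundary keeps a lookalike such as 'evilacmesprockets.com'
    from being treated as part of 'acmesprockets.com'.
    """
    name, suffix = normalise(name), normalise(suffix)
    return name == suffix or name.endswith("." + suffix)


def choose_route(name: str, suffixes: Iterable[str], patterns: Iterable[str]) -> str:
    """Return 'tunnel' for a suffix or substring-pattern match, else 'internet'."""
    n = normalise(name)
    if any(matches_suffix(n, s) for s in suffixes):
        return "tunnel"
    if any(normalise(p) in n for p in patterns):
        return "tunnel"
    return "internet"


def resolve(
    name: str,
    suffixes: Iterable[str],
    patterns: Iterable[str],
    tunnel_dns: Resolver,
    internet_dns: Resolver,
    fallback: bool = True,
) -> Tuple[str, Optional[str]]:
    """Resolve name and report (route actually used, IP address or None).

    Tunnel-routed names go to the organization's DNS; if that lookup fails and
    fallback is enabled, the query is re-routed to the Internet DNS.
    """
    if choose_route(name, suffixes, patterns) == "tunnel":
        ip = tunnel_dns(name)
        if ip is None and fallback:
            return "internet-fallback", internet_dns(name)
        return "tunnel", ip
    return "internet", internet_dns(name)


# Constructed stand-in zones; a real deployment would query DNS servers here.
TUNNEL_ZONE: Dict[str, str] = {"mail.acmesprockets.com": "10.0.0.25"}
INTERNET_ZONE: Dict[str, str] = {
    "slashdot.org": "216.34.181.45",
    "groklaw.net": "192.0.2.10",
    "acmesprockets-partner.example": "203.0.113.5",
}


def tunnel_dns(name: str) -> Optional[str]:
    return TUNNEL_ZONE.get(normalise(name))


def internet_dns(name: str) -> Optional[str]:
    return INTERNET_ZONE.get(normalise(name))


# Constructed split-tunnel configuration for one RAP.
SUFFIXES = ["acmesprockets.com"]
PATTERNS = ["acmesprockets"]


if __name__ == "__main__":
    for query in ["mail.acmesprockets.com", "groklaw.net", "acmesprockets-partner.example"]:
        print(query, "->", resolve(query, SUFFIXES, PATTERNS, tunnel_dns, internet_dns))
```

The third query shows the two configuration styles interacting: "acmesprockets-partner.example" is pulled into the tunnel by the substring pattern, the organization's DNS has no record for it, and the query falls back to the Internet DNS. A substring pattern therefore directs more names through the tunnel than a label-boundary suffix match does, which is one reason the per-RAP configuration the text describes needs careful management.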
A problem exists, however, in configuring the operation of the split-tunnel. The set of suffixes or pattern matches to be used in split-tunnel operation must be configured and managed for each and every RAP in use.
What is needed is a better way to manage and update split-tunnel DNS configurations.