AC-4 / SC-7(7) / SC-46 (NIST SP 800-53 Rev 5)

No dual-homed laptops or "swing" devices

Description

What this control does

This control prohibits endpoints from simultaneously connecting to both trusted corporate networks and untrusted external networks (e.g., connecting via VPN while also connected to a public Wi-Fi hotspot). Dual-homed configurations create network bridging risks where an attacker on the untrusted network can pivot through the device to access corporate resources. Technical enforcement typically includes host-based firewall rules, network access control policies, split-tunneling restrictions, and endpoint detection agents that terminate VPN sessions when multiple active network interfaces are detected.
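As an added illustration (not part of the control text or any vendor's agent), the interface-monitoring rule described above can be approximated by a host-side check over the routing table: given `ip route` output it flags a second non-tunnel interface holding a gateway route while a VPN adapter is up (dual-homed) and Internet-bound traffic that is not forced into the tunnel (split tunnel). The VPN adapter name prefixes and both routing tables are constructed assumptions.

```python
# Added example, not from the control catalogue: host-side check over `ip route` output.
import re
from dataclasses import dataclass, field

TUNNEL_PREFIXES = ("tun", "tap", "wg", "ppp", "utun")  # assumed VPN adapter name prefixes
ROUTE_RE = re.compile(r"^(\S+)(?: via (\S+))? dev (\S+)(?:.* metric (\d+))?")

@dataclass
class Verdict:
    vpn_up: bool
    dual_homed: bool = False    # VPN up and >1 non-tunnel interface holds a gateway route
    split_tunnel: bool = False  # VPN up but Internet-bound traffic is not forced into it
    reasons: list = field(default_factory=list)

def parse_routes(text):
    # Parse `ip route` lines into dicts with dst, via, dev and metric (0 if absent).
    routes = []
    for line in text.strip().splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            dst, via, dev, metric = m.groups()
            routes.append({"dst": dst, "via": via, "dev": dev, "metric": int(metric or 0)})
    return routes

def check_routes(text):
    routes = parse_routes(text)
    tunnels = {r["dev"] for r in routes if r["dev"].startswith(TUNNEL_PREFIXES)}
    v = Verdict(vpn_up=bool(tunnels))
    if not tunnels:
        return v  # no VPN session: nothing for this rule to enforce
    # A non-tunnel interface with a gateway route can reach other networks on its own;
    # one such interface carries the VPN, a second one is a dual-homed condition.
    gw_ifaces = sorted({r["dev"] for r in routes if r["via"] and r["dev"] not in tunnels})
    if len(gw_ifaces) > 1:
        v.dual_homed = True
        v.reasons.append(f"VPN on {sorted(tunnels)} with gateway routes on {gw_ifaces}")
    # Full tunnel: the lowest-metric default route, or both OpenVPN-style halves
    # 0.0.0.0/1 and 128.0.0.0/1, must point at a tunnel device.
    defaults = sorted((r for r in routes if r["dst"] == "default"), key=lambda r: r["metric"])
    halves = {r["dst"] for r in routes if r["dst"] in ("0.0.0.0/1", "128.0.0.0/1") and r["dev"] in tunnels}
    if not ((defaults and defaults[0]["dev"] in tunnels) or len(halves) == 2):
        v.split_tunnel = True
        v.reasons.append("default route bypasses the VPN tunnel")
    return v

# Constructed routing tables: a compliant full-tunnel laptop, and one bridging a hotspot.
FULL_TUNNEL = """0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
128.0.0.0/1 via 10.8.0.1 dev tun0"""
DUAL_HOMED = """default via 192.168.1.1 dev wlan0 proto dhcp metric 600
default via 172.20.10.1 dev usb0 proto dhcp metric 700
10.0.0.0/8 dev wg0 scope link"""
```

An agent would run this on a timer and, on a positive verdict, raise the alert and tear down the VPN session; the gateway-route heuristic deliberately ignores interfaces that only hold on-link routes, so a policy that also forbids those needs a stricter rule.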

Control objective

What auditing this proves

Demonstrate that organizational endpoints are technically prevented from maintaining simultaneous connections to trusted corporate networks and untrusted external networks, and that monitoring capabilities detect and remediate dual-homed configurations.

Associated risks

Risks this control addresses

  • Attackers on untrusted networks pivot through dual-homed devices to access corporate network segments and bypass perimeter controls
  • Malware on public networks traverses dual-homed endpoints to establish persistent footholds in corporate infrastructure
  • Data exfiltration occurs through the untrusted network interface while the trusted connection masks the traffic from corporate monitoring
  • Lateral movement from compromised public Wi-Fi networks to corporate assets via bridged network connections
  • Bypass of security inspection functions such as IDS/IPS, DLP, and web filtering when split-tunneling is improperly configured
  • Unintentional network bridging by users connecting personal hotspots or secondary adapters while on VPN
  • Compliance violations when regulated data traverses uncontrolled network paths through dual-homed endpoints

Testing procedure

How an auditor verifies this control

  1. Obtain and review the organization's policy documentation prohibiting dual-homed endpoints and defining acceptable network connection scenarios.
  2. Collect technical configuration standards for VPN clients, endpoint agents, and host-based firewalls that enforce single-path connectivity.
  3. Export endpoint security agent configurations and identify rules that detect or prevent multiple simultaneous network connections.
  4. Select a representative sample of 20-30 endpoints across user populations (remote workers, executives, IT administrators, contractors) for technical validation.
  5. Perform live testing by attempting to establish VPN connections while simultaneously connected to secondary networks (Wi-Fi, Ethernet, mobile hotspot) on sampled devices.
  6. Review endpoint detection and response (EDR) or network access control (NAC) logs for the past 90 days to identify dual-homed connection attempts and enforcement actions taken.
  7. Interview 3-5 system administrators and network engineers to verify monitoring procedures, alert thresholds, and remediation workflows for dual-homed violations.
  8. Validate that VPN configurations explicitly disable split-tunneling or include technical controls that force all traffic through the corporate tunnel when connected.

Evidence required

Configuration exports from VPN clients showing forced-tunneling or split-tunnel restrictions, endpoint agent policy files demonstrating network interface monitoring rules, EDR or NAC system logs showing dual-homed detection events and enforcement actions, screenshots of live testing attempts with connection failures or automatic disconnections, policy documents defining prohibited dual-homed configurations, and administrator interview notes describing monitoring and remediation procedures.

Pass criteria

All sampled endpoints demonstrate technical prevention of simultaneous trusted and untrusted network connections, monitoring logs show active detection of dual-homed attempts with automated or timely remediation, VPN configurations enforce single-path routing, and no unresolved dual-homed violations exist in the review period.