In a race to provide employees first-time remote access to systems and applications, it is imperative that security is not left behind. Cybercriminals will be looking to exploit organizations that have relaxed their security controls in order to maintain their ongoing operations. For many organizations, traditional network protections came in the form of users within their office building utilizing an Internet connection protected by firewalls, intrusion prevention systems, web filters, etc. These users relied on workstations and endpoints protected by layers of anti-virus and anti-malware packages. When these users are forced to work from home, several of these layers are no longer present, and the ability to maintain full traffic flows back to the company’s central filtering point may be hampered by lack of capacity, thereby causing major slowdowns in network performance.
Optimizing your remote access
We would encourage organizations facing rapid turn-up or expansion of remote access capabilities to consider incorporating a minimum set of controls as outlined in this document. These controls are relatively easy to deploy, do not require a hardware investment, and go a long way in protecting users against some of the most common exploits. We encourage organizations to adopt a layered approach to their security controls and deploy what they can in each set of circumstances. The last thing anyone needs now is a data breach or ransomware attack.
Multi-factor Authentication (MFA)
Exposing a VPN or any type of login prompt to the Internet is risky. It opens the environment to login attempts from anyone attempting to gain unauthorized access through either brute force or using stolen credentials. Enabling multi-factor authentication requires users to not only enter their credentials but also requires confirmation outside of those credentials. Many forms of this exist, including a one-time password (OTP), key fobs, etc. Many of these providers offer cloud-based solutions and even include native integration with major brands of firewall products, eliminating the need to install an authentication server. Microsoft and Duo Security are currently offering free subscriptions that you can deploy very quickly to protect your outside login attempts with MFA.
Full Tunnel VPNs
Full tunnel VPN configurations bring ALL traffic from a remote user back to the headend, including Internet traffic. This allows the inspection and filtering of Internet-based traffic, simulating what would happen if the user were actually sitting in the facility behind the filtering device. The inverse of this is a split tunnel, in which a remote user’s Internet traffic does not traverse the VPN and is allowed to go directly through the user’s local Internet connection. The risk of split tunnels is the raw exposure users have to the Internet while, at the same time, having an open VPN connection back to the trusted network. If you don’t have enough bandwidth to bring all of your user’s Internet traffic through your headend appliance, consider some cloud offerings that could help provide some level of filtering.
Cisco Systems is currently offering its Umbrella cloud filtering solution free for 14 days (also can be expanded to 90 days) in response to COVID-19. Internet traffic in a split-tunnel configuration can still be protected through Umbrella.
You may also consider ramping up a cloud-based firewall to handle all of your remote access connections by taking advantage of the cloud provider’s bandwidth. You can often deploy the same type of on-premises firewall you have in operation today. Once deployed, a site-to-site VPN tunnel between the cloud firewall and your on-premises firewall would allow users to connect to internal resources without having to route all Internet traffic through your limited resources. Learn more from our blog post, Dealing with remote network connectivity during COVID-19.
VPN Traffic Filters
Once users are connected to the VPN, don’t let them go anywhere on the internal network. Identify the systems and ports they will need to access and filter traffic to only required flows. If you are forced to allow employees to connect with their home devices, we would recommend using terminal services or other forms of application/desktop publishing and restrict access to those ports. Allowing untrusted assets access to drive shares could be especially dangerous when considering the methods used by ransomware to spread throughout the network.
Vendor VPN Access
Vendors will be attempting to perform more work remotely, given the current environment. As a result, all sorts of systems may require modifications, including building access control systems, HVAC systems, etc. If vendors request remote access to your network, create a separate profile or access policy for each vendor. Assign the minimum level of rights and access required by the vendor. As much as possible, use the same controls for vendors as you do your employees. Controls could include individual user accounts with MFA.
Purchase a trusted certificate from a certificate authority (CA). Configure VPN connections to use a fully qualified domain name (FQDN) with the certificate. Without a trusted certificate, users may not be able to connect or will be presented with warning messages stating their connection may not be secure. Besides providing a secure connection, the use of an FQDN provides flexibility for load balancing or migrating VPN connections to a different headend. If users are provisioned with a hardcoded IP address, your ability to move their headend at a later time will be more involved.
Logging and Alerting
As more systems and applications are accessed by an increasing number of remote users, awareness of these connection events will be critical. Configure your VPN deployment to log remote access events that include usernames, public IP addresses, connection times and data volumes. Configuring event alerts for invalid login attempts will help identify a user connection problem or someone trying to gain unauthorized access. At the very least, review your connection logs daily, looking for suspicious activity such as invalid login attempts.
Most VPN headend products will be capable of supporting these controls and most will be able to go far beyond. Also keep in mind that the controls on endpoints play a major role in a layered defense, so do not overlook those products as part of your remote access strategy. Skipping security controls for your remote access connections could place your organization in a worse situation.
To learn more about how RSM can support your networking needs, please visit our website, call 800-274-3978, or email us. To learn more about the many ways RSM can help during the COVID-19 pandemic, please visit our Coronavirus Resource Center.