Written by: Eduardo Elvira
When this pandemic started, back in February, we experienced an overwhelming change in how we live our lives. Consequently, I couldn’t help but contemplate how these changes would impact cybersecurity, especially for remote working. I found myself re-thinking concepts like split tunneling and the different options for its configuration. While it seems every client will have their own unique requirements, the same conclusion applied to all of them: “All roads lead to Endpoint Security”.
Let’s expand on this…
In order to do that, I need to explain split tunneling: when a user is working from home, split tunneling allows us to specify which traffic goes directly out to the internet and which traffic is tunneled back to the company. Different vendors have different “VPN agents”, but they are becoming much more than Virtual Private Network (VPN) agents. For now, let’s just focus on that functionality. The agent uses Windows routes to specify which destinations should be tunneled. All of this is usually configured at the HQ firewall, allowing granular policies based on users, departments, etc. It provides great flexibility, allowing us to include even FQDN addresses, but the major advantage is that it sanitizes the traffic which goes through the tunnel, using the security features we already have back at the office: antivirus, content filtering, sandboxing, IPS, SSL inspection, etc.
Hold on… but what happens with all the traffic that doesn’t go back through the tunnel? What if the user downloads malware that captures information and sends it to the C&C? What if the user receives a link to a phishing website? What if… Well, that is the first consideration. We need to ensure that this traffic is protected, somehow. Let’s be more specific about some of the options we have:
• Some endpoint security software can protect the traffic that is not tunneled. This software can implement security functions similar to those of our firewall back at the office. As you can guess, these are some of the other functions that the “Endpoint Agent” can now help with.
• Web proxy technologies are well suited to protecting web browsing from different security threats. Ok, but we are talking about remote users working from home – not a problem, let’s put the web proxy in the cloud!
Different security vendors use their endpoint agents to send the internet traffic to their web proxies in the cloud, while company traffic is still tunneled through the VPN.
In my opinion, both options work well to solve the challenges we are currently facing; which one you use will depend on the infrastructure already in place and the organization’s cloud strategy.
Independent of the option you go for, visibility is key. With all users working remotely, security administrators need a clear idea of what is happening on the company computers, whether they are connected onsite or working from home. At the same time, we need to be able to respond to any breach or suspicious alert, but EDR is a topic for a different day.
You could be using either a management console in the cloud or an on-premise solution that gives the endpoint agents visibility through the DMZ, but in either case, integration with your company’s SIEM will be important.
You might be thinking – those are two solutions for the main issue of having traffic going directly to the internet… but what if we tunneled all the traffic to the office, so we can use the company protections we already invested in? Problem solved!! That is actually a valid solution, but unfortunately, not all companies will be able to implement it, mainly due to bandwidth limitations. All users’ internet traffic tunneled back through the company firewall will have an impact on firewall performance and on the bandwidth of the internet line. Keep in mind that inbound traffic will increase, since tunneled traffic first arrives through the external interface, passes the firewall security checks, goes back out to the internet, and comes back again to the remote users through the same port.
What about using the secondary internet line (if available) to receive the remote users’ tunnel traffic, and the primary to send the traffic to the internet? Personally, I’ve never seen it implemented; it is just an idea which came to me while writing this blog. We can still find a bottleneck in the main internet line, but I think it could be useful in some specific scenarios… some food for thought.
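To make the two points above concrete, the following is an added example (not the author’s or Ward Solutions’ code) that models a split-tunnel policy the way the VPN agent pushes it into the host route table, then counts how much traffic bypasses the HQ security stack and how many times each flow crosses the HQ internet line under split versus full tunneling. The routes, internal prefixes and flow sizes are constructed for illustration.

```python
import ipaddress
# Constructed split-tunnel policy, modelled the way the VPN agent pushes it into
# the host route table: the most specific matching route wins.
SPLIT_ROUTES = [
    ("0.0.0.0/0",       "direct"),  # laptop's default gateway (home ISP)
    ("10.0.0.0/8",      "tunnel"),  # HQ internal networks
    ("172.16.20.0/24",  "tunnel"),  # datacentre segment
    ("198.51.100.7/32", "tunnel"),  # FQDN entry the HQ firewall resolved to a /32
    ("10.99.0.0/16",    "direct"),  # guest segment deliberately excluded
]
# Prefixes that live behind the HQ firewall; anything else is on the internet.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.20.0/24")]
# Constructed sample of one remote user's flows: (destination, bytes exchanged).
FLOWS = [
    ("10.1.2.3",      50_000_000),   # file server at HQ
    ("172.16.20.10",   5_000_000),   # internal web app
    ("198.51.100.7",   1_000_000),   # SaaS host pinned to the tunnel by FQDN
    ("10.99.4.4",      2_000_000),   # guest segment, excluded from the tunnel
    ("203.0.113.9",  300_000_000),   # video conferencing on the internet
    ("192.0.2.44",    20_000_000),   # ordinary web browsing
]

def next_hop(dst, routes=SPLIT_ROUTES):
    """Longest-prefix match: return 'tunnel' or 'direct' for a destination."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1]

def split_tunnel_report(flows=FLOWS):
    """Bytes the HQ security stack inspects versus bytes that bypass it entirely."""
    tunneled = sum(b for d, b in flows if next_hop(d) == "tunnel")
    direct = sum(b for d, b in flows if next_hop(d) == "direct")
    return {"inspected_by_hq": tunneled, "uninspected_direct": direct}

def line_traversals(dst, hop):
    """Crossings of the HQ internet line: 0 if never tunneled, 1 if the flow ends
    inside HQ, 2 if the firewall hairpins it out to the internet and back."""
    if hop == "direct":
        return 0
    return 1 if any(ipaddress.ip_address(dst) in n for n in INTERNAL_NETS) else 2

def hq_line_load(flows=FLOWS, full_tunnel=False):
    """Total bytes crossing the HQ internet line under split or full tunneling."""
    return sum(b * line_traversals(d, "tunnel" if full_tunnel else next_hop(d))
               for d, b in flows)
```

With these constructed flows, split tunneling leaves most of the user’s bytes uninspected by HQ, while full tunneling more than doubles the load on the HQ line because every internet-bound byte crosses it twice.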
We cannot forget the main purpose of the VPN client, whether it uses SSL VPN (I like to call it TLS VPN now, but anyway…) or IPsec VPN: to protect and encrypt traffic. Both “protocols” are considered very secure, mainly because the ciphers they use are constantly evolving and improving. That means they need to be configured properly, disabling the insecure ciphers, etc.
If the VPN protocols are very secure, there is not much risk to consider with our users working from home, right? The VPN protocols themselves are very secure and, if configured properly and maintained, their risks are easily managed. That said, taking the path of least resistance, an experienced bad actor would rather avoid attacking the strong defenses and focus on identifying the weak points… in this case, the endpoint itself and its applications.
No matter which angle I look at this topic from, everything brings me back to endpoint security and its visibility.
At Ward Solutions we can help you maintain your VPN configuration securely and mitigate the risks. We can discuss the best options for your organization and provide solutions not just for remote access but also for endpoint protection.
As always, Ward Solutions will continue to Assess, Protect, Detect & Respond to your cyber security needs. If you need to contact Ward Solutions on any matter, then:
Contact your normal account manager for sales or email@example.com
Contact our orders department at firstname.lastname@example.org
Contact our service delivery office at email@example.com
Contact our Security Operations centre at SOC@ward.ie
Contact our Network Operation centre at NOC@ward.ie
Contact our finance department at Finance@ward.ie