Protecting Remote Connectivity in Today’s ‘New Normal’
Through our OEM alliance with Cisco, we have had the opportunity to speak with businesses all around the world who are experiencing the same hardships around remote connectivity. Remote access VPNs have been around for a long time, and the risks have always been generally the same.
So what’s different today? These assets are more important to the operation of many businesses and it is imperative that they remain available, have the capacity to handle a greater number of users, and do not slow down productivity. Here, I’ll discuss some universal recommendations that should be helpful to businesses in “the new normal.”
Business Continuity & Technology
Lots of companies have business continuity plans that cover their data centers and brick-and-mortar locations, have already invested in redundant WAN and Internet connectivity technologies and have action plans and “run books” for when things go wrong with their traditional networks (see ITIL, ITSCM, etc.).
Some have even adopted SD-WAN technologies to ensure backup connectivity exists and that routing and application steering has been optimized for their physical locations with the assumption that their workforce will be sitting at their desks, taking phone calls, and performing work in the safety of corporate-owned and protected LAN segments.
Cloud-based SaaS solutions have grown in adoption, and should be accessible from anywhere, but there are a lot of businesses that still employ traditional models for some functions and rely on business-critical applications and services that reside within corporate data centers.
Before the COVID-19 pandemic, many organizations may have viewed remote access technologies as a luxury: a way to offer employees convenient access to company resources “on the go,” catering to the small subset of employees who could work remotely; a tool just for “after hours” support personnel; or, at best, a way for the business to continue operating with a skeleton crew for a short period of time.
Today, however, we are living in a different reality. Remote access technologies have become the way that businesses operate their day-to-day functions. Some companies are even questioning their old methods and realizing that a lot of their workforce really can work from anywhere, and that operating costs can perhaps be shifted to support a new model in which they reduce their physical real estate. Remote access technologies have become a true extension of the corporate network, giving employees access to the critical resources the business needs in order to operate.
This means that the negative impacts to the availability of remote access technologies have moved from the realm of “inconvenience” to “business/service-impacting outage.”
Protecting VPN Infrastructures
For continued availability of critical services and protection against service disruption, we recommend a hybrid DDoS protection solution combining both cloud-based DDoS protection services and on-premises protection to provide the best attack coverage with low latency.
On-premises detection and mitigation will prevent disruption from application- and protocol-specific attacks, while providing automated diversion to the cloud as attack volume grows and the risk of network saturation increases. Radware provides keyless protection against SSL-based DDoS attacks that preserves user privacy, adds no latency, and requires no access to the organization’s encryption keys.
To protect against compromise via VPN infrastructures, we recommend:
- Update VPN concentrators, network infrastructure devices, and the devices being used to work remotely with the latest software patches.
- Implement multi-factor authentication (MFA) on all VPN connections to increase security. Additionally, organizations should enforce strong password policies and prohibit the reuse of passwords for other purposes or sites. Cisco provides this feature via Duo.
- Regularly reset administrative credentials associated with potentially affected VPNs.
- Implement granular access controls in VPN solutions to limit access based on user profiles.
- Ensure and enforce the security posture of client devices before allowing access to internal resources.
- If possible, limit IP access to VPN concentrators to the geographic locations where your remote workforce lives.
Don’t Forget About ADCs!
Up to this point, we have talked about securing remote access and preventing illegitimate traffic from impacting remote access VPN infrastructures, but we cannot forget about increasing capacity to handle the growing needs of legitimate users. ADC technologies can be used to horizontally scale SSL VPN concentrators to enhance performance and to service more incoming remote access sessions.
Traffic patterns on user VPN sessions can vary widely based on application usage, large file transfers, backups, large patch downloads, etc. Furthermore, SSL VPN connections generally result in a single encrypted tunnel from the client software running on a user device to a VPN concentrator.
From an external perspective, the traffic generated from a connecting laptop or mobile device can appear as a single Layer 4 connection for the duration of the remote access “session.” This connection remains “sticky” and generally cannot be dynamically shifted to a new concentrator without impacting user experience.
An ADC can perform “health checks” to monitor the performance, connection count, and general reachability of SSL VPN devices and dynamically assign new incoming SSL VPN connections to a “pool” of concentrators. This ensures that incoming clients land on a VPN endpoint that is not reaching capacity and has enough overhead to handle the new remote access connection.
This is also an external way to provide high availability to your remote access VPN infrastructure. A best practice is to build an infrastructure that has enough concentrators to handle the expected capacity, plus one additional backup unit to “take over” incoming connections if another device in the pool should fail (commonly referred to as “N+1”).
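To make the two ideas above concrete, the following is an added, constructed model (not Radware's or Cisco's code, and not any product's configuration) of how an ADC steers new SSL VPN sessions and how N+1 sizing can be checked. The concentrator names, session limits and the 90% high-water mark are assumed values; existing tunnels are never moved, matching the stickiness described above.

```python
# Constructed model (not a real ADC's configuration): names, limits and the
# 90% high-water mark are assumed values chosen for illustration.
from dataclasses import dataclass

HIGH_WATER_PCT = 90  # assumed: above 90% of its limit a unit is "reaching capacity"


@dataclass
class Concentrator:
    name: str
    max_sessions: int
    sessions: int = 0
    healthy: bool = True  # outcome of the ADC's most recent health check

    def has_headroom(self) -> bool:
        # integer compare so the threshold test is exact
        return self.sessions * 100 < self.max_sessions * HIGH_WATER_PCT

    def utilization(self) -> float:
        return self.sessions / self.max_sessions


def pick_concentrator(pool):
    """Choose the unit for a NEW incoming session, or None if nothing is eligible.

    Only healthy members below the high-water mark qualify; the least-loaded wins.
    Established tunnels are never moved: each is one sticky L4 connection, so
    the decision applies to incoming connections only.
    """
    eligible = [c for c in pool if c.healthy and c.has_headroom()]
    return min(eligible, key=Concentrator.utilization) if eligible else None


def assign_session(pool):
    chosen = pick_concentrator(pool)
    if chosen is not None:
        chosen.sessions += 1
    return chosen


def meets_n_plus_one(pool, expected_sessions: int) -> bool:
    """True if the pool still carries the expected load after losing ANY one unit."""
    for lost in pool:
        remaining = sum(c.max_sessions for c in pool if c is not lost)
        usable = remaining * HIGH_WATER_PCT // 100  # capacity under the high-water mark
        if usable < expected_sessions:
            return False
    return True
```

A `None` from `pick_concentrator` is the signal to add capacity rather than overload a member; `meets_n_plus_one` answers the sizing question before that happens.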