In a previous article we discussed how to help users connect to the internet. In this article we will discuss how to enable users to access corporate resources.
Corporate access is a more complex area to discuss as there are multiple technology options and scale limitations in play, along with cyber security considerations to keep in mind.
Here, we will look at specific technologies including Remote Access VPN, Virtual Desktop and Endpoint protection, all of which may be options for providing users with ‘secure’ access to privileged apps and data you might not expose on the public internet.
These technologies, and the issues affecting them, may also require more time, planning and budget to address than general internet access. Again though, the advice provided here may be useful beyond current events.
Remote Access VPN
Remote Access VPN (RA VPN) connectivity is one of the most widely deployed and well understood technologies for remote corporate connectivity, using either web-based SSL connectivity or VPN client software (e.g. AnyConnect, GlobalProtect, built-in OS clients, etc.).
RA VPN is also one of the most at-risk solutions in terms of scale limitations/issues under current mass usage circumstances, given it is typically sized only for the limited portion of an organization's workforce that works whilst travelling or at home (in terms of capacity, performance and licencing). It is also a capability where certain legacy cybersecurity architectural decisions may be hampering delivery of services during mass usage.
Most customers that AARNet works with have some form of RA VPN services available for staff and students, for a range of use cases, from general access up to privileged access for secure administration type tasks (e.g. enabling Network Engineers to configure infrastructure, server admins to configure hosts, etc.).
Typically, these are hardware based, often on vendor firewall infrastructure, and deployed active/standby in multiple data centres to provide redundancy/resiliency. Licencing costs can be significant, and interface/bandwidth limitations will arise when usage scales up to meet the kind of demand we’re currently seeing from the push to remote working.
For example, even on platforms with 10G interfaces available, it would not be unusual to see hardware capabilities for VPN encryption to be less than 10G – this and interface bandwidth can be quickly consumed with 100s to 1000s of users connecting simultaneously.
Another typical feature of current deployments is disablement of ‘split-tunnel’ connectivity, due to cybersecurity concerns (e.g. preventing pivot-based attacks, etc.).
This of course means that once connected to the VPN, all traffic from user endpoints is routed back through the VPN and out of the corporate internet connection (e.g. general internet traffic along with corporate app/data traffic).
Whilst this may be preferable under normal circumstances, in mass usage scenarios, this has performance impacts on your users and your infrastructure.
Here’s what you can do:
- Consider allowing split-tunnel connectivity for ‘general’ access use cases (not high security administrative use cases) – only route organization-specific prefixes back to the tunnel – i.e. allowing ‘general’ internet-based traffic out via user broadband connections.
- Mitigate security concerns by adopting a ‘zero-trust’ type architecture at your organization – protect internal resources more effectively from all wired, wireless and VPN connected endpoints equally. Research into Zero Trust from organizations such as Forrester indicates that internally managed workstations can be as much of a threat these days as BYOD hosts. Apply policies for additional inspection at data centre edges for VPN IP ranges, and consider east/west traffic controls.
- Another possible cyber security mitigation to consider within zero trust is Endpoint protection, where security controls are embedded into workstations using a software client. Your organization may already have endpoint protection and anti-virus for managed devices, for example, but may not yet have deployed zero-trust features there, or endorsed/required usage on BYOD. Now may be the time to consider recommending and supplying endpoint software for users’ BYOD machines.
- Another common security concern is Data Loss Prevention (DLP) capability when using split-tunnelling (or in general for that matter). DLP capabilities are often available in next-generation endpoint and VPN solutions that support split tunnelling (e.g. Palo Alto GlobalProtect, etc.).
- A cloud-based secure web gateway (SWG) capability may also be a useful tool for your organization (e.g. Cisco Umbrella, Zscaler Internet Access). Vendors providing these services in cloud can scale up to meet requirements, which means that this may be a better means of providing secure access to critical apps and data than VPN.
- If VPN is still the preferred option, consider deploying software VPN capabilities that can be scaled up, or duplicated to scale out. There are freeware and low-cost options available that might suit your needs, but this requires a small amount of research. Note: AARNet is currently investigating EduVPN for suitability for supporting our customers as an additional services capability.
- Also consider leveraging unused capabilities in your hardware (licence permitting) – e.g. switching to active/active mode for existing VPN gateways, looking at deploying VPN capability in other firewall or load balancer platforms that have these capabilities inbuilt but perhaps not deployed. Switching a small group of ‘power’ or tech-savvy users to an otherwise underutilized platform in your stack can reduce stress on primary platforms without heavy requirement for re-education of all users.
- Finally, if IP addressing availability for VPN user pools is a concern, now may be the time to re-examine and reconsider legacy approaches to private IP and NAT usage. It can and does work at scale and most users do not notice (e.g. a recent Aussie Broadband technical discussion indicated that when switching their users to CGNAT with opt-out options communicated, only 10% of customers opted out).
- Now may also be the time to examine or scale up your cloud hosting for heavily used applications. Many organizations we work with have already moved some of their higher criticality apps to Cloud and SaaS anyway. This should provide optimal access to these from general internet connections (e.g. leveraging internet service provider peering to clouds). If split-tunnelling, this approach can prevent that traffic from smashing your VPN infrastructure.
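The first point above (split tunnel only where the include routes are organization-specific prefixes) is easy to state and easy to get wrong in a client config. The following is an added example, not code from the original article or from any VPN vendor: a small audit of a split-tunnel include list that flags a default route (which silently turns split tunnel back into full tunnel), routes outside the organization's prefixes, and routes overlapping ranges commonly used on home broadband LANs, which would pull the user's local traffic into the tunnel. The prefix lists are constructed for illustration.

```python
import ipaddress

# Constructed: the organization's own prefixes, the only ones that should be
# routed into the tunnel under a split-tunnel policy (203.0.113.0/24 is a
# documentation range standing in for the organization's public space).
CORP_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12", "203.0.113.0/24"]

# Constructed: ranges frequently handed out by home broadband routers. An
# include route overlapping these captures the user's home LAN traffic.
HOME_LAN_PREFIXES = ["192.168.0.0/16", "10.0.0.0/24", "10.1.1.0/24"]


def _nets(prefixes):
    """Parse prefix strings into network objects (host bits tolerated)."""
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def audit_split_tunnel(include_routes, corp_prefixes=CORP_PREFIXES,
                       home_lans=HOME_LAN_PREFIXES):
    """Return (route, finding) pairs for include routes that break the policy
    'only organization-specific prefixes are routed back through the tunnel'."""
    findings = []
    corp, home = _nets(corp_prefixes), _nets(home_lans)
    for route in _nets(include_routes):
        if route.prefixlen == 0:
            # 0.0.0.0/0 or ::/0 means everything goes to the tunnel anyway.
            findings.append((str(route), "default route: split tunnel is not in effect"))
            continue
        if not any(route.version == c.version and route.subnet_of(c) for c in corp):
            findings.append((str(route), "not within an organization prefix"))
        if any(route.version == h.version and route.overlaps(h) for h in home):
            findings.append((str(route), "overlaps common home LAN range"))
    return findings


def tunnel_or_direct(destination, include_routes):
    """Which path a split-tunnel client takes for a destination address."""
    dst = ipaddress.ip_address(destination)
    covered = any(dst.version == r.version and dst in r for r in _nets(include_routes))
    return "tunnel" if covered else "direct"


if __name__ == "__main__":
    # Constructed include list: one clean corporate route plus two mistakes.
    proposed = ["10.10.0.0/16", "203.0.113.0/24", "192.168.1.0/24", "0.0.0.0/0"]
    for route, finding in audit_split_tunnel(proposed):
        print(f"{route:18} {finding}")
    print("198.51.100.7 ->", tunnel_or_direct("198.51.100.7", ["10.10.0.0/16"]))
```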
Remote Desktop and Virtual Desktop Infrastructure (VDI)
Some organizations already have significant deployments of VDI solutions (e.g. Citrix products, Terminal Services, etc.) to support providing predictable and/or secure access to applications and data for their users in otherwise lower-security environments (e.g. on non-University managed Hospital Networks, etc.). Other use cases include using VDI as secure ‘bastion’ or ‘jump-hosts’ for administering secure services.
We also know of customers with staff using Remote Desktop connectivity for remote access to their office or laboratory workstations, although many network and security staff would rather this wasn’t the case due to cybersecurity concerns.
Some general considerations for VDI and Remote Desktop:
- Many VDI vendors now offer cloud-based VDI solutions – this may be worth examining if you are starting to experience VDI scale limitations, again owing to cloud-provider scale up/scale out capabilities.
- A more secure means of supporting Microsoft Remote Desktop may be through deployment of Remote Desktop Gateway (RDG) services – these can be built on VM infrastructure using Microsoft servers, and scaled up or dedicated per instance to different groups to spread load. This approach enables more secure access by allowing you to block general remote desktop access from outside the corporate network, and use RDG services as the sole entry point for remote desktop users whilst managing scale.
- Again, consider usage for specific secure use cases or applications only, in order to limit scale and performance issues for your users. Does all internet access from them really need to be via this method?
Some other remote corporate access considerations
Multi-factor Authentication
Many customers we work with are currently deploying multi-factor authentication (MFA, 2FA, etc.) for secure access to certain apps or remote corporate connectivity (including VPN and VDI). There has been a recent move toward hardware-based tokens for this (e.g. YubiKey), but this may not scale for mass usage. Consider hardware options for the highest security use cases, and investigate software-based options (e.g. smartphone tokens) for general use if MFA is preferred for general access.
Endpoint Security and Antivirus
As mentioned with RA VPN, opening up the network to remote users brings some potential added risk. Some of this can be mitigated with enhanced endpoint security (software on remote user devices), in addition to ensuring the internal network has sufficient controls and inspections in place. Your users might not be on a fully managed device however, so now is a critical time to instruct them on how best to secure their devices – which software (e.g. Antivirus, anti-malware, etc.) you recommend and basic instructions on how to download and install it. Do you have a managed endpoint package that’s usually deployed to managed devices and can that be extended to their home devices?
Other useful links and resources
Author: Paul Italiano, AARNet Enterprise Services Technical Consultant – Networks
Disclaimer: This is general advice only and is not intended to address individual circumstances. Each person should conduct their own evaluation of using any product or service.