One of the biggest challenges to ensuring business continuity with staff working from home is the networking domain, given the network is the primary enabler for remote working. AARNet staff are experienced with working remotely, and we provide services (including Zoom) that are relied upon to support remote working.
In a previous article we discussed how to help users connect to the internet. In this article we will discuss how to enable users to access corporate resources.
Corporate access is a more complex area to discuss as there are multiple technology options and scale limitations in play, along with cyber security considerations to keep in mind.
Here, we will look at specific technologies including Remote Access VPN, Virtual Desktop and Endpoint protection, all of which may be options for providing users with ‘secure’ access to privileged apps and data you might not expose on the public internet.
These technologies, and the issues affecting them, may also require more time, planning and budget to address than general internet access. Again, though, the advice provided here may be useful beyond current events.
Remote Access VPN (RA VPN) connectivity is one of the most widely deployed and well-understood technologies for remote corporate connectivity, using either web-based SSL connectivity or VPN client software (e.g. AnyConnect, Globalconnect, built-in OS clients, etc.).
RA VPN is also one of the solutions most at risk of scale limitations under current mass-usage conditions, given it is typically sized (in capacity, performance and licensing) for only the limited portion of an organisation's workforce that works while travelling or at home. It is also a capability where certain legacy cyber security architecture decisions may be hampering delivery of services during mass usage.
Most customers that AARNet works with have some form of RA VPN services available for staff and students, for a range of use cases, from general access up to privileged access for secure administration type tasks (e.g. enabling Network Engineers to configure infrastructure, server admins to configure hosts, etc.).
Typically, these are hardware-based, often on vendor firewall infrastructure, and deployed active/standby across multiple data centres for redundancy and resiliency. Licensing costs can be significant, and interface and bandwidth limitations will arise when usage scales up to meet the kind of demand we're currently seeing from the push to remote working.
For example, even on platforms with 10G interfaces available, it is not unusual for the hardware's VPN encryption throughput to be below 10G. Both the encryption capacity and the interface bandwidth can be consumed quickly when hundreds to thousands of users connect simultaneously.
Another typical feature of current deployments is disablement of ‘split-tunnel’ connectivity, due to cybersecurity concerns (e.g. preventing pivot-based attacks, etc.).
This of course means that once connected to the VPN, all traffic from user endpoints is routed back through the VPN and out of the corporate internet connection (e.g. general internet traffic along with corporate app/data traffic).
Whilst this may be preferable under normal circumstances, in mass-usage scenarios it has performance impacts on both your users and your infrastructure.
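The interaction between full-tunnel routing and concentrator capacity described above can be made concrete with a small model. The following is an added example, not code from the original article or from AARNet: it classifies each flow as tunnelled or direct under a split-tunnel or full-tunnel policy, sums the load that lands on the VPN concentrator, and compares it with the lower of the encryption throughput and the interface speed. The corporate prefixes, the per-user traffic profile and the 3 Gbps / 10 Gbps concentrator figures are all constructed for illustration.

```python
import ipaddress

# Constructed corporate address space for this example; a real deployment would
# take these from the concentrator's split-tunnel ACL / secured-routes list.
CORPORATE_PREFIXES = [
    ipaddress.ip_network(p)
    for p in ("10.0.0.0/8", "172.16.0.0/12", "203.0.113.0/24")
]


def route_for(destination: str, split_tunnel: bool) -> str:
    """Return 'tunnel' if a flow to this destination traverses the VPN, else 'direct'.

    Corporate destinations always go through the tunnel. General internet
    destinations go direct only when split tunnelling is enabled; with split
    tunnelling disabled (the common default) they are hairpinned through the
    corporate internet connection as well.
    """
    addr = ipaddress.ip_address(destination)
    if any(addr in net for net in CORPORATE_PREFIXES):
        return "tunnel"
    return "direct" if split_tunnel else "tunnel"


def vpn_load_mbps(flows, split_tunnel: bool) -> float:
    """Sum the bandwidth (Mbps) of every flow the VPN concentrator must carry."""
    return sum(mbps for dest, mbps in flows if route_for(dest, split_tunnel) == "tunnel")


def capacity_check(flows, split_tunnel: bool, crypto_mbps: float, interface_mbps: float) -> dict:
    """Compare offered VPN load with the concentrator's tightest limit.

    Encryption throughput is frequently lower than the interface speed, so the
    effective ceiling is the minimum of the two.
    """
    load = vpn_load_mbps(flows, split_tunnel)
    limit = min(crypto_mbps, interface_mbps)
    return {
        "load_mbps": load,
        "limit_mbps": limit,
        "utilisation": load / limit,
        "over_capacity": load > limit,
    }


# Constructed per-user traffic profile: (destination, average Mbps).
# 10.20.30.40 and 203.0.113.10 are "corporate"; the other two are general
# internet destinations (video conferencing, web browsing) using TEST-NET ranges.
USER_PROFILE = [
    ("10.20.30.40", 0.5),
    ("203.0.113.10", 1.0),
    ("198.51.100.7", 4.0),
    ("192.0.2.25", 0.5),
]


def fleet_flows(users: int) -> list:
    """Replicate the constructed per-user profile across a fleet of users."""
    return USER_PROFILE * users


if __name__ == "__main__":
    # Constructed concentrator: 10G interface but only 3 Gbps of IPsec/SSL throughput.
    for policy in (False, True):
        result = capacity_check(fleet_flows(1000), policy, crypto_mbps=3000, interface_mbps=10000)
        label = "split-tunnel" if policy else "full-tunnel"
        print(f"{label:12s} load={result['load_mbps']:.0f} Mbps "
              f"limit={result['limit_mbps']:.0f} Mbps "
              f"utilisation={result['utilisation']:.0%} over={result['over_capacity']}")
```

In the constructed scenario, 1000 users generate 6 Gbps through the concentrator under full tunnelling, twice its encryption ceiling, but only 1.5 Gbps with split tunnelling, because the bulk of each user's traffic is general internet. The model makes the trade-off explicit: split tunnelling buys headroom on the concentrator at the cost of the endpoint being simultaneously on the home network and the corporate network, which is the pivot concern the article raises.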
Here’s what you can do:
Some organisations already have significant deployments of VDI solutions (e.g. Citrix products, Terminal Services, etc.) to provide predictable and/or secure access to applications and data for users in otherwise lower-security environments (e.g. on hospital networks not managed by the University, etc.). Other use cases include using VDI as secure 'bastion' or 'jump' hosts for administering secure services.
We also know of customers with staff using Remote Desktop connectivity for remote access to their office or laboratory workstations, although many network and security staff would rather this wasn’t the case due to cybersecurity concerns.
Some general considerations for VDI and Remote Desktop:
Multi-factor Authentication
Many customers we work with are currently deploying multi-factor authentication (MFA, 2FA, etc.) for secure access to certain apps or to remote corporate connectivity (including VPN and VDI). There has been a recent move toward hardware-based tokens for this (e.g. YubiKey), but these may not scale for mass usage. Consider hardware options for the highest-security use cases, and investigate software-based options (e.g. smartphone tokens) for general use if MFA is preferred for general access.
Endpoint Security and Antivirus
As mentioned with RA VPN, opening up the network to remote users brings added risk. Some of this can be mitigated with enhanced endpoint security (software on remote user devices), in addition to ensuring the internal network has sufficient controls and inspection in place. Your users might not be on a fully managed device, however, so now is a critical time to instruct them on how best to secure their devices: which software (e.g. antivirus, anti-malware, etc.) you recommend, and basic instructions on how to download and install it. Do you have a managed endpoint package that is usually deployed to managed devices, and can it be extended to their home devices?
Author: Paul Italiano, AARNet Enterprise Services Technical Consultant – Networks
Disclaimer: This is general advice only and is not intended to address individual circumstances. Each person should conduct their own evaluation before using any product or service.
May 25, 2020