Remote Security Series: Urgent Questions You’ll Face About VPN and Remote Access

 As the coronavirus has pushed almost all of the workforce remote, IT teams have been very busy making networks accessible in ways they weren’t previously. Most organizations plan for a consistent number of users remotely accessing the network. I doubt any planned for a nearly global work-from-home (WFH) event like COVID-19. 

As a result, I’ve worked with a few companies to help implement some very last-minute WFH solutions. I came away with a better understanding that there are some critical questions companies need to be asking (and answering) right now. 

Do you have enough VPN licenses? Imagine being told on a Friday afternoon that everyone will be working from home for the foreseeable future. One company’s VPN was licensed for 100 users but had over 250 working remotely. Their immediate answer was to open up remote desktop ports for each user’s office computer. Bad idea, especially considering a few passwords were very insecure, including “Winter2020!” and “Corona2020$.” 

Do you have enough bandwidth? Like VPN licenses, most companies have plenty of bandwidth to handle office data and the normal load of remote users with no issues. But with everyone working from home and many streaming media, this can cause a lot of strain on your network and lead to performance issues and outages.  

Is split tunneling appropriate for your company? In many cases, split tunneling is a great way to address the bandwidth issue. However, you lose some encryption as you now have only certain applications and network traffic going back through the encrypted VPN. This can lead to data being mishandled, so make sure you have safeguards in place to prevent that. Also, it’s a good idea to block streaming services through the VPN tunnel or on an endpoint protection product. 

Are your users trained to use the VPN? With the rush to get users setup, users who worked in the office every day are now trying to do the same type of work from home. This may be painfully slow if they are accustomed to 1000 Mbps in the office and get only 50 Mbps at home. Their fix will be to download files locally, work on them, and then upload them back when done (we hope). That raises a couple of other important questions…

Do they delete sensitive data from their computers when they are done?  Do they even know they should do this? If there’s even a speck of doubt, I strongly recommend putting data loss prevention (DLP) tools on the endpoints to ensure data isn’t leaving the network unsecured.

Do you have a ‘shadow IT’ problem you didn’t know about? Here’s an interesting issue I ran into recently: A company realized there were employees who had been working remotely for years, but who didn’t know how to use the VPN to access files they need on a daily basis. I decided they either have integrity challenges, or they have unauthorized side channels they may not know about. Let’s set aside the ethics issue and assume you suspect the latter. Now would be a good time to start monitoring traffic going out to popular file sharing services. In an incident response situation, these services create more areas to audit, and your price tag and scope just increased a lot. Imagine thinking you have 10 servers and 400 workstations to check and then adding every Dropbox, Box.net, Sync and OneDrive account and folder. 

Is your VPN network being monitored or logged? How many concurrent connections are allowed per user? This is important if a user is compromised and you allow unlimited connections per user. A malicious person can be connected to your network and it may go unnoticed. That’s why you should enforce MFA on your remote access solution.

Are user endpoints encrypted and patched? Your end users are now working on networks with potential default passwords and weak wireless security, which you probably can’t control. It is very important then that you harden as much as you possibly can control.  Once your WFH solutions are in place, make sure you remember to audit their security. Don’t let a rush to get users working remotely lead to costly misconfigurations and data breaches — just because they click a malicious COVID-19 update or decide to watch cat videos.

Does your business continuity plan reflect the new reality? Remote access to critical data should be a part of your business continuity plan. Being surprised by a hard limit of users on your VPN appliance can lead to a rush to provide accessibility, which in turn can lead to bad security decisions. Testing this plan will also show you areas that need to be addressed or that would be much easier to handle if you had known ahead of time. Also, ensure you have an updated remote access and VPN policy in place. Your end users will not always make smart security decisions, so ensure that they have a document to reference.

 The coronavirus emergency is putting all of us to the test, but especially the IT teams who shoulder the responsibility for keeping a remote workforce secure and productive. Make sure you have good answers to these questions and, if you need help, remember we are here for you.

 Raxis is always happy to discuss your unique circumstances and to offer options specific for your needs as well as your budget.

Contact Raxis for more information.

 Want to learn more? Take a look at the next part of our Remote Security Series.

Raxis X logo as document separator
Working dad holds baby while reading his laptop
PenTest As a SErvice

Penetration Testing as a Service doesn’t have to be a dressed up vulnerability scan. Raxis PTaaS delivers a solid pentest done right and when you need it.

Blog CAtegories