Due to the COVID-19 virus, many of our clients are in the process of planning for the eventuality of supporting an entirely remote workforce. As your partner, we wanted to take a few moments and review some of the technical considerations that apply to supporting a large increase in remote connectivity.
Client-based VPN
Organizations that already provide remote access via a VPN may find this the simplest path to allowing employees to work remotely. However, that does not mean that this option is without technical considerations.
- First, it is important to ensure that the firewall or VPN concentrator has enough capacity to support the full scale of VPN connectivity that will be required. VPN encryption is a resource-intensive task, and pushing a firewall near its VPN connectivity limits may degrade overall performance.
- Next, be aware of nuances that exist in different manufacturers’ VPN licensing. If you are planning to deploy Chromebooks, for example, make sure you understand whether additional licenses are required for mobile devices to connect to the VPN.
- Finally, if you are planning to deploy VPN software to your users’ personal computers, be especially cautious of threats that may be introduced by those devices. We recommend limiting access from those devices to the minimum required to perform work functions. Strict IPS and anti-malware rules should also be applied to these kinds of VPN connections.
Remote Access Points (RAPs)
There is another solution that works quite well for teleworkers: remote access points. RAPs can be easily deployed to users’ homes or remote office locations and will automatically extend the corporate wired and wireless networks over a secure connection. While this is a more seamless method of connecting users remotely, it does require some planning.
- Proper infrastructure needs to be installed and configured in the data center. This part is already in place for many customers. But, as in the client VPN case, sizing needs to be considered.
- Lastly, make sure to consider the network architecture supporting the RAP implementation. We recommend that an IPS and/or next-generation firewall be placed between RAP users and the corporate network to protect against threats introduced by users connected over a RAP.
Virtual Desktops (VDI)
If you already have virtual desktop infrastructure, leveraging that deployment can drastically improve the administration, security and performance involved in supporting teleworkers. In order to use this environment, you will first need to think about how users will connect to it. Be aware that if you expose VDI interfaces to the public Internet, they will become a target for attacks. Consider implementing security controls like multi-factor authentication and strict application firewalls to mitigate this risk where possible. Utilizing VPNs or RAPs for those connections is more secure, but keep in mind many of the considerations above apply.
Secure Web Gateways
Secure web gateways (SWGs) are a relatively new technology originally designed to secure SaaS applications and web access for a distributed or remote workforce. One of the major benefits of these services is that they are cloud-based, so no equipment needs to be deployed either in the data center or remote offices. If your organization primarily uses SaaS applications, you may have already looked at SWGs as a path to securing them. Many people don’t realize, however, that secure web gateways often also include a remote access component. There are several benefits to using an SWG to address this immediate need:
- As a cloud-based service, they can enable remote access quickly with no additional hardware to purchase or install
- Capacity is typically not a consideration because SWGs can scale on demand
- Users and sites can be onboarded quickly without concern for where they are physically located
- Since SWGs are designed with security in mind, the remote access enabled by them may also provide secure segmentation and visibility
In summary, the main considerations in giving remote workers a faithful re-creation of the access that they may enjoy from the office are the capacity of the infrastructure being used from outside the organization’s walls and the security needed to ensure that corporate resources remain protected, even when weighed against user convenience during telework. Often, the specific trade-offs chosen when evaluating, selecting, implementing, and operating telework architectures revolve around the typical usage pattern of the workforce. When that usage pattern changes significantly, the implications for both user experience and the effectiveness of security controls can be broad.
Here are some additional links that may prove helpful:
Management Checklist for Teleworking Surge During COVID-19 Response from the Healthcare and Public Health Sector Council
Older document from Trello titled The Best Advice for Remote Work Success from 10 Global Teams
Cybersecurity and Infrastructure Security Agency’s Page on Coronavirus
There may be bad actors pretending to be government or other agencies acting during this crisis. You might also take a look at the WHO’s page on Cybersecurity.