The OEM alliance with Cisco has allowed us to talk with companies around the world facing the same remote connectivity challenges. Remote-access VPNs have been around for a long time, and the risks are always the same.
What changed today? These assets are now more critical for many companies, and it is essential that they remain available, that they can handle more users and that they do not suffer any loss of performance. Here I will discuss some universal recommendations that should be useful for companies in the new normal.
Business continuity and technology
Many companies have business continuity plans for their data centres and sites, have already invested in WAN technologies and redundant Internet connections, and have action plans and runbooks in case something goes wrong in their traditional networks (see ITIL, ITSCM, etc.).
Some have even implemented SD-WAN technologies to provide redundant connectivity, and have optimized application routing and management for their physical locations, with employees sitting at their desks, receiving phone calls and working securely across the enterprise and its secure LAN segments.
Cloud-based SaaS solutions are increasingly accepted and should be available everywhere. However, many organizations still use traditional models for certain functions and rely on critical applications and services housed in the enterprise data center.
The reality of today
Prior to the COVID-19 pandemic, many organisations saw remote access technology as a luxury: a means of giving travelling employees easy access to company assets, serving a small group of employees who could work remotely, covering occasional overtime, or at best a way for the company to keep working with core staff for a short period of time.
But today we live in a different reality. Remote access technologies have become the way companies carry out their daily tasks. Some companies even challenge their old methods and recognize that the majority of their workforce can actually work from anywhere, and may shift operating costs to a new model in which they reduce their physical footprint. Remote access technologies have become a real extension of the company network, giving employees access to the resources the business depends on.
This means that the impact of losing remote access technologies has shifted from inconvenience to disruption and interruption of service.
VPN Infrastructure Security
To ensure continuous availability of critical services and protection against service disruptions, we recommend a hybrid DDoS solution that combines cloud-based DDoS protection with on-premises protection, providing the best possible attack coverage with minimal latency.
On-premises detection and mitigation stops application- and protocol-specific attacks in place, and traffic is automatically diverted to the cloud as attacks grow and the risk of network saturation increases. Radware provides keyless protection against SSL-based DDoS attacks: it preserves user privacy, adds no latency, and does not require access to the organization’s encryption keys.
For protection against compromise of the VPN infrastructure, we recommend:
- Update VPN hubs, network infrastructure devices and remote access devices with the latest software patches.
- Implement multi-factor authentication (MFA) on all VPN connections to increase security. In addition, organizations must enforce a strict password policy and a mandate that prohibits reusing passwords for other purposes or on other websites. Cisco makes this capability available through Duo.
- Regularly reset administrative credentials relating to potentially affected VPNs.
- Implement granular access control in VPN solutions to restrict access based on user profiles.
- Back up the client’s devices before they access internal resources.
- If possible, restrict IP access to VPN hubs to the geographic locations where your remote staff live.
Don’t forget the ADC!
So far we have talked about protecting remote access and preventing unauthorized traffic from affecting the remote access VPN infrastructure, but we must not forget the need to meet the growing demands of legitimate users. ADC technologies can be used to scale SSL VPN hubs horizontally, improving performance and handling more incoming remote access sessions.
Traffic patterns of user VPN sessions can vary greatly depending on application usage, large file transfers, backups, important patch downloads, etc. In addition, an SSL VPN connection usually results in a single encrypted tunnel between the client software running on the user’s device and the VPN hub.
From an external perspective, the traffic generated by a connected laptop or mobile device during a remote access session looks like a single Layer 4 connection. This connection remains sticky and generally cannot be moved dynamically to a new hub without affecting the user experience.
The ADC can perform health checks to monitor the performance, number of connections and overall availability of the SSL VPN devices, and dynamically assign new incoming SSL VPN connections to hubs in the pool. As a result, incoming clients land on a VPN endpoint that has enough bandwidth and is not so overloaded that it cannot handle a new remote access connection.
This is also an external way to provide high availability for your remote access VPN infrastructure; the best approach is to build an infrastructure with enough hubs to handle the expected capacity plus one additional backup unit to absorb incoming connections if another device in the pool fails (usually called N+1).
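A small model of the ADC behaviour described above, as an added Python illustration that is not Radware or Cisco code: a new connection goes only to a healthy hub with spare sessions and bandwidth, existing (sticky) sessions stay pinned to their hub, and two helpers check the N+1 sizing rule. Hub names, capacities and load figures are constructed.

```python
from dataclasses import dataclass
import math


@dataclass
class VpnHub:
    """One SSL VPN concentrator as seen by the ADC health checks (constructed model)."""
    name: str
    max_sessions: int       # remote access session capacity of this hub
    max_mbps: float         # usable throughput of this hub
    sessions: int = 0       # sessions currently pinned to this hub
    used_mbps: float = 0.0  # throughput currently consumed
    healthy: bool = True    # outcome of the last ADC health probe

    def load(self) -> float:
        # Worst of the two constraints; 1.0 means full on at least one axis
        return max(self.sessions / self.max_sessions, self.used_mbps / self.max_mbps)


def pick_hub(pool, new_session_mbps):
    """Place a NEW connection only; existing L4 sessions are never moved."""
    candidates = [h for h in pool if h.healthy
                  and h.sessions < h.max_sessions
                  and h.used_mbps + new_session_mbps <= h.max_mbps]
    if not candidates:
        return None  # every hub is down, full, or out of bandwidth
    hub = min(candidates, key=lambda h: h.load())  # least-loaded healthy hub
    hub.sessions += 1
    hub.used_mbps += new_session_mbps
    return hub


def hubs_for_n_plus_1(expected_sessions, per_hub_sessions):
    """Hubs needed for the expected load, plus one spare (N+1)."""
    return math.ceil(expected_sessions / per_hub_sessions) + 1


def survives_single_failure(pool, expected_sessions):
    """True if the healthy hubs still hold the expected load after losing the largest one."""
    healthy = [h for h in pool if h.healthy]
    if len(healthy) < 2:
        return False
    total = sum(h.max_sessions for h in healthy)
    largest = max(h.max_sessions for h in healthy)
    return total - largest >= expected_sessions
```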
For more information, read Radware’s Global Application and Network Security Report 2019-2020.