Author's Note: This was an article I previously wrote for the Dasher Technologies blog on May 7th, 2020. As Dasher has been acquired by Converge Technology Solutions, the Dasher blog may be removed in the future; I am posting this here for archival purposes (with permission).
(Original Blog Post) Author’s Note: When this idea was originally suggested, there was debate between (Dasher CTO) Chris Saso and me about whether the author of the song that I reference in the title is Bruce Springsteen or Edwin Starr. You be the judge – before you google for the answer!
With the explosive growth of working from home, many organizations have had to dramatically scale up their Client VPN infrastructure to accommodate the increased demand from remote workers. Unfortunately, with this move towards a remote workforce, the security posture of many organizations has weakened. In this post, I’d like to discuss some of the increased risks associated with Client VPN, and how to address them.
The Risks of Client VPN
There are several risks associated with most Client VPN deployments, the biggest of which is the use of split tunneling. Split tunneling, for those who aren’t familiar with it, is the practice of configuring a VPN client to send only traffic destined for certain IP ranges (typically the corporate networks) through the VPN, while the rest of the traffic, including general internet traffic, leaves directly through the Client’s local internet connection. Split tunneling improves internet access performance, because the Client’s internet traffic doesn’t have to “boomerang” (hairpin) through the organization’s firewall and back out again.
The security risk of this deployment method is simple to define – because the Client’s internet traffic is no longer traversing the company’s firewall, the firewall’s web filtering, intrusion prevention, malware inspection and DNS controls never see it. Therefore, split tunneling could result in abuses of acceptable use policies, such as streaming movies or visiting sites otherwise considered “not safe for work”, or it could lead to much more significant organizational issues, such as infection by malware – and an infected Client still holds an authenticated tunnel into the corporate network. In addition, the traffic that bypasses the tunnel is not protected by the VPN’s encryption; anything sent in the clear, including DNS lookups if the client resolves them locally rather than through the tunnel, is exposed to eavesdropping when the Client is on an unsecured wireless network, such as at a coffee shop. (Traffic to the corporate network itself remains encrypted either way.)
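Whether a given client is actually split-tunnelled is a question the routing table answers, and it is worth checking rather than trusting the VPN profile: the kernel picks routes by longest prefix and then lowest metric, so a “full tunnel” pushed as a 0.0.0.0/0 route with a worse metric than the DHCP default quietly leaks everything. The script below is an added example written for this post, not code from the original article or from any VPN vendor. It assumes a Linux client and the text format of `ip -4 route show`; the interface names (`tun0`, `wlp2s0`), addresses and the three route tables are constructed for illustration, and only IPv4 is examined (a client with native IPv6 and an IPv4-only VPN leaks over IPv6 regardless).

```python
"""Added example: classify a Linux VPN client as split- or full-tunnel from its
routing table, reproducing the kernel's longest-prefix / lowest-metric selection.
Assumes `ip -4 route show` output; all sample tables below are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Route:
    net: IPv4Network
    dev: str
    metric: int
    link: bool  # "scope link": the directly attached subnet, not a tunnelled route


def parse_routes(text: str) -> list[Route]:
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or "dev" not in tok:
            continue  # blackhole/unreachable routes carry no device; skip them
        prefix = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        if "/" not in prefix:
            prefix += "/32"  # host route, typically to the VPN server itself
        net = ip_network(prefix, strict=False)
        if net.version != 4:
            continue
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok else 0
        link = "scope" in tok and tok[tok.index("scope") + 1] == "link"
        routes.append(Route(net, tok[tok.index("dev") + 1], metric, link))
    return routes


def lookup(routes: list[Route], dst: str) -> str | None:
    """Interface the kernel would use for dst: longest prefix, then lowest metric."""
    ip = ip_address(dst)
    cands = [r for r in routes if ip in r.net]
    if not cands:
        return None
    return max(cands, key=lambda r: (r.net.prefixlen, -r.metric)).dev


def _subtract(net: IPv4Network, holes: list[IPv4Network]) -> list[IPv4Network]:
    """CIDR pieces of net that none of the (more specific) holes cover."""
    pieces = [net]
    for h in holes:
        nxt = []
        for p in pieces:
            if p.subnet_of(h):
                continue  # piece swallowed whole
            if h.subnet_of(p):
                nxt.extend(p.address_exclude(h))  # punch the hole out of the piece
            else:
                nxt.append(p)
        pieces = nxt
    return pieces


def egress_map(routes: list[Route]) -> list[tuple[IPv4Network, Route]]:
    """Every address range paired with the route that actually serves it."""
    out = []
    for r in routes:
        if r.metric != min(o.metric for o in routes if o.net == r.net):
            continue  # same prefix, higher metric: never selected
        holes = [o.net for o in routes if o.net != r.net and o.net.subnet_of(r.net)]
        out.extend((piece, r) for piece in _subtract(r.net, holes))
    return out


def leaks(routes: list[Route], vpn_if: str) -> list[IPv4Network]:
    """Ranges that bypass the VPN, ignoring the local LAN and /32 host routes."""
    return sorted(piece for piece, r in egress_map(routes)
                  if r.dev != vpn_if and not r.link and r.net.prefixlen != 32)


def is_full_tunnel(routes: list[Route], vpn_if: str) -> bool:
    return not leaks(routes, vpn_if)


# Constructed `ip -4 route show` output for three clients (not captured from a real host).
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlp2s0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
172.16.0.0/12 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlp2s0 proto kernel scope link src 192.168.1.23 metric 600
"""
# OpenVPN-style "redirect-gateway def1": two /1 routes out-rank the DHCP default.
FULL_TUNNEL = """\
default via 192.168.1.1 dev wlp2s0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlp2s0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.10 via 192.168.1.1 dev wlp2s0
"""
# The client was told "full tunnel", but its 0.0.0.0/0 via tun0 loses on metric.
BAD_METRIC = """\
default via 192.168.1.1 dev wlp2s0 proto dhcp metric 600
default via 10.8.0.1 dev tun0 metric 700
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlp2s0 proto kernel scope link src 192.168.1.23 metric 600
"""
```

On a live Linux host, feed `parse_routes` the output of `subprocess.check_output(["ip", "-4", "route", "show"], text=True)` and call `leaks(routes, "tun0")` (or whatever the tunnel interface is named); an empty list means every non-local destination egresses through the tunnel. The `_subtract` step matters because full-tunnel clients usually keep the original default route and simply shadow it, as the two /1 routes in `FULL_TUNNEL` do, so checking for the presence of a non-VPN default route alone gives the wrong answer. The `BAD_METRIC` table is the case to look for in the field: the VPN route exists, the client UI reports full tunnel, and the kernel sends everything out the wireless interface anyway. Windows (`route print`) and macOS (`netstat -rn`) print their tables differently, so the parser would need adapting there; the egress logic does not.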
The Simple Fix Isn’t So Simple
Most cybersecurity engineers would say the fix to the split tunnel issue is as straightforward as it sounds – force all traffic back through the organization’s firewall, so security policies can be applied exactly as they are for users in the office. Unfortunately, as with many security-related implementations, the tradeoff for additional security is often a reduction in performance. While more and more residential internet customers have access to Gigabit internet speeds, most businesses are still running business-grade internet circuits well under Gigabit speeds, and those circuits still need to reserve sufficient bandwidth for customer-facing services; with full tunneling, every remote user’s web browsing, streaming and software updates now consume that same circuit twice (inbound over the VPN, then outbound to the internet). Additionally, with the increased use of web meetings and remote VoIP softphones, the extra latency introduced by hairpinning through a company firewall before going out to the internet can cause a poor end-user experience.
Is VPN Good For (Absolutely) Nothing?
The news is not all bad; it turns out a well-architected Client VPN solution is possible! The rise of cloud computing enables a scalable security solution that a savvy security engineer can adopt for their company. Simply put, the solution consists of one or more virtual firewalls in the cloud, configured with the same industry-standard, best-practice-based authentication mechanisms and security policies used by the corporate physical firewalls. Remote Clients terminate their VPN on the nearest virtual firewall rather than on the corporate edge, and the virtual firewalls are connected back to the corporate network through one or more site-to-site tunnels, so only traffic actually destined for internal resources crosses the business internet circuit. In this scenario, the concerns about bandwidth utilization and performance to reach SaaS applications and other cloud services are minimized, because the virtual firewall sits in the same cloud as, or is directly peered with, the services users are reaching.
Depending on the organization, though, this type of “do it yourself” deployment can take a lot of administrative overhead, especially if the remote workforce is geographically distributed in such a way that multiple appliances in multiple cloud regions are required for good performance.
The newest trend to support secure remote access for Client VPN, while also extending the security boundary to include the Client machine wherever it is located, is known as Secure Access Service Edge, or SASE (pronounced “sassy”) for short. These solutions take the guesswork and administrative overhead out of deploying a distributed Client VPN solution by orchestrating the back-end processes (regional points of presence, scaling, and tunnel management) and by providing consistent security policy between an organization’s on-premises security appliances and the cloud security provided through the SASE platform. Products such as Palo Alto Networks’ Prisma Access, Netskope’s Next Gen SWG, and Cisco’s Umbrella Roaming provide a fast, scalable, and “always-on” VPN solution for Client connectivity and are worth careful consideration as an organization evaluates its remote connectivity strategy.