By Mark Webb-Johnson, Chief Technology Officer, Network Box
Given the volatility of the epidemic, we would like to highlight the security issues for remote working and ways we can address these problems.
Network Level Threats
To provide effective access control, we need to differentiate between our staff working outside the office, connecting over the Internet, and other Internet connections (both malicious and legitimate). We also need to protect plaintext application protocols from eavesdropping and tampering while traveling over the public Internet. Typical source IP address or network segment firewall restrictions can’t do this.
The obvious solution to these problems is Virtual Private Network (VPN) technology. Of the options available, SSL (Secure Sockets Layer) VPNs are the clear winner for this type of application. Unlike more complex protocols such as IPsec (Internet Protocol Security), SSL VPNs operate over NAT (Network Address Translation) connections with just a single TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) port required to be opened.
They use the same encryption technologies as those used by your online bank. Authentication is best implemented at several levels:
Base network packet level
Using a simple pre-shared TLS authentication key, shared amongst all users, effectively differentiates US from THEM at the packet level and protects against Denial of Service and similar attacks.
SSL certificates, authenticating the machines
Typically, both client and server-side certificates are used, so both ends of the connection can identify and authenticate each other.
User authentication
Using the traditional username+password method, user authentication securely identifies the user at the client side of the connection (the worker at home). You can typically connect this to your central authentication system to avoid maintaining and controlling a separate set of passwords.
Dual Factor Authentication
Running on top of user authentication, a dual-factor token supplements the ‘something I know’ of username+password with ‘something I have’. This can vastly improve the security of the user authentication mechanism. Unlike a rarely changed password, dual-factor tokens typically change each time they are used or every 30 seconds.
Once the VPN connection has been established, the user, the user’s workstation, and the VPN gateway that the user is connected to are all authenticated. Any traffic passing through the VPN is securely encrypted against eavesdropping and protected against tampering and replay-style attacks. Unlike web gateway style SSL systems, true SSL VPNs connect at the layer 3 network level – enabling both source IP and network segment based access control.
While split-tunnel technology (where traffic destined for the office systems is directed through the VPN, but other general traffic goes to/from the Internet directly) is available, Network Box Security Response does not recommend this approach.
With today’s high-speed Internet connectivity, it is generally safer to direct ALL traffic through the VPN tunnel. This way, the same gateway-based protection systems and policies available to workers in the office can be applied to workers connecting from home or on the road:
- The same anti-malware
- The same URL content filtering policies
- The same firewall policies and controls
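As an added illustration (not Network Box’s own configuration), here is how the layered authentication described above and the full-tunnel recommendation map onto an OpenVPN-style SSL VPN server configuration, with a weak fragment beside a hardened one. The file names, plugin path, the 10.8.0.0/24 tunnel network and the 192.168.10.0/24 office network are assumed placeholders.

```conf
# --- WEAK: one port opened, but no packet-level shared key, no client
# --- certificates, password-only user authentication, and split tunnelling.
# (assumed placeholder file names and networks)
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
verify-client-cert none                    # any Internet host can start a TLS handshake
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login   # password only, no second factor
push "route 192.168.10.0 255.255.255.0"    # split tunnel: only office-bound traffic is protected

# --- HARDENED: the four authentication levels from the text, plus a full tunnel.
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
# Level 1: packet-level key shared by all users. Packets lacking a valid HMAC are
# dropped before any TLS processing, which separates US from THEM and blunts DoS.
tls-auth ta.key 0
tls-version-min 1.2
cipher AES-256-GCM
# Level 2: certificates in both directions. Clients verify the server certificate;
# the server requires a client certificate issued by our CA and checks its purpose,
# so a leaked server certificate cannot be presented as a client certificate.
verify-client-cert require
remote-cert-tls client
# Levels 3 and 4: username+password checked against the central directory via PAM;
# the PAM service (assumed to be configured separately) adds the one-time-token step.
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
# Full tunnel: send ALL client traffic, DNS included, through the gateway so the same
# anti-malware, URL filtering and firewall policies apply as in the office.
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
```

The client side needs the matching `tls-auth ta.key 1`, its own certificate and key, and `remote-cert-tls server` so that it, in turn, verifies it is talking to the real gateway.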
The Infected Workstation Threat
It is good practice to impose the same policies and restrictions on remote workstations as for those workstations in the office. That usually means providing remote workers with a dedicated laptop for office connections. The extra costs involved are generally far less than the costs of a security breach/incident from a less protected workstation, and worker satisfaction is higher.
With VPN connections made at the network level, the same tools and procedures for automated management, application deployment, and updates can be applied as for office workstations. Just beware that network bandwidth may be limited and latency greater. Keeping applications local or using thin client web-based applications can help with this.
Face to Face Verification
When working in the office, we are used to having face-to-face meetings. Instructions are often verbal and easily verified. There is also something inherently ‘human’ about seeing someone’s face and talking to them directly that can never be replicated over email or text messaging. Think about how often you see rude or unacceptable comments/behavior behind online communications’ anonymity versus the last time someone was rude/unacceptable to your face.
However, we do need to be concerned with how that lack of face-to-face contact affects our security. It is far easier to impersonate someone online than in person.
One solution is to use authenticated communications (in particular for financial or otherwise sensitive messages). Email is notoriously insecure, and it is trivial to impersonate someone, but security can be strengthened using digital signatures. While complex to set up and often hard for users to understand, PGP/GnuPG (Pretty Good Privacy/GNU Privacy Guard) and SSL certificates offer two ways of doing this for more sophisticated users.
An alternative is to implement a separate verification mechanism using natively secure messaging systems such as telephone calls, instant messaging (WhatsApp, LINE, etc.), or video calls. Make sure procedures are in place to verify all potentially damaging instructions via a different channel from the one in which the instructions were first received. In this way, you can protect yourself against phishing and other fraudulent financial attacks.
Building on SSL VPN’s core technology, you can safely and securely integrate remote workstations and workers into your office and data centre systems. Plan for the worst, and make sure that you have disaster recovery systems in place to facilitate business continuity and working from home, even if your workers are currently in the office.
Video conferencing systems are now easy to deploy, cost-effective, and widely available – Skype, GoToMeeting, Zoom, Microsoft Teams, WhatsApp, etc. Whatever the technology, encourage and facilitate their use within your organization. They can help bring local and remote workers together, improving both their social interactions and security.
Bandwidth is cheap compared with the cost of an organizational compromise.
Mark Webb-Johnson is the co-founder and Chief Technology Officer of Network Box. It is Mark’s technical genius that drives the cybersecurity innovation at Network Box. He and his team constantly come up with the solutions that keep Network Box ahead of the rest. Over the years, Mark has taken on numerous projects and extremely difficult technology problems, and always come up with an elegant solution. It is hardly any wonder he won the Lord Hailsham Prize for Computer Science.