Within a few days, in the spring of 2020, a huge upheaval took place in the workplace. Instead of face-to-face meetings, access to local networks, and informal chats during breaks, employees now started to spend all of their working hours videoconferencing, using home WiFi networks, and trying different ways to keep in touch with colleagues without seeing them in person .
Since many employees currently access company resources frequently from outside their office location, the virtual private network (VPN) has become the central connection point for most employees in a company. However, those with an overview of the threat landscape are concerned about the increased risk of attack for companies and the availability of their services.
Because regardless of the motivation, an attacker will focus on the services that are most important to an organization at any given time.
While a single organization cannot combat the root causes of these attacks on its own, it can prepare for attacks against its online services. There are a number of steps any business can take to protect against cyberattacks:
- Rethink what needs to be behind the VPN – Wherever possible, leverage well-established SaaS-based services for productivity and collaboration tools. This strengthens the independence from the VPN right from the start.
- Establish policies and acceptable use – Employees should be prevented from doing personal chores on their corporate devices and traversing the VPN. This is critical to avoid additional costs and the risk of the network becoming a target.
- Conducting tabletop exercises to understand the DDoS perspective – It is imperative to have a good command on responding to a DDoS attack and follow best practices with dedicated equipment and a managed service rather than relying on luck and noticing an attack until it’s well advanced.
Top 10 VPN Performance and Security Tips
Due to the popularity of remote work, VPN gateways are considered an important lifeline for companies to enable employees to access relevant business applications. But today, the strategy for building a robust VPN infrastructure must go well beyond adding VPN capacity and internet connection bandwidth to mitigate the impact of high demand on performance. Rather, IT teams must be able to quickly analyze resource consumption, prioritize essential services, and quickly identify and resolve performance issues.
1. Installation of bandwidth and throughput quotas
The IT department should establish guidelines for managing remote access, starting with reasonable quotas for bandwidth and throughput per session. Termination capacity, bandwidth and throughput should be scalable as needed.
2. Communicating and Enforcing Acceptable Use Policies
Many office productivity applications do not require VPNs. Applications such as online games and video streaming platforms are definitely prohibited. Split tunnel VPNs, which route all Internet traffic over local home networks , can be effective alternatives.
3. Use of customized access controls
Implementing the VPN concentrator-specific access controls is essential as, for example, a generic SSL/ TLS -based VPN concentrator will have different network policies than an IPSEC -based remote access VPN concentrator.
4. Regionalized Remote Access Infrastructure
For organizations with geographically dispersed employees, a regionalized remote access network infrastructure helps spread the load on the Internet and intranet while providing increased resilience against attacks or other potential service disruptions.
5. Network traffic analysis
Network visibility tools, implemented within the publicly exposed network infrastructure, provide both holistic and granular data that help teams accurately diagnose problems, better allocate bandwidth, and build specific services to mitigate problems.
6. Built-in protection
Large Software-as-a-Service (SaaS) providers often already have DDoS protection in place to maintain the availability of their services. Therefore, the continuous use of SaaS-based services for everyday business applications, content sharing, collaboration and communication is a good idea.
7. Use of Best Current Practices (BCPs)
Implementing BCPs for network infrastructure, servers, and services such as DNS is key to increasing protection against attacks. This requires the use of intelligent DDoS defense systems to protect all publicly accessible servers, services, applications, data and support infrastructures from DDoS attacks.
8. Use of dedicated internet transit connections for VPNs
Using links that are not connected to components such as DNS servers and public-facing websites reduces the likelihood that DDoS attacks will prevent the IT department responsible for remote security from intervening.
9. Remote Access Integration
Remote access mechanisms should integrate with the organization’s authentication, authorization, and billing systems and require the use of multi-factor authentication (MFA) technologies for user access.
10. DNS Naming
Many attackers do their homework before launching targeted DDoS attacks, so using the string “vpn” in DNS resource records for VPN concentrators is like making their job any easier. Instead, opt for a DNS naming convention that provides useful information to operations personnel while keeping attackers in the dark about key functional areas.
