Lessons from securing a remote workforce

By on 2 Apr 2020

Category: Community


Like many of you who have been directed to self-isolate amid the COVID-19 pandemic, APNIC staff are working from their homes to reduce the spread of the virus here in Brisbane, Australia.

Read: APNIC and COVID-19

Because it’s not uncommon for our staff to work remotely, whether it be from home or when travelling, our infrastructure and systems teams have spent years troubleshooting the associated security challenges that you and/or your enterprise might be starting to realize in your own remote working experience.

And because the security of the Internet is everyone’s responsibility, just like mitigating the spread of a certain virus, we thought we’d share some of the lessons we’ve learnt along the way to make sure your network isn’t compromised.

If you haven’t already, set up a VPN

A Virtual Private Network (VPN) with remote desktop access is one of the quickest, easiest and (relatively) safest methods that any enterprise or individual can use to create a secure connection to on-premise services and devices.

Such a setup ensures that VPN clients do not gain access to the full network, while the remote desktop ensures control over access and applications — especially useful if staff are using personal home computers to access the VPN, where you may not have control over the security of the computer.

A longer-term solution is to move to user-authentication as opposed to network authentication. This means that fewer users will need to use a VPN, reducing the need for high-bandwidth VPNs to support many concurrent connections.

User authentication is the premise behind using cloud-based services such as Office 365 and G Suite. As always, careful configuration and security testing of these web services is important before you implement such applications, as they are typically exposed to the public Internet.

VPNs, IPv6 and NATs, oh my!

Staying on the topic of VPNs, there are some common issues that you should be aware of — especially when dealing with home and mobile connectivity — relating to IPv6 and Network Address Translation (NAT).

With regard to the former, make sure your VPN clients and servers/concentrators are configured properly for both IPv4 and IPv6. Even if you don’t think you are using IPv6, you need to make sure it’s configured properly (or turned off) so that connections don’t accidentally leak. Misconfigurations may allow:

  • Remote users to send IPv6 traffic outside of the encrypted VPN. 
  • Traffic to reach the VPN server but then exit the corporate network without going through appropriate filters or monitoring.
  • Malicious attack traffic to hit the public interface of your VPN server without filtering or monitoring.

NATs are notorious for introducing issues that we don’t like. And given that many homes and mobile devices are most likely connecting to the Internet using NAT, you’re bound to come across this with staff working from home. For this reason, it is good practice to use a public IP pool for VPN access.

Secure storage of data and credentials

Returning to cloud-based applications, if you’re using these in your enterprise you should be using a multi-factor authentication method to secure their accessibility.

Quick tip: Skype is ‘double cone NAT capable’, which means it can punch through for two (or more) users who both lie behind a NAT. This can be important when you have to do a conference call with multiple people who are working from home, where it isn’t unusual to stack two Wi-Fi devices and wind up with a NAT inside a NAT.

Multi-factor authentication can be tedious when you’re using multiple apps daily, which is why it’s also worth looking at an integrated cloud identity solution with Single Sign On (SSO) functionality. This will make things seamless — which is what remote workers want — and the best part is that it places a layer of security over the users themselves, regardless of what network or device they operate from.

Finally, you may have recently discovered and started playing with a host of cool cloud-based collaborative tools. While it’s always worth assessing what’s on the market, and how the tools align with your and your organization’s needs, it is important that an enterprise uses as few collaboration tools as possible, to make sure everyone has access to them and is using them consistently.

For more tips check out these handy working-from-home security tips from our friends at the Internet Society and Rule11.

Stay safe! 
