Like many of you who have been directed to self-isolate amid the COVID-19 pandemic, APNIC staff are working from their homes to reduce the spread of the virus here in Brisbane, Australia.
Because it’s not uncommon for our staff to work remotely, whether it be from home or when travelling, our infrastructure and systems teams have spent years troubleshooting the associated security challenges that you and/or your enterprise might be starting to realize in your own remote working experience.
And because the security of the Internet is everyone’s responsibility, just like mitigating the spread of a certain virus, we thought we’d share some of the lessons we’ve learnt along the way to make sure your network isn’t compromised.
If you haven’t already, set up a VPN
A Virtual Private Network (VPN) with remote desktop access is one of the quickest, easiest and (relatively) safest methods that any enterprise or individual can use to create a secure connection to on-premise services and devices.
Such a setup ensures that VPN clients do not gain access to the full network, while the remote desktop ensures control over access and applications — especially useful if staff are using personal home computers to access the VPN, where you may not have control over the security of the computer.
A longer-term solution is to move to user-authentication as opposed to network authentication. This means that fewer users will need to use a VPN, reducing the need for high-bandwidth VPNs to support many concurrent connections.
User authentication is the premise behind using cloud-based services such as Office 365 and G Suite. As always, careful configuration and security testing of these web services is important before you implement such applications, as they are typically exposed to the public Internet.
VPNs, IPv6 and NATs, oh my!
Staying on the topic of VPNs, there are some common issues that you should be aware of — especially when dealing with home and mobile connectivity — relating to IPv6 and Network Address Translation (NAT).
With regard to the former, make sure your VPN clients and servers/concentrators are configured properly for both IPv4 and IPv6. Even if you don’t think you are using IPv6, you need to make sure it’s configured properly (or turned off) to prevent connections from accidentally leaking. Such misconfigurations may allow:
- Remote users to send IPv6 traffic outside of the encrypted VPN.
- Traffic to reach the VPN server but then exit the corporate network without going through appropriate filters or monitoring.
- Malicious attack traffic to hit the public interface of your VPN server without filtering or monitoring.
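The first misconfiguration in the list above can be checked from a client's routing tables. The following is an added example, not code from the original post: it applies longest-prefix matching to `ip route show` and `ip -6 route show` text and reports any address family whose Internet-bound traffic would leave through an interface other than the VPN. It assumes a full-tunnel policy and Linux output format; the interface names (`tun0`, `wlan0`) and all addresses are constructed.

```python
import ipaddress

def parse_routes(text, default):
    """Parse `ip route show` style output into (network, dev, metric) tuples."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        if "dev" not in tok:
            continue
        try:
            net = ipaddress.ip_network(default if tok[0] == "default" else tok[0])
        except ValueError:
            continue  # typed routes such as "unreachable ..." are not egress paths
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok else 0
        routes.append((net, tok[tok.index("dev") + 1], metric))
    return routes

def egress_dev(routes, addr):
    """Longest-prefix match; among equal prefixes the lowest metric wins."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if ip in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[2]))[1] if hits else None

def leaking_families(v4_text, v6_text, vpn_dev):
    """Return {family: interface} for each family whose Internet traffic bypasses vpn_dev."""
    probes = {"IPv4": (v4_text, "0.0.0.0/0", "198.51.100.1"),
              "IPv6": (v6_text, "::/0", "2001:db8:ffff::1")}
    leaks = {}
    for family, (text, default, probe) in probes.items():
        dev = egress_dev(parse_routes(text, default), probe)
        if dev is not None and dev != vpn_dev:  # None: family has no route at all
            leaks[family] = dev
    return leaks

# Constructed sample tables (not captured from a real host).
V4 = """default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600"""
V6_LEAKY = """2001:db8:1::/64 dev wlan0 proto ra metric 600 pref medium
fe80::/64 dev wlan0 proto kernel metric 600 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium"""
V6_FIXED = V6_LEAKY + "\ndefault dev tun0 metric 50 pref medium"

if __name__ == "__main__":
    print(leaking_families(V4, V6_LEAKY, "tun0"))  # IPv6 leaves via wlan0
    print(leaking_families(V4, V6_FIXED, "tun0"))  # nothing bypasses tun0
```

This reads only the main routing table as text; clients that steer traffic with policy routing rules or firewall marks need those inspected as well.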
NATs are notorious for introducing issues that we don’t like. And given that many homes and mobile devices are most likely connecting to the Internet using NAT, you’re bound to come across this with staff working from home. For this reason, it is good practice to use a public IP pool for VPN access.
Secure storage of data and credentials
Returning to cloud-based applications, if you’re using these in your enterprise you should be using a multi-factor authentication method to secure access to them.
This can be tedious when you’re using multiple apps daily, which is why it’s also worth looking at an integrated cloud identity solution with Single Sign On (SSO) functionality. This will make things seamless, which is what remote workers want, and the best part is that it places a layer of security over the user themselves, regardless of what network or device they operate from.
Finally, you may have recently discovered and started playing with a host of cool cloud-based collaborative tools. While it’s always worth assessing what’s on the market, and how these tools align with your and your organization’s needs, it is important that an enterprise uses as few collaboration tools as possible, to make sure everyone has access to them and is using them consistently.