read the rest hereWe are now a solid two quarters into our new work-from-home bizarro world. Many companies found themselves in a bit of a pickle as workforces went from occasional or limited to everyone all-the-time, throwing up whatever they could provision to allow for remote access and continued productivity (or at least some semblance of it).
We're well past the emergency stage, folks. For many of us, this will be ongoing and potentially permanent. And the way we do business will have to change—including how we structure our IT operations.
This became extremely clear to me after a conversation with a friend, a line-of-business lead who has been working from home for the past few months. His company was semi-ready for remote work, having moved many employees over to Windows Terminal for desktops a while back. But he personally hadn't transitioned, because much of his work involved a database running on his corporate desktop—on Microsoft Access.
So he was connecting into his own work desktop via Microsoft Remote Desktop Protocol rather than the Terminal Server hosting everyone else's remote desktops. Fortunately, there was a virtual private network guarding his connection to the corporate network. But let's just say the performance of his Remote Desktop Protocol session on the desktop in his cubicle at corporate was sub-optimal.
His is not a unique experience. And there have been many home workers who have used even more precarious means to continue to work from home—the vulnerability search engine Shodan recorded a spike in the number of RDP servers exposed directly to the Internet in the weeks following the start of lock-downs worldwide.
In fact, a recent check found over four million RDP hosts directly exposed to the Internet—and over a million of them in the US. That's a huge pool of potential vulnerabilities, as ransomware operators have consistently targeted Internet-facing RDP in major attacks this year. These aren't, on the whole, systems running within corporate networks; over a quarter were running in cloud environments. But many of the cloud instances were likely gateways to access corporate systems.
We've passed the days long ago when organizations could completely protect themselves by only focusing on the network perimeter. But to adjust to truly distributed operations—with people working remotely as a norm—a few things are going to have to change. IT resources have to be configured to support remote work at a level that is at least comparable to that of in-office networks in terms of application performance, availability, and security. We need to turn IT architecture inside-out.
Instead of starting from an assumption of having a trusted network, organizations are going to have to figure out how to operate without trusting the network at all—what has come to be called the Zero Trust Model. For bigger companies already operating large distributed IT operations, this may mean some significant but not overwhelming changes. For smaller organizations, it's going to flip the table on how they've done IT before.
The rise of working from home en masse has accelerated the need for redefining how organizations secure their applications and data. Forget the network; the whole Internet is the network now, and every endpoint is a potential security risk. It's no longer possible to stop everything at the firewall, or protect against attacks with just anti-virus software on desktops. So it's not just an assumption that attackers are inside the network all the time. No device (or user) should be trusted just based on location to begin with, and that includes those that come into the network via VPN.
When you had a small subset of people working from home or remotely, virtual private network connections offered a way to give them access to resources on corporate systems. But VPNs—at least as most companies use them today—are not a long-term solution for the distributed workplace. Having everyone have to connect to the physical office network to get work done requires a whole new level of networking infrastructure.
And as has been demonstrated repeatedly over the past year, VPNs that don't get timely and proper software maintenance can be a very dangerous thing—the Pulse Secure and Citrix vulnerabilities that persisted for months (and, unfortunately, still exist on some companies' networks) acted as welcome mats for ransomware attacks against a number of unlucky companies even before the big work-from-home push got underway.
There are some basic steps that can be taken to make VPNs less vulnerable, and most of them are things you should have already been doing—multifactor authentication being chief among them. But there's a more important reason to adopt multifactor authentication: as part of a zero-trust friendly identity system that ties together what's inside the corporate domain with the growing portion of stuff that isn't.
Another thing that predates the current situation is the shift toward usage of more cloud-based applications—either in the form of software-as-a-service (SaaS) or as software hosted on infrastructure-as-a-service (IaaS). Even corporate data centers are moving toward a cloud model, though they've been focused inward instead of outward.
A distributed organization living free-range on the Internet requires something of an "everything-as-a-service" approach. For availability and security, cloud services are probably a lot better than having employees VPN in to save files to a network share or running apps through RDP. Putting user files in a company-approved cloud storage—and enforcing its use—is going to help deal with the issue of those applications that absolutely require a desktop application to manipulate them, as well as making collaboration at a distance a lot more practical.
If your business requirements (or your users' expectations) mandate a specific desktop experience, there's also the desktop-as-a-service approach. Services such as Microsoft's Windows Virtual Desktop and Amazon WorkSpaces allow companies to deploy a managed image to the cloud and connect back to corporate resources over a secure connection, allowing remote users to run a virtual desktop interface with strong authentication—and without the need to issue them VPN credentials. With fewer users hitting compute assets inside the corporate firewall and fewer connections to manage than you would have with everyone connecting to an in-house dedicated RDP server, it's far easier to secure. And if you push more enterprise compute into IaaS (with, say, Azure or the Amazon Web Services cloud), it gets even easier.
There are ways to make the experience of using both internally hosted and publicly hosted systems more consistent—and not require a VPN. Akamai's Intelligent Edge Platform, Wandera, and other zero-trust network access systems provide a way for companies to directly manage access to applications inside corporate firewalls without a VPN—only giving access to applications that users are explicitly given permissions for—over encrypted connections.
https://arstechnica.com/features/2020/1 ... ration-03/
If you need to setup remote, check this out
Tutorial: pfsense OpenVPN Configuration For Remote Users 2020
https://www.youtube.com/watch?v=PgielyUFGeQ