VPN, Remote Desktop, Third Party Tools - Myths, Half Truths and more
There is a lot of information flying around on work from home, lots of it conflicting:
VPNs are not enough!
Only use VPN for remote access!
Never use remote desktop
Home computer/bring-your-own-device is never safe!
BYOD is easy
Only use third party remote access tools
etc
Like everything else in IT, the truth lies somewhere in between. We’d like to clarify a few things and make some recommendations to help you make a smart, safe decision.
Must haves:
Multifactor authentication (MFA) is a must. For any remote access, you should always/regularly have to use a second factor (like an app on your phone) to verify access. Google shows that a proper MFA setup stops 100% of automated attacks (this is the reason we include MFA software and require its use with our IT service plans).
We highly recommend taking MFA one step further and implementing a zero trust model. At Clear Guidance, getting from sitting down at our computer to being logged into a client's server requires three separate MFA verifications, each from a different source (one to log in to the workstation, one to access the remote session/logins, and finally one on the client's own network).
Modern software, encryption protocols and security. This means no Windows XP or 7 for example. Using outdated technology exposes you to lots of security flaws, and no additional layer of security can protect it 100%.
A note on personal VPNs: we are skeptical that these bring any benefits worth the trade-offs, and they especially should not be used when accessing company resources. The main reason is that they can create large delays or connectivity issues. The business should have appropriate security safeguards in place so that something like this is unneeded (even in theory).
OK now on to the different remote access tech:
Company VPN
Pros: when properly set up, this is typically the most secure option of all, since it lets you really lock down access.
Cons: typically slower, and can disconnect frequently on poor quality connections. Microsoft includes secure VPN software with Windows Server, but it is very basic on features. More powerful VPN software is typically more expensive than other solutions on this list.
Gotchas: one popular method of access is VPN, then remote desktop to a company computer/server. A VPN can leave a network wide open for access, so make sure yours restricts each user to only the devices and services they need.
Older or out-of-date VPN technology (such as PPTP, or out-of-date OpenVPN/pfSense) can be very insecure.
Remote Desktop - direct and via Gateway (RDGW)
Pros: works easily from almost any device (laptop, desktop, iPad, etc.), and is by far the fastest-performing technology on this list.
Cons: very easy to set up incorrectly. If you are using remote desktop, it should always be secured via VPN or a gateway (RDGW). Direct remote desktop from the internet is one of the biggest security holes you can have, even if it's only locked down to certain IPs.
Gotchas: if there are users accessing from personal machines, we highly recommend using a gateway. There are policies that allow you to block the clipboard, printing and other technology that could result in data leaving the company.
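The two gotchas above (a VPN policy that opens the whole network, and remote desktop published straight to the internet, source-IP restriction or not) are easy to spot in a rule set if you look for them. The script below is an added example written for this article, not code from Clear Guidance or any firewall vendor; it audits a constructed, hypothetical rule set in a vendor-neutral dictionary form and flags both mistakes. The zone names (wan, vpn, lan), host names (rdgw-01, ts-01) and the address 203.0.113.10 are invented for the sample; rule 1 is acceptable because RD Gateway is reached over HTTPS (TCP/443) rather than raw RDP.

```python
"""Audit firewall rules for two remote-access mistakes: RDP (TCP/3389) reachable
from the internet, and VPN policies that allow any destination or any service."""

from dataclasses import dataclass

# Constructed sample rule set (hypothetical, not a real customer configuration).
# Each rule lists source zone/addresses, destination zone/addresses, services, action.
RULES = [
    {"id": 1, "src_zone": "wan", "src": ["any"], "dst_zone": "lan",
     "dst": ["rdgw-01"], "service": ["tcp/443"], "action": "accept"},   # RD Gateway over HTTPS: fine
    {"id": 2, "src_zone": "wan", "src": ["203.0.113.10/32"], "dst_zone": "lan",
     "dst": ["ts-01"], "service": ["tcp/3389"], "action": "accept"},    # direct RDP, IP-restricted: still bad
    {"id": 3, "src_zone": "vpn", "src": ["vpn-users"], "dst_zone": "lan",
     "dst": ["any"], "service": ["any"], "action": "accept"},           # VPN users can reach everything
    {"id": 4, "src_zone": "vpn", "src": ["vpn-users"], "dst_zone": "lan",
     "dst": ["rdgw-01"], "service": ["tcp/443"], "action": "accept"},   # VPN users to the gateway only: fine
    {"id": 5, "src_zone": "wan", "src": ["any"], "dst_zone": "lan",
     "dst": ["any"], "service": ["any"], "action": "deny"},             # default deny: ignored by the audit
]

RDP_SERVICES = {"tcp/3389", "udp/3389", "rdp"}
UNTRUSTED_ZONES = {"wan", "internet"}


@dataclass
class Finding:
    severity: str
    rule_id: int
    message: str


def _is_wildcard(values):
    """True when an address or service list contains an 'any'/'all' entry."""
    return any(v.lower() in ("any", "all") for v in values)


def audit_rule(rule):
    """Return the findings for a single accept rule (deny rules produce none)."""
    findings = []
    if rule["action"] != "accept":
        return findings
    services = {s.lower() for s in rule["service"]}
    exposes_rdp = _is_wildcard(rule["service"]) or bool(services & RDP_SERVICES)

    # Mistake 1: RDP reachable from an untrusted zone. A source-IP allow list is
    # not an acceptable substitute for a VPN or RD Gateway in front of it.
    if rule["src_zone"] in UNTRUSTED_ZONES and exposes_rdp:
        qualifier = ("" if _is_wildcard(rule["src"])
                     else " (source-IP restriction does not make this acceptable)")
        findings.append(Finding("high", rule["id"],
                                "RDP reachable from the internet" + qualifier
                                + "; publish it behind a VPN or RD Gateway instead"))

    # Mistake 2: VPN policy that is not restricted to the hosts and services users need.
    if rule["src_zone"] == "vpn" and (_is_wildcard(rule["dst"]) or _is_wildcard(rule["service"])):
        findings.append(Finding("medium", rule["id"],
                                "VPN policy allows any destination or any service; "
                                "restrict it to the devices and services users actually need"))
    return findings


def audit_rules(rules):
    """Audit a whole rule set and return all findings in rule order."""
    out = []
    for rule in rules:
        out.extend(audit_rule(rule))
    return out


if __name__ == "__main__":
    for f in audit_rules(RULES):
        print(f"[{f.severity.upper()}] rule {f.rule_id}: {f.message}")
```

Run against the sample set, the audit flags rule 2 (direct RDP from the internet, even though it is limited to one address) and rule 3 (VPN users allowed to anything), and passes the RD Gateway rules. Feeding it a real export would require a small adapter that maps your firewall's policy format into the same dictionary shape.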
Third Party access tools (GoToMyPC, Teamviewer, etc.)
Pros: easy to set up; most of these are simplified to the point that they require minimal IT involvement.
Cons: many are hard to centrally manage because they can be (and often are) set up individually. CGP actually blocks many of these tools on our client firewalls for this reason. Additionally, the security record of many is questionable, possibly due to the attention they get. Do thorough research before deploying them (searching the product name plus 'breach' is one key step), and be especially wary of the free versions, which often have big shortcomings.
How does CGP recommend setting up clients?
As part of our monthly service plan, we include one of the most secure firewalls available (Fortinet) and VPN licenses for all users. We deploy as many users on laptops as possible, and they get VPN access. Anyone with desktops at the office connects through a properly locked down RDGW. In the event that more security is needed, we will require a VPN connection before accessing RDGW.
We are still getting calls daily from companies having issues with remote access and are ready to help. Contact us today!