Imagine you’re in Medieval times, looking up at a castle you’re charged to protect . Your goal as the Right Hand of the King and Head of Security, is to make recommendations regarding potential vulnerabilities of the kingdom and assess where to apply the limited resources you have toward its defense. You’ve been trained that, “The more hurdles you can present an intruder, the less likely they are to consider an attack”.
First you construct a wall around the kingdom. Then you place guards at the gate and archers on the tower. You clear the forest around the kingdom so that you can spot an intrusion from miles away! You send riders out on a scheduled basis to identify any potential threats. At this point, you’re confident that you’ve provided sufficient protection for the citizens of the realm.
But then you reflect on how some people are more critical to the continued existence of the empire and require added protection. So after digging a moat around the castle, you place the most skilled fighters at the doorstep of the throne room and provide the King with a team of knights to accompany him.
Congratulations! You’ve just utilized a “Defense in Depth” strategy, layering and diversifying security while prioritizing resources based on the “preciousness” of the assets.
This is Network Security 101 and a well-established strategy for administrators. But as common as this practice is, it’s equally uncommon to utilize this method with remote access. So why aren’t we choosing the correct “tool for the job”?
“He that is good with a hammer tends to think everything is a nail.”
– Abraham Maslow –
Administrators have been given a single hammer when they need and entire tool kit! Not every employee in the company needs carte blanche remote access to the network, as a matter of fact, it’s borderline irresponsible to provide that! Just as different assets are protected based on their individual value, employees should be given specific remote access based on their job requirements. For example, sales people may need to access a CRM or invoicing application, an engineer may need to remotely manage multiple PLCs and HMIs that reside in separate networks.
Moreover, a variety of tools should be implemented based on the sensitivity of the assets being protected and level of convenience needed to access them. For example, a web server in a DMZ may only call for the reverse proxy feature of the VPN Portal, while an HMI on critical infrastructure may require the Connect Switchboard. The VPN portal is less secure, but more convenient where the Connect Switchboard requires the extra step of launching the app and entering login credentials. Here’s a reference guide for the various connectivity “tools” that Endian provides.
VPN Portal: Using the reverse proxy feature of the VPN Portal, an administrator can make internal resources available using any web browser. This is considered the most convenient and least secure of all of the options, but appropriate for non-sensitive data access.
VPN Portal With Authentication: Utilizing LDAP or Active Directory authentication, admins can increase the security of reverse proxy by requiring username/password.
Roadwarrior: Issuing remote client software, a generic token and requiring username and password has been standard protocol for traditional VPN. It’s more secure than reverse proxy with authentication as it requires access to download the client and the certificate (token) while providing traffic encryption.
Roadwarrior With 2-Factor Authentication: Adding 2FA to the traditional Roadwarrior connectivity process drastically increases security. Not only is a unique certificate provided for each user, a time-sensitive One-Time-Password is generated and sent to the user’s smartphone.
Connect Switchboard: With traditional VPN, administrators are giving unfettered access to the entire network. The Connect Switchboard allows admins to provide access to very specific applications within a network, review connection history (audit) and immediately terminate all access if required. In essence, the Connect Switchboard provides granular control over user permissions within encrypted tunnels.
Connect Switchboard With 2-Factor Authentication: Adding 2FA to the Connect Switchboard adds next generation authentication with state-of-the-art control over users’ (or groups of users’) access rights.