What are the main justifications to make this a security requirement?
From what I can tell, the justification is to prevent data from being transferred from your internal VPN network to external networks.
Wouldn’t you need more than just full tunnel VPN to enforce that (always on VPN, DLP, web proxy etc.)? Otherwise, the data could still be transferred externally through the VPN or else save the data locally and then transfer it over external networks after disconnecting from the VPN.
The firewall/security appliance can perform MITM inspection & filtering of TLS traffic using a proxy certificate trusted by your endpoints, just as though they were in the office.
Lots of possible justifications that depend on what you're trying to protect against.
It’s a more secure configuration as you can see all of the traffic that an endpoint is passing rather than only the addressed traffic. You could see communication to C&C servers for example. It’s an endpoint security enhancement by onboarding all network traffic.
It isn’t a single solution to DLP but it can help to some degree. That’s not why I would implement it though, frankly nothing is.
With modern EDR tools this is less important than it was a long time ago because you are already doing network inspection at the device level rather than only at the firewall.
Wouldn’t you need more than just full tunnel VPN to enforce that
The threat is when the device is able to communicate with other on-prem resources.
And to answer the second part of that, always on VPNs are a thing. There is also conditional access and DLP technologies to deny access to cloud resources when a computer is not on the VPN.
If you want to see all the traffic all the time, then the VPN would need to be connected all the time. In this case, I’m referring to full tunnel VPN with on demand VPN connections.
Then you have the issue of so many services that either have degraded performance (like teleconferencing, VOIP etc.) or are not supported at all through full tunnel VPN.
What about having a large number of remote laptops pulling their monthly Windows Cumulative Updates through your VPN infrastructure wasting your bandwidth and giving everyone on the WAN connection a poor experience?
To be clear, I’m not arguing for or against full tunnel VPN. What I’m saying is that it depends on what threat vectors you are trying to defend against.
You haven’t indicated that, so there’s no specific element for or against here.
Degradation of performance (increase in latency) and bandwidth considerations are of course the two primary downsides to using it.
The benefit in this regard would be that you’re seeing all communication from the connected machine. If you start seeing traffic to C2C resources or other malicious activity you can programmatically kill the connection to the device in question.
The validity of any configuration should be a Pro/Con consideration, with your actual business requirements driving the discussion.
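The reply above describes the monitoring benefit of a full tunnel: every flow from the endpoint crosses your infrastructure, so a hit against a C2 indicator can be turned into an automated disconnect of that VPN session. The following is an added example of that detection step, not code from anyone in this thread. It assumes a hypothetical key=value flow log from the VPN concentrator (the session id, user, source and destination are the only fields used), a constructed indicator set using documentation IP ranges rather than real IOCs, and a caller-supplied `disconnect` callback standing in for whatever API your concentrator exposes.

```python
import re
from collections import defaultdict

# Constructed sample flow log lines. The format is hypothetical; real appliances
# differ, but most emit some session identifier alongside src/dst per flow.
SAMPLE_LOGS = [
    "ts=2024-05-01T10:00:01Z sess=vpn-1001 user=alice src=10.8.0.12 dst=142.250.0.1 dport=443 proto=tcp",
    "ts=2024-05-01T10:00:03Z sess=vpn-1002 user=bob src=10.8.0.13 dst=203.0.113.45 dport=8443 proto=tcp",
    "ts=2024-05-01T10:00:04Z sess=vpn-1001 user=alice src=10.8.0.12 dst=198.51.100.7 dport=53 proto=udp",
    "ts=2024-05-01T10:00:05Z sess=vpn-1003 user=carol src=10.8.0.14 dst=8.8.8.8 dport=53 proto=udp",
    "this line is deliberately malformed",
]

# Constructed C2 indicator list (documentation addresses, not real indicators).
C2_INDICATORS = {"203.0.113.45", "198.51.100.7"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")
REQUIRED_FIELDS = {"sess", "user", "src", "dst"}


def parse_flow(line):
    """Parse one key=value log line; return None if required fields are missing."""
    fields = dict(FIELD_RE.findall(line))
    if not REQUIRED_FIELDS.issubset(fields):
        return None
    return fields


def sessions_to_kill(lines, indicators):
    """Map VPN session id -> list of (user, dst, dport) hits against the indicator set.

    Only destinations are matched here; a production version would also check
    domains from DNS/proxy logs and JA3/SNI, but the session attribution is the
    part that makes the automated disconnect possible.
    """
    hits = defaultdict(list)
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue  # malformed lines are skipped, not treated as benign or malicious
        if flow["dst"] in indicators:
            hits[flow["sess"]].append((flow["user"], flow["dst"], flow.get("dport")))
    return dict(hits)


def kill_sessions(hits, disconnect):
    """Call disconnect(session_id) once per flagged session; return the ids acted on."""
    killed = []
    for sess in sorted(hits):
        disconnect(sess)  # hypothetical concentrator API call supplied by the caller
        killed.append(sess)
    return killed


if __name__ == "__main__":
    flagged = sessions_to_kill(SAMPLE_LOGS, C2_INDICATORS)
    for sess, reasons in flagged.items():
        print(sess, reasons)
    print("killed:", kill_sessions(flagged, lambda s: print("disconnecting", s)))
```

Note that the disconnect only helps if the offending traffic actually traverses the tunnel; the same logic run against EDR network telemetry gives the attribution without the tunnel, which is the point the later posts raise.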
You were saying an EDR solution can also be used to monitor/block where the traffic is going without actually tunneling the traffic through a VPN tunnel?
I guess the other option would be a split tunnel where you name where the devices are able to go outside of the tunnel (such as Windows Update, Teams/Zoom, your VOIP service etc.) instead of just naming where they can go inside the tunnel and allowing everything outside the tunnel.
No C2C would be accessible and you aren’t ruining pre-approved latency-sensitive services and overloading your WAN bandwidth.
Ok, so an EDR like the ones you listed (I assume others like Qualys EDR too) can provide all the same benefits of full tunnel VPN without the downsides of full tunnel VPN?
So, there should never need to be a scenario where you need both the EDR enabled and full tunnel VPN enforced at the same time.
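The "name what goes outside, tunnel everything else" design described a few posts up is straightforward on clients whose VPN supports an exclusion list, but on WireGuard there is no exclude directive: AllowedIPs is a positive list, so a full tunnel with carve-outs has to be expressed as 0.0.0.0/0 minus the excluded prefixes. The block below is an added example of computing that list; it is not code from this thread or from the WireGuard project. The excluded prefixes are constructed documentation ranges standing in for the update, conferencing and VoIP ranges you would actually look up, and it covers IPv4 only (the same function works for `::/0` with IPv6 exclusions).

```python
import ipaddress

# Constructed carve-outs (documentation ranges, not real vendor address space).
# In practice you populate this from the published IP lists of the services you
# want to keep off the tunnel for latency or bandwidth reasons.
EXCLUDED_PREFIXES = [
    "203.0.113.0/24",    # stands in for a Windows Update CDN range
    "198.51.100.0/25",   # stands in for a Teams/Zoom media range
    "192.0.2.64/26",     # stands in for the VoIP provider
]


def tunnel_routes(excluded, universe="0.0.0.0/0"):
    """Return the minimal set of prefixes covering `universe` minus `excluded`.

    This is the positive route list a "tunnel everything except these" policy
    needs on a client whose VPN has no exclude directive (e.g. WireGuard
    AllowedIPs). Each exclusion splits the containing prefix down to the
    excluded size, keeping the sibling halves.
    """
    nets = [ipaddress.ip_network(universe)]
    for prefix in excluded:
        ex = ipaddress.ip_network(prefix)
        remaining = []
        for net in nets:
            if ex.subnet_of(net):
                # address_exclude yields the siblings left after carving ex out
                remaining.extend(net.address_exclude(ex))
            elif net.subnet_of(ex):
                continue  # this route lies entirely inside an exclusion: drop it
            else:
                remaining.append(net)
        nets = remaining
    return sorted(ipaddress.collapse_addresses(nets))


def allowed_ips(routes):
    """Render the route list as a WireGuard AllowedIPs value."""
    return "AllowedIPs = " + ", ".join(str(r) for r in routes)


def routed_via_tunnel(routes, ip):
    """True if `ip` would be sent into the tunnel under this route list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in r for r in routes)


if __name__ == "__main__":
    routes = tunnel_routes(EXCLUDED_PREFIXES)
    print(len(routes), "routes")
    print(allowed_ips(routes))
    for ip in ("8.8.8.8", "203.0.113.10", "198.51.100.200", "192.0.2.70"):
        print(ip, "tunnel" if routed_via_tunnel(routes, ip) else "direct")
```

The generated list is long (dozens of prefixes) because every carve-out forces a chain of sibling routes, which is why exclusions should be few and wide. The trade-off the thread discusses still applies: any destination you carve out is traffic the firewall never sees, so the exclusions should be reviewed against the same threat model that justified the full tunnel in the first place.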