Here’s a scenario:
All of your Windows devices are deployed via Azure AD Join/AutoPilot. All sign-ins hit Azure AD SSO w/MFA. All work is done on MS Platforms, and other cloud services or self hosted cloud services which auth through SSO. Everyone is remote and AD is hosted where only admins have access and only sync is used for AAD.
Do the client devices still need some type of VPN service if there is no need to hit an internal network? Something like NordVPN etc. to access cloud services?
What would be a recommended best practice for people who wfh?
I’m pretty sure there is always a risk for compromised routers, but how much of a risk is that with HTTPS or proper client device controls/patching?
For your purpose, no, you don’t really need one.
However, NordVPN isn’t the type of VPN you want to use if you are going to use a VPN; that is just for the paranoid who want to obfuscate where they are located in the first place, not for actual security.
Needed no.
Preferable yes.
But something like NordVPN wouldn’t really be the answer either; you want a more controlled and expansive solution that ties in across your entire security solution and endpoint control, maybe something like (iirc) Cisco Umbrella or one of the equivalent competition, maybe something from your current endpoint protection provider to tie in with your current ecosystem.
Our IDS/IPS was on prem, so we piped through it. Having a big pipe helps and never noticed a slow down unless pulling a big DL. MDR agent solution is an option too
Preferable, yes. Our Azure AD/M365 environment is locked down to our public IP only (or Android/iOS devices that are MEM Compliant) through conditional access, and our VPN requires MFA and disables the user’s local gateway.
Security is all about layers. The more layers you have, the harder it is for something to be compromised. That being said, this comes down to the sensitivity of the data vs ease of use. In certain sectors, you absolutely should still use a VPN.
No telling what kind of holes someone has in their home network. IMO the more security you can throw in for WFH the better.
While not necessary, VPNs help protect data from being leaked on public and unsafe networks. Things like email or just logging into a website.
You don’t need a VPN but please, for the love of Pete, enable and lock down the local firewall on the endpoint. There are very dirty home and public networks out there that you don’t want ingress traffic reaching your endpoint.
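As an added example (not posted by anyone in this thread), one way to do the endpoint firewall lockdown this reply asks for, using the built-in Windows NetSecurity cmdlets. It assumes an elevated prompt on an Azure AD joined laptop that needs no inbound services; anything that does need one should get an explicit allow rule from Intune/GPO, not locally.

```powershell
# Run from an elevated PowerShell prompt on the Windows endpoint.
# Assumption: no inbound service (remote support, file sharing, etc.) is required on
# this device. If one is, push an explicit allow rule centrally rather than here.

$profiles = 'Domain', 'Private', 'Public'

# Turn the firewall on for every profile and drop unsolicited inbound traffic by default,
# so a hostile coffee-shop or home LAN cannot reach listening services on the laptop.
Set-NetFirewallProfile -Profile $profiles `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow

# Silence the "allow this app through the firewall?" prompt so users cannot click
# their way to an inbound hole, and (where the rule set is delivered by Intune/GPO)
# keep locally authored rules from being merged into it.
Set-NetFirewallProfile -Profile $profiles `
    -NotifyOnListen False `
    -AllowLocalFirewallRules False `
    -AllowLocalIPsecRules False

# Log dropped inbound packets so the SOC can see what an untrusted network is probing.
Set-NetFirewallProfile -Profile $profiles `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 32767

# Classify every non-domain network as Public so the strictest profile applies
# whenever the device joins a Wi-Fi network it has not seen before.
Get-NetConnectionProfile |
    Where-Object { $_.NetworkCategory -ne 'DomainAuthenticated' } |
    Set-NetConnectionProfile -NetworkCategory Public

# Verify: every profile should now show Enabled=True and DefaultInboundAction=Block.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, NotifyOnListen, LogBlocked |
    Format-Table -AutoSize
```

The same settings map onto the Intune Endpoint Security firewall profile, which is the place to enforce them fleet-wide rather than per device.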
What kind of VPN would you use, if there is no real internal network?
By that I mean there is no head office, “internal” means hosted on Azure, and everyone is remote.
We had IDS/IPS on prem at one point, but the office was closed. At some point we’ll get a new office, but we’re fully remote now, so there is no on-prem end point to connect to.
I am still trying to figure out the risk assessment for this. If someone goes to a Starbucks for example, what could happen? Can traffic be sniffed or https decrypted without compromising the client device in some way?
If the client device is sufficiently locked down (admin privileges, patching, firewall, AppLocker), would only 0-days be the main worry?
Personally, I wouldn’t bother with a VPN in your situation.
My information could be out of date, but here’s what I know / remember:
- We are thankfully long past the days where websites were not using SSL/TLS and thus things like Firesheep existed, which would allow folks on the same open WiFi network to sniff credentials out of cookies in a mass way.
- Since most sites are TLS/SSL, the traffic can not be intercepted by normal means, but attackers are crafty. Things like Evilginx exist that can impersonate websites pretty cleanly. I haven’t labbed Evilginx in a long time to understand how unsuspecting clients interact with it, but I do believe it is still a viable vector. Hopefully fellow redditors can chime in.
- Using a MiFi device is the safest option, because you never really know which WiFi network you can trust. A VPN can help in the sense that if you train your users to always connect to VPN first and to not conduct business if the VPN connection fails, you can avoid shoddy access points/networks (that generally block or attempt to block VPN connections). But how many users will actually care or follow protocol?
  A VPN kill switch may be the ideal solution (if the VPN doesn’t/can’t connect, then the adapter goes offline and doesn’t allow the user to shoot themselves in the foot).
- The main risk from a dirty WiFi network (outside of MITM and poisoning types of attacks) is that if the WiFi network is improperly configured and allows connections between devices on the LAN (or the attacker configured his network that way), then they can probe your device for weaknesses, vulnerabilities, open shares, etc. The hacker could be running automated Kali exploits against common vulns against every device that connects to the network. Or they could use DNS poisoning to lure a user to a website they host that attempts to deliver a drive-by malware payload (thankfully ActiveX and Java in the browser are less prevalent).
It really comes down to your risk tolerance, criticality of the data that needs to be protected, etc. I’ve been in orgs where Sales were the only ones that really traveled and management didn’t take the HotSpot/WiFi threat seriously. I’ve been in other orgs where MiFi devices were strictly required.