Problem to Solve: What can we do to protect VPN connections, remote employees working @ home, and B2B links from Cybersecurity / Hacktivism?
So what happens when these happy dwarfs have their remote services impacted by Cybersecurity attack or application issue? Well … first imagine them all becoming “Grumpy dwarfs”. Then, a few new names for the dwarfs magically come to mind such as Whiney, Complainey, Angry, Costly, and Unproductivey. Grumpy and Dopey get to stay just because they are just too classic.
What are the issues that affect the happiness of the remote dwarfs?
VPN Link – (Virtual Private Network)
Obviously, the main link coming into the company will be the Internet link. VPN users usually access the VPN concentrators to authenticate, negotiate, and establish communications to company services and information. Remote workers access ERP systems, email, HR/Payroll, databases, call centers, conferencing platforms, etc. Many companies use the work-from-home “perk” to attract new talent and also keep their valuable employees productive while traveling, on sick leave, etc. Other firms are using the work-from-home concept to actually reduce the costs of traditional office space. The bottom line for a work-from-home option to be effective, is that the company’s information and services need to accessible for remote users.
So, what happens when the bad guys create a DDOS attack on your Internet link?
A service disruption affects the internal users from accessing outbound sites, but also prevents remote users from getting IN to the company VPN. See the “Protect the Network Highway” article for details, http://problemsolverblog.czekaj.org/troubleshooting/protect-highway-critical-links-hacktivism-part-2/. Also, don’t forget that many companies also leverage the VPN to create B2B (Business to Business connections) with their partners and suppliers.
Another problem set that can affect remote VPN users is when network services become unavailable. Impairments or cyber attacks against basic service enablers such as DNS or Active Directory (LDAP) will do 2 things quickly. It prevents remote users from “getting where they need to go” or even authenticating into the network itself. Network services are often taken for granted. A service disruption or attack causes significant grief for both internal and remote VPN users.
So the good news is that the remote user was able to access the VPN via the Internet. They were also able to authenticate to the network. The bad news is that they complained about not being able to get their email, ERP system or critical Powerpoint, Excel, or Word files. The first question customers typically want to know is does this issue affect only remote users, a subset of users, or is this a company wide issue?
Unified Communications (UC) Services
Many companies are deploying remote unified communications platforms and soft phones for their remote staff and call agents. This can be a dicey issue if not properly architected, as VoIP protocols will commonly use UDP for transport. For remote users, this can be particularly troubling as packet loss will often cause voice quality issues. Keeping an eye on metrics like Mean Opinion Score (MOS), packet loss and jitter can be very useful in determining a network or cyber event unfolding.
What Can You Do ?
Having a methodology for triaging these types of remote user situations will serve you well. This is what we typically recommend to keep the “dwarfs smiling, singing and happy“.
1 – Instrument Decrypted Side of the VPN link. – Install a TAP (first choice) or a SPAN port (second choice) to connect to the APM NPM instrumentation. VPN’s create and use encrypted traffic, so place the APM NPM instrumentation on the decrypted side of the VPN concentrator. This model provides full visibility into remote user traffic and applications, and latency. The approach will allow you to troubleshoot application, UC and Network service issues, as well as provide a continuous packet stream. The recorded packets can be used for Cyber attack reconstruction purposes should a remote link be compromised.
2 – Enable Anomaly Detection on the VPN link. – Use the APM NPM solution analytics capabilities to look for changes in traffic utilization, application response times, “new” traffic patterns and ports, TCP metrics, volume spikes, Transaction failures, etc. This approach can also be helpful in identifying high volumes of traffic leaving the data center such as Malware calling home or data exfiltration attempts. Using the anomaly detection capabilities to flush out issues before they affect your remote users and B2B partners increases your operational efficiency for both network and security operations.
3 – Setup Communities of Remote Users / Sites. – Create definitions that tie remote IP subnets to easily recognizable communities of users and remote sites. While an obvious configuration step, the value of this step is extreme during a triage effort that shall we say has “executive visibility”. This step provides quick triage and answers the question, “Does this affect subsets of users, just remote users, or the whole company“. Having this information will help facilitate targeting on the actual probable cause of the issue. Really savvy customers will connect these types of definitions into a CMDB, or at least into their DHCP server scopes to provide some automation to their cause.
4 – Create Dashboards for Remote User Services. – APM and NPM solutions will almost always have some dashboard functionality, as they are very easy to read and comprehend. We recommend that customers create dashboards that define various remote user locations and services. This small effort provides an excellent services view of the performance of the applications, network and Unified Communications. Secondarily, it provides a web accessible service dashboard that remote users can view and see how things are running. This helps alleviate unnecessary help desk calls and is just plain efficient.
5 – Have a Remote Triage Option. – Have a dedicated piece of remote troubleshooting hardware (PC or tablet style) that can be shipped to remote sites experiencing issues. If an issue cannot be diagnosed from the head end VPN side of the traffic, sometimes it needs to be triaged locally. Sending out a specific unit to address localized issues that addresses both wired and wireless troubleshooting will make your life easier. It sometimes is the only effective way to keep the dwarfs happy. 🙂
Points to Ponder
- Have a juicy story of remote site or user issue to share with the class?
- Have other effective options or suggestions for addressing these types of issues?
Continue on to the next article in the series, “Looking for the Unknown Anomaly”