In response to the urgent need for enterprises to rapidly scale a remote workforce, many organizations instinctively turned to virtual private networks (VPNs).
This initially made some sense. After all, VPNs were already in place at many organizations. They had historically done an adequate job, mostly because they were used so infrequently and weren’t the primary way of working. But as the global pandemic forced companies to move massive numbers of staff onto VPN, cybercriminals immediately began preying on the personal devices and relatively insecure consumer networks those staff were using.
This trend is decreasing the time to productivity. Whenever a company sets up a VPN for remote users, an inevitable and important decision is whether to support split tunneling. Split tunneling is a real concern for companies that now have to trust more home networks while also dealing with bandwidth constraints. It affects two major elements of an enterprise’s work-from-home effort: security and productivity.
Security must be your No.1 priority
If you split the tunnel, you’re going to reduce the overall bandwidth load on your VPN concentrator. Only traffic that needs to come over the VPN will do so, meaning user activities that aren’t work-related won’t consume enterprise bandwidth. Plus, anything external to your network that’s latency-sensitive won’t suffer the additional latency of tunneling everything over the VPN to the corporate network and back out to the Internet, along with the return traffic. Users get the best network performance, and the company consumes less bandwidth.
If that all sounds great, keep in mind it comes with a rather large caveat: If security is supposed to monitor all network traffic, or even just filter traffic to protect users from malware and other Internet threats, users who are split tunneling won’t get this protection. That’s because security won’t be able to monitor traffic for threats or inappropriate activity.
One well-known yet dangerous security threat that VPNs are ill-equipped to handle is the Man in the Middle (MITM) attack. These attacks involve cybercrooks positioning themselves in the dialogue between an application and a user. Users on open networks – such as hotel wireless or hotspots – transmit much of their traffic in the clear: traffic to websites using HTTPS is protected, but other traffic is not.
For the sake of argument, let’s say your Vice President (VP) connects an L2TP/IPsec VPN session into the company network, then receives a message about free toilet paper that links to a phishing website. Instead of dropping the secure session before browsing to the website, the VP leaves the session connected. Once the web browser is opened, the VP uses HTTP on TCP port 80, which travels outside the tunnel unencrypted and is being intercepted by an ongoing MITM attack. This means that while the web browser is open, the originator of the MITM attack can easily access our VP’s desktop.
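As an added illustration of the trade-off described above (not code from this post or from Tehama), the following checker takes a constructed set of flows from one remote session and shows which ones a split-tunnel route policy sends outside the VPN, and which of those are plaintext (the port-80 HTTP case) and therefore both uninspected by corporate security and exposed to an on-path attacker on the local network. The prefixes, addresses, ports and flow labels are all assumed or constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed policies (not from any real deployment): a split tunnel pushes
# only the corporate prefixes into the VPN; a full tunnel pushes everything.
SPLIT_TUNNEL = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12")]
FULL_TUNNEL = [ipaddress.ip_network("0.0.0.0/0")]

# Destination ports whose payload crosses the wire unencrypted; 80/HTTP is the
# case the text describes, the others are well-known plaintext services.
PLAINTEXT_PORTS = {80: "HTTP", 21: "FTP", 23: "Telnet"}


@dataclass
class Flow:
    dst: str    # destination IPv4 address
    port: int   # destination TCP port
    label: str  # human-readable description (constructed)


def routed_via_vpn(dst: str, vpn_routes) -> bool:
    """True if the destination falls inside a prefix pushed into the tunnel."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in vpn_routes)


def classify(flow: Flow, vpn_routes) -> str:
    """Classify a flow as 'tunneled', 'direct-encrypted' or 'direct-plaintext'."""
    if routed_via_vpn(flow.dst, vpn_routes):
        return "tunneled"          # inspected by the corporate security stack
    if flow.port in PLAINTEXT_PORTS:
        return "direct-plaintext"  # uninspected AND readable/modifiable on the local network
    return "direct-encrypted"      # uninspected, but not readable on the local network


def assess(flows: List[Flow], vpn_routes) -> Dict[str, List[str]]:
    """Group flow descriptions by classification so the trade-off is visible at a glance."""
    report: Dict[str, List[str]] = {"tunneled": [], "direct-encrypted": [], "direct-plaintext": []}
    for f in flows:
        report[classify(f, vpn_routes)].append(f"{f.label} ({f.dst}:{f.port})")
    return report


# Constructed sample flows from one remote user's session (documentation IP ranges).
SAMPLE_FLOWS = [
    Flow("10.20.30.40", 443, "intranet HR app"),
    Flow("203.0.113.10", 80, "link from the phishing e-mail, plain HTTP"),
    Flow("203.0.113.20", 443, "public HTTPS site"),
    Flow("198.51.100.5", 443, "video call"),
]

if __name__ == "__main__":
    for name, routes in (("split tunnel", SPLIT_TUNNEL), ("full tunnel", FULL_TUNNEL)):
        print(name, assess(SAMPLE_FLOWS, routes))
```

Under the split policy only the intranet flow is tunneled and the HTTP flow lands in the direct-plaintext bucket; under the full policy every flow is tunneled, which is exactly the bandwidth cost the next section describes.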
How Fortnite and other high-bandwidth entertainment is slowing WFH productivity
Split tunneling isn’t just a security concern, however. It can also have major implications on productivity.
A large remote workforce often consumes significant bandwidth if the tunnel isn’t split. An overload of user traffic causes frequent drops in transfer speed: one minute we're surfing the web and the next everything just stops – often because someone else forgot to disconnect the VPN while playing Fortnite or Call of Duty. Websites remain reachable, but everything seems to load very slowly.
You’ll also experience interrupted connections, meaning some websites just won't load at all. And it’s not just about video games, of course: streaming audio and video and real-time applications each add additional latency that could be the difference between functional and broken.
A more effective way to defend against MITM attacks when you must enable split tunneling is a Tehama Internet-Only Room. VPN clients inside a Tehama Room have a smaller attack surface than VPN clients on a home PC. A Tehama Room includes always-on security for both network access and web traffic. It offers a dependable security framework by encrypting all traffic from the user device through a virtual desktop, whether it’s going to a data center, the cloud, or the web. Installing your VPN inside the desktop allows you to micro-segment enterprise network access within the virtual desktop. This benefits both the enterprise and the end user: all data-center-destined traffic goes over the VPN, while internet traffic can be controlled on the desktop and use the room’s faster bandwidth (up to 1 Gbps), reducing stress on home networks. Personal devices don’t need to be included inside the enterprise perimeter, and video calls or other high-bandwidth activities can happen outside the corporate VPN on the local desktop.
A perfect storm of network demand – solved
Enterprises that already had remote work solutions have still had to suddenly ramp up user licensing and infrastructure to meet today’s unprecedented demand. This has created a perfect storm: enterprises need resources to implement these technologies, while technology companies have to either ship that infrastructure or provision additional bandwidth. The stakes are of the highest order because we’re all trying to support an incredibly fragile economy during this pandemic. Many governments have even relaxed data-protection regulations on PII such as health information or PCI data to reduce time to productivity.
Tehama Rooms, however, are built around a zero-trust architecture that provides each user with a unique, fixed identity for one-to-one desktop connections. These desktops are dynamically provisioned on demand. Access is impossible unless explicitly granted, and any access granted is continually verified at the packet level. With VPNs less able to protect IT resources and applications during this pandemic, Tehama Rooms are emerging as the superior alternative or augmentation to traditional VPNs.
By allowing organizations to standardize remote access security for all users while reducing the risk of potential attacks, Tehama’s virtual office technology offers a compelling new way to achieve secure remote access.
We have an upcoming webinar that will explore how businesses today are using the right technology to transform and sustain a virtual workforce.
Here are the details:
Presented by Tehama and Teradici
Sustaining a Virtual Workplace of the Future
How organizations are transforming to sustain work from home technology indefinitely
Monday, April 27 at 2 pm ET.
Host: Gene Villeneuve, CRO, Tehama
Paul Austin, Director Global Channels, Teradici
Aaron Spradlin, Co-Founder and Chief Visionary Officer, cleverDome
Dane Young, Entrepreneur/Strategist/Consultant, YOUNGTECH
Jaymes Davis, Director of Product Strategy, Tehama