Remote work is on the rise


Let's talk about an inexpensive and secure way to connect remote employees via VPN without exposing the company to reputational or financial risk and without creating extra problems for the IT department and company management.

With the development of IT, it has become possible to attract remote employees to an increasing number of positions.

If remote workers used to be mainly people in creative professions, such as designers and copywriters, today an accountant, a legal adviser and many other specialists can safely work from home, visiting the office only when necessary.

But in any case, it is necessary to organize work through a secure channel.

The simplest option: set up a VPN on a server, give the employee a login and password, a VPN certificate or key, and instructions for configuring a VPN client on their computer. The IT department then considers its task complete.

The idea is not bad, except for one thing: the employee has to be able to set everything up on their own. If we are talking about a qualified network application developer, they will most likely cope with the task.

But an accountant, artist, designer, technical writer, architect and a host of other professionals do not need to understand the intricacies of VPN configuration. Either someone has to connect to them remotely and help, or come in person and set everything up on the spot. And if something stops working later, for example because a corrupted user profile wiped the network client settings, the whole procedure has to be repeated from the beginning.

Some companies hand out a laptop with the software already installed and a VPN client configured for remote work. In theory, users should not have administrator rights on it. This solves two tasks at once: employees are guaranteed licensed software that suits their work and a ready-made communication channel, and they cannot change the settings on their own, which reduces the number of calls to technical support.

In some cases this is convenient. With a laptop, for example, you can sit comfortably in a room during the day and work quietly in the kitchen at night so as not to wake anyone up.

What is the main disadvantage? The same thing as the advantage: a mobile device that can be carried around. Users fall into two categories: those who prefer a desktop PC for its power and large monitor, and those who love mobility.

The second group votes for laptops with both hands. Having received a corporate laptop, such employees happily go off to cafes, restaurants and the countryside and try to work from there. If only they worked, rather than using the device as a personal computer for social networks and other entertainment.

Sooner or later a corporate laptop is lost, and with it not only the working information on the hard drive but also the configured VPN access. If the "save password" checkbox is ticked in the VPN client settings, the account is compromised within minutes. When the loss is not discovered immediately, support is not notified immediately, and the employee with the right to block access cannot be found immediately, this can turn into a real disaster.

Sometimes restricting access to information helps. But restricting access does not fully solve the problem of a lost device; it is only a way to reduce the damage when data is disclosed or compromised.

You can use encryption or two-factor authentication, for example with a USB key. On the face of it the idea looks good: if the laptop falls into the wrong hands, its new owner will have to work hard to gain access to the data, including VPN access, and during that time access to the corporate network can be blocked. But new opportunities open up for the remote user: to lose or break the laptop, the access key, or both at once. Formally the level of protection has increased, but technical support will not be bored. In addition, a two-factor authentication (or encryption) kit now has to be purchased for every remote worker.

A separate sad and long story is recovering the cost of lost or damaged laptops (dropped on the floor, soaked in sweet tea or coffee, and other accidents) and lost access keys.

On top of that, a laptop contains mechanical parts, such as the keyboard, USB connectors and the lid hinge holding the screen. All of these wear out over time, deform, become loose and need to be repaired or replaced (most often the entire laptop is replaced).

And now what? Strictly forbid taking the laptop out of the apartment and track its movements?

And why then did they give out a laptop?

One reason is that a laptop is easy to hand over. Let's think of something else that is also compact.

Instead of a laptop, you can hand out secure LiveUSB flash drives with a VPN connection already configured, and the user works on their own computer. But this is a lottery: will the software build run on the user's computer or not? The problem may be as simple as missing drivers.

We need to work out how to connect employees "remotely" in such a way that a person is not tempted to wander around the city with a corporate laptop, but sits at home and works quietly without the risk of forgetting or losing the device entrusted to them somewhere.

Fixed VPN access

What if you hand out neither an end device such as a laptop, nor a separate USB flash drive for the connection, but a network gateway with a VPN client on board?

For example, a ready-made router that supports various protocols and in which the VPN connection has already been configured in advance. The remote employee just needs to connect their computer to it and start working.

What problems does this solve?

  1. Equipment with configured access to the corporate network via VPN is not taken out of the house.
  2. You can connect multiple devices to one VPN channel.

We already noted above that it is nice to be able to move around the apartment with a laptop, but it is often simpler and more convenient to work at a desktop computer.

And you can connect a PC, a laptop, a smartphone, a tablet and even an e-reader to the VPN on the router: everything that supports Wi-Fi or wired Ethernet.

If you look at the situation more broadly, this could be, for example, a connection point for a mini-office where several people can work.

Inside such a secure segment the connected devices can exchange information: you can organize something like a file share, keep normal Internet access, send documents to a shared printer, and so on.

Corporate telephony! How much there is in that sound, echoing somewhere in the handset! A centralized VPN channel shared by several devices lets you connect a smartphone over Wi-Fi and use IP telephony to call short numbers within the corporate network.

Otherwise, you would have to call from a mobile phone or use external applications such as WhatsApp, which does not always comply with corporate security policy.

And since we are talking about security, one more important point is worth noting. With a hardware VPN gateway you gain additional control features at the ingress point, which raises the level of protection and offloads part of the traffic-protection work onto the network gateway.

What solution can Zyxel offer for this case

We are looking for a device that can be loaned to every employee who can and wants to work remotely.

Therefore, such a device should be:

  • inexpensive;
  • reliable (so as not to waste money and time on repairs);
  • available for purchase in retail chains;
  • easy to set up (it is supposed to be used without calling in a specially trained professional).

Doesn't sound very realistic, does it?

However, such a device does exist, and it is freely available for sale: the Zyxel ZyWALL VPN2S.

VPN2S is a VPN firewall that lets you use a private point-to-point connection without complex network configuration.


Figure 1. Appearance of Zyxel ZyWALL VPN2S

Brief specification of the device

Hardware Features

  Ports 10/100/1000 Mbps RJ-45: 3 x LAN, 1 x WAN/LAN, 1 x WAN
  USB ports: 2 x USB 2.0
  Fanless: Yes

System capacity and performance

  SPI firewall throughput: 1.5 Gbps
  VPN throughput: 35 Mbps
  Maximum number of simultaneous TCP sessions: 50000
  Maximum number of concurrent IPsec VPN tunnels [5]: 20
  Customizable zones: Yes
  IPv6 support: Yes
  Maximum number of VLANs: 16

Key Features of the Software

  Multi-WAN load balance/failover: Yes
  Virtual private network (VPN): Yes (IPSec, L2TP over IPSec, PPTP, L2TP, GRE)
  VPN client: IPSec/L2TP/PPTP
  Content filtering: 1 year free
  Firewall: Yes
  VLAN/interface group: Yes
  Bandwidth management: Yes
  Event log and monitoring: Yes
  Cloud Helper: Yes
  Remote control: Yes

Note. The data in the table are based on OPAL BE firmware version 1.12 or later.

What VPN options are supported by ZyWALL VPN2S

As the name suggests, the ZyWALL VPN2S was designed primarily to connect remote employees and mini-branches via VPN.

  • For end users, the L2TP over IPSec VPN protocol is provided.
  • To connect mini-offices, a Site-to-Site IPSec VPN connection is provided.
  • ZyWALL VPN2S can also build an L2TP VPN connection to a service provider for secure Internet access.

It should be noted that this division is quite conditional. For example, you can configure a Site-to-Site IPSec VPN connection for a remote point with a single user inside its perimeter.

Of course, all of this uses strong VPN algorithms (IKEv2 and SHA-2).

Using Multiple WANs

For remote work, the main thing is a stable channel. Unfortunately, with a single communication line, even from the most reliable provider, this cannot be guaranteed.

Problems can be divided into two types:

  • a drop in speed: the Multi-WAN load balancing function helps here by maintaining a stable connection at the required speed;
  • a link failure: the Multi-WAN failover function is used here to ensure fault tolerance through redundancy.

The hardware provides the following for this:

  • The fourth LAN port can be configured as an additional WAN port.
  • The USB port can be used to connect a 3G/4G modem, which provides a backup channel over the cellular network.

Enhance network security

As mentioned above, this is one of the main advantages of using dedicated centralized devices.

ZyWALL VPN2S has an SPI (Stateful Packet Inspection) firewall to counter various types of attacks, including DoS (Denial of Service), attacks using spoofed IP addresses, unauthorized remote access to systems, and suspicious network traffic and packets.
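To make the stateful-inspection behaviour described above concrete, here is an added example that is not Zyxel's code and not part of the original article: a small Python model of an SPI firewall on a gateway's WAN interface. The LAN prefix, the packet records and the SYN threshold are all constructed for the illustration. It shows the three checks the paragraph lists: replies to LAN-initiated flows are allowed back in, unsolicited inbound packets (unauthorized remote access) are dropped, packets arriving on the WAN with a LAN source address (spoofing) are dropped, and a WAN source that keeps sending unsolicited SYNs is blocked as a simple DoS mitigation. NAT rewriting is deliberately ignored to keep the model short.

```python
"""Toy stateful packet inspection (SPI) firewall for a VPN gateway.

Constructed illustration, not a vendor implementation. Models:
  - state created by outbound LAN flows, so only matching replies return;
  - unsolicited inbound packets dropped;
  - WAN packets with a LAN source address dropped (anti-spoofing);
  - a per-source limit on unsolicited inbound SYNs (basic DoS mitigation).
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("192.168.1.0/24")  # constructed LAN prefix for the example


@dataclass(frozen=True)
class Packet:
    iface: str       # "lan" (from inside) or "wan" (from outside)
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for a TCP connection-initiating packet


class SpiFirewall:
    def __init__(self, syn_limit: int = 3):
        # Established flows, keyed (lan_ip, lan_port, remote_ip, remote_port).
        self.table = set()
        self.syn_counts = defaultdict(int)  # unsolicited SYNs per WAN source
        self.blocked = set()                # WAN sources over the SYN limit
        self.syn_limit = syn_limit
        self.log = []                       # human-readable drop records

    def _drop(self, pkt: Packet, reason: str) -> bool:
        self.log.append(
            f"DROP {pkt.iface} {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport} ({reason})")
        return False

    def process(self, pkt: Packet) -> bool:
        """Return True if the packet is forwarded, False if dropped."""
        src = ip_address(pkt.src)
        if pkt.iface == "lan":
            if src not in LAN_NET:
                return self._drop(pkt, "LAN packet with non-LAN source")
            # Outbound traffic creates state so that replies can come back.
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # WAN side: nothing from outside may claim an inside address.
        if src in LAN_NET:
            return self._drop(pkt, "spoofed LAN source on WAN")
        if pkt.src in self.blocked:
            return self._drop(pkt, "source blocked after SYN flood")
        # Reply to a flow the LAN opened earlier?
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return True
        if pkt.syn:
            self.syn_counts[pkt.src] += 1
            if self.syn_counts[pkt.src] > self.syn_limit:
                self.blocked.add(pkt.src)
                return self._drop(pkt, "unsolicited SYN limit exceeded; source blocked")
        return self._drop(pkt, "unsolicited inbound packet")


def run_sample():
    """Run a constructed packet sequence; returns (verdicts, firewall)."""
    fw = SpiFirewall(syn_limit=2)
    verdicts = [
        # LAN host opens HTTPS to an outside server: allowed, state recorded.
        fw.process(Packet("lan", "192.168.1.10", 50000, "203.0.113.5", 443, syn=True)),
        # The server's reply matches the recorded flow: allowed.
        fw.process(Packet("wan", "203.0.113.5", 443, "192.168.1.10", 50000)),
        # Unsolicited inbound RDP attempt: dropped.
        fw.process(Packet("wan", "198.51.100.7", 4444, "192.168.1.10", 3389, syn=True)),
        # WAN packet claiming a LAN source address: dropped as spoofed.
        fw.process(Packet("wan", "192.168.1.20", 1234, "192.168.1.10", 445)),
    ]
    # Three unsolicited SYNs from one source: the third exceeds the limit of 2.
    for port in range(40000, 40003):
        fw.process(Packet("wan", "198.51.100.9", port, "192.168.1.10", 22, syn=True))
    return verdicts, fw


if __name__ == "__main__":
    verdicts, fw = run_sample()
    print(verdicts)
    print("\n".join(fw.log))
```

The `log` list is what a practitioner would actually look at on a real gateway: the drop reasons separate a misconfigured client (reply with no state) from a spoofing or flooding source, which is the difference between a support ticket and a security event.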

As additional protection, the device has content filtering to block user access to suspicious, dangerous and irrelevant content.

Quick and easy 5-step setup with setup wizard

For quick connection setup there is a convenient setup wizard and a graphical interface in several languages.


Figure 2. An example of one of the setup wizard screens.

For quick and efficient management, Zyxel offers a complete set of remote administration utilities that make it easy to configure and monitor the VPN2S.

The ability to clone settings greatly simplifies provisioning several ZyWALL VPN2S devices for handing out to remote employees.

VLAN support

Although the ZyWALL VPN2S is tailored for remote work, it supports VLANs. This increases network security, for example when connecting a sole proprietor's office that has guest Wi-Fi. Standard VLAN features, such as limiting broadcast domains, reducing transmitted traffic and applying security policies, are mostly in demand in corporate networks, but in principle they can also be used in small businesses.

VLAN support is also useful for building a separate network, for example for IP telephony.

The ZyWALL VPN2S device supports the IEEE 802.1Q standard to ensure VLAN operation.

Summing up

The risk of losing a mobile device with a configured VPN channel calls for solutions other than handing out corporate laptops.

The use of compact and inexpensive VPN gateways makes it easy to organize the work of remote employees.

The ZyWALL VPN2S model was originally designed to connect remote employees and small offices.

Useful links

Zyxel VPN2S - video
ZyWALL VPN2S page on Zyxel official website
TEST: VPN2S Small Office Solution + WiFi Hotspot
Telegram chat "Zyxel Club"
Telegram channel "Zyxel News"

Source: habr.com
