
Remote Access, Cisco, and You: A brief guide


These are unprecedented and certainly very difficult times for people and businesses, but these are not completely uncharted times.  Many businesses have already had a focus on their employees’ working agility and a long-term vision for collaboration and productivity in disaster scenarios, such as the current office closures faced by many. 

When we think of Disaster Recovery (DR), or enacting Business Continuity Plans (BCP), we generally think of building fires, technical failures or electrical outages, but a pandemic shares many challenges with the more orthodox BCP scenarios and therefore many existing DR/BCP solutions fit well with recent events.

Right now, a quarter or more of the world’s population is under ‘lockdown’ and businesses that do not already have systems in place to enable effective/secure productivity and collaboration (either by Software-as-a-Service (SaaS) or remote access tools) are clamouring to stand up services as best they can.

Microsoft Teams consumption has doubled from November 2019 to March 2020, in no small part due to COVID-19.  However, these products alone are only half the picture.  Many people still need access to their desktop ‘fat’ clients and to corporate shares on localised storage using traditional Network Attached Storage (NAS).  For some this is via virtual desktops and for others this is their laptop/desktop requiring remote access to internal resources – or even a mix of the two.

For ease, cost and speed, it’s clear that companies are often turning to free and/or consumer grade products for remote worker productivity, which may not meet basic security requirements - never mind compliance - such as GDPR.  Businesses should be in no doubt that GDPR is as legally enforceable as it was before COVID-19, and yes, even after Brexit.  Make sure the products you are using come from a vendor with a suitable pedigree and with a proven track record for security implementation and product development.

There are so many products and solutions that it’s not possible to discuss them in a single blog.  I will focus in this instance on remote access Virtual Private Networks (VPN).  Next time I will look at cloud-based collaboration.  Some security best practice principles are understandably transferable between many remote and cloud tools – so apologies if I ever sound like a stuck record.

Here are some tips, considerations and musts for meeting the security challenges of a remote access VPN solution:

  • Flex the products you have where possible, if these are suitable.  Mature installations with existing end-user knowledge will offer a good basis to layer a larger and more secure solution over
  • All access should use multi-factor authentication.  If you absolutely cannot support Multi-factor Authentication (MFA), then ensure you are enforcing strict user password strength.  81% of breaches involve compromised credentials
  • Attempt to enforce corporate security policies end-to-end.  This can be posture checking clients for active anti-virus or using corporate web filtering and anti-malware built-in to remote access clients
  • Control and audit access to selected files and folders (if possible, through an intranet or other document sharing service) and always use the Principle of Least Privilege (PoLP) for access.  This is a primary line of defence in preventing corporate data loss
  • Consider if web filter implementations can also offer Cloud Access Security Broker (CASB) controls and inspection for blocking shadow IT and the uploading of attachments, etc. to websites, which can act as another tier of defence in the prevention of corporate data loss
  • Give remote users a clear written acceptable usage policy, security policy (and user guides) and a communication channel to discuss concerns and questions
  • Make sure access and process ensure secure productivity, in order to help alleviate shadow IT proliferation
  • Keep users informed of security developments.  Lots of COVID-19 related malicious activity exists.  Some great general and COVID-19 related protection/awareness info is – here and here
  • Audit and control access to the remote VPN.  Ensure you are allowing only the needed users and groups at only the correct times and from the expected devices.  Monitor consumption and throughput and ensure you are setting timeouts to automatically disconnect inactive users
  • Use extra security focussed integrations where possible, such as enforcing web filtering, anti-malware, network access control, log capture and analytics, sandboxing and advanced threat protection
  • Don’t forget that as well as the importance of following a vendor validated deployment, many products often need tweaking to ensure the best security, such as removing weak encryption levels left in place by default configurations
  • Make sure user devices are configured for full disk encryption.  Arguably less important to the many people on lockdown, but this is still a vital element in preventing data loss, and obviously still very relevant to the travelling key workers.  This is possible even on Windows 10 Home
  • Maintain the patching of headend and endpoint devices – of course
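
To make the "audit and control access to the remote VPN" tip concrete, here is an added example (not part of the original post, and not Cisco or Novosco code) that checks VPN session records against a policy for allowed groups, login hours, expected devices and idle timeout.  The record format, policy names, thresholds and sample data are all assumptions constructed for illustration.

```python
from datetime import datetime, time, timedelta

# Hypothetical policy; group names, hours and device IDs are assumptions.
POLICY = {
    "allowed_groups": {"vpn-staff", "vpn-admins"},
    "window": (time(7, 0), time(19, 0)),  # permitted login hours
    "known_devices": {"LT-0101", "LT-0102", "LT-0207"},
    "idle_timeout": timedelta(minutes=30),
}

# Constructed sample: user,group,device,login,last activity,logout (blank = connected)
SAMPLE = """\
alice,vpn-staff,LT-0101,2020-04-06T08:55,2020-04-06T17:02,2020-04-06T17:05
bob,vpn-staff,LT-0102,2020-04-06T02:13,2020-04-06T02:40,2020-04-06T02:41
carol,contractors,LT-0207,2020-04-06T09:30,2020-04-06T12:00,2020-04-06T12:10
dave,vpn-admins,HOME-PC,2020-04-06T10:00,2020-04-06T10:20,2020-04-06T10:25
erin,vpn-staff,LT-0207,2020-04-06T09:00,2020-04-06T11:00,
"""

def parse(text):
    fmt = "%Y-%m-%dT%H:%M"
    for line in text.strip().splitlines():
        user, group, device, login, last, logout = line.split(",")
        yield {
            "user": user, "group": group, "device": device,
            "login": datetime.strptime(login, fmt),
            "last_activity": datetime.strptime(last, fmt),
            "logout": datetime.strptime(logout, fmt) if logout else None,
        }

def audit_sessions(sessions, policy, now):
    """Return (user, finding) pairs for every policy violation."""
    findings = []
    start, end = policy["window"]
    for s in sessions:
        if s["group"] not in policy["allowed_groups"]:
            findings.append((s["user"], "group-not-allowed"))
        if not start <= s["login"].time() <= end:
            findings.append((s["user"], "outside-hours"))
        if s["device"] not in policy["known_devices"]:
            findings.append((s["user"], "unknown-device"))
        # Idle gap: last activity to disconnect, or to "now" if still connected.
        idle = (s["logout"] or now) - s["last_activity"]
        if idle > policy["idle_timeout"]:
            findings.append((s["user"], "idle-timeout-not-enforced"))
    return findings

if __name__ == "__main__":
    for user, finding in audit_sessions(parse(SAMPLE), POLICY, datetime(2020, 4, 6, 13, 0)):
        print(f"{user}: {finding}")
```

In practice the records would come from the headend's session or accounting logs, and the findings would feed whatever alerting the business already uses.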

Novosco, a CANCOM company, are a multi-vendor solution-focussed technology supplier.  As mentioned, many vendors have spun up offerings to assist businesses in achieving secure remote access.  Cisco are offering a suite of products with extended free trials, as well as allowing existing customers to flex their license counts to meet the dramatic rise in remote access requirements.

  • New customers can get:
    • 90-day evaluations of Cisco AnyConnect remote access VPN, with a massively discounted virtual ASA to act as the headend (if needed) combined as special bundle packages.
    • Cisco Umbrella DNS Advanced (or full proxy SIG) web filter free for 90-days that can integrate and enforce with the AnyConnect client.
    • Cisco DUO multi-factor authentication free for 30 days with huge discounts on a purchase for the whole year.
  • Existing customers can get until July 1st 2020:
    • Expanded AnyConnect license count for free.
    • Unlimited DUO users for free.
    • Expanded Umbrella user count for free.

Further details from Cisco can be found here.  As a Premier Cisco Partner, we are best placed to assist and advise on how to get functionality out of these offerings, as well as a secure deployment. 

Novosco has a proven record of delivering remote access, virtual infrastructure, collaboration, continuity plans, disaster recovery and more.  We have always ensured that the vital principles of security run through all our customer solutions.  If you need assistance, then please reach out and we will be happy to offer help from our wealth of cross-vendor experience.  Always consider that good security is a multi-tiered holistic approach.  For example, email delivery is still one of the top attack vectors for cyber criminals.  Businesses must consider all angles.

Finally, some essential reading on meeting these new challenges securely can be found from the National Cyber Security Centre (NCSC) here.  Remember, these new remote working practices have inherent security blind spots.  Opportunists will try and exploit fledgling remote working solutions that are not yet securely defined.

Please keep safe, keep happy and keep indoors (where possible of course).  It could be a long summer.

Written by Rick Hagan, Senior Technical Consultant at Novosco.
