Many of us believe that a Virtual Private Network (VPN) alone is enough to protect users who connect from a coffee shop, hotel, or other public network. Relying on the VPN by itself, however, can leave the user’s laptop open to attackers on that network and, through the laptop, your entire organization.
VPNs have long been a staple for securing connections from public networks. By adding the complementary controls described in this article, you can close the gaps a VPN leaves open and stay ahead of emerging threats.
The goal of this article is to give you the insight and strategies to support your IT team’s efforts. By equipping them with the right tools and knowledge, you can raise your organization’s cybersecurity posture. Remember, cybersecurity is a dynamic, ever-changing domain that demands continuous adaptation and vigilance.
Introduction:
A VPN, a virtual private network, provides privacy for traffic crossing untrusted networks and the Internet by encrypting data between the user’s device and the company network. It functions as a network connection from one point to another. In the case of a remote access VPN, those two points are the user’s laptop and your company’s VPN terminus in your data center or elsewhere.
Many companies allow or encourage remote users to connect via VPN while out of the office, under the impression that the VPN alone protects them from the security risks of a public network.
A VPN protects data in transit. It does not protect the laptop from the other devices on the local network, such as the other patrons and equipment on a public Wi-Fi network. The evolving nature of cybersecurity threats means additional measures are necessary.
The often-overlooked risk is that while the laptop is connected to a public network, even with the VPN up, its Wi-Fi interface still holds an address on that network. Unless the VPN client or the host firewall explicitly blocks local traffic, anything else on the network can reach the services the laptop exposes, so it remains open to network sweeps, vulnerability scans, and other network attacks. VPNs still play an essential role by encrypting traffic; they simply do not address this exposure.
Ideally, users should avoid connecting to public networks at all. If connecting to a public network is necessary, it is crucial to add controls, such as a properly configured small hardware firewall, that protect the laptop against network attacks.
Real-World Ways Attackers Breach VPN Users on Public Networks:
Here are three illustrative scenarios, each built around a real vulnerability or malware family, showing how threat actors can attack workers who connect to a public network using a VPN:
Attacking a VPN Client via Airport Wi-Fi:
Advanced Persistent Threat (APT) groups actively target enterprise VPN vulnerabilities; the attacks on Ivanti VPN appliances in early 2024 are a recent example. Those flaws were in the VPN gateway rather than the client, but the client side needs the same patching discipline. Picture an employee at an international airport who connects to the corporate network using VPN client software with an unpatched vulnerability. An attacker on the airport network exploits that flaw to run code on the employee’s laptop and install malware. The encrypted tunnel is never broken; the attacker simply now controls an endpoint that is allowed to use it, and uses it to reach into the company’s network, steal proprietary manufacturing processes and trade secrets, and cause significant financial loss and a major incident response.
Attacking and Breaching VPN Users on Public Library Wi-Fi:
PrintNightmare, a severe flaw in the Windows Print Spooler service, is reachable over the network from any device that can talk to the laptop, including one on the same Wi-Fi, and the VPN does nothing to stop that. (The remote code execution variant needs valid credentials on the target, which is one reason an exposed service combined with weak or reused passwords is so dangerous.) Picture an employee of a prestigious law firm working from a public library, using the corporate VPN to reach internal resources. Attackers on the same network exploit PrintNightmare to execute code on the employee’s laptop, then ride the VPN into the firm’s network, reaching confidential client information and case details. The result is legal exposure, reputational damage, and a thorough overhaul of the firm’s security practices.
Tech Company Infiltrated via Coffee Shop Wi-Fi:
Mirai is a botnet malware family that takes over poorly secured Internet-connected devices (cameras, routers, and similar), and such devices are common on guest networks. Mirai itself infects embedded Linux devices, not Windows laptops, but whoever controls an infected device on the network has a foothold from which to scan and attack every other client on it. Picture an employee of a tech company connecting to the office VPN from a coffee shop whose network contains Mirai-infected devices. The attacker behind them finds the employee’s laptop running an outdated, unpatched version of Windows and compromises it. From the laptop, the attacker uses the VPN connection to reach the company’s network, leading to data theft and unauthorized access to sensitive projects. The company must enforce stricter security protocols and undergo a comprehensive network data discovery and clean-up.
The Core Issue with VPNs on Public Networks:
VPNs play a vital role in maintaining privacy by encrypting data in transit. They do not protect you from the local threats found on public networks like those in coffee shops, hotels, or airports. Complementing the VPN with additional tools, such as travel routers or cellular hotspots, as explained below, can significantly mitigate these risks.
Simplifying the VPN Concept:
Some think of a VPN as a tunnel through the Internet that provides a network connection. This tunnel can allow you to work as if you were connected in person at your office, but remember, the VPN provides privacy for your data but not comprehensive security for your laptop.
Understanding the VPN Paradox to Prevent Breaches
The common belief that a VPN alone guarantees security in a coffee shop scenario is not only incomplete – it’s potentially dangerous. Addressing this belief is crucial for your company’s cybersecurity.
The Danger of a False Sense of Security
When workers believe that a VPN makes them secure, they may unknowingly increase their risk by connecting to insecure networks, thinking they are safe. This false sense of security can lead to substantial cybersecurity incidents within an organization.
Solutions for Executives to Consider:
Two relatively simple solutions help remote users stay secure. The first is to keep them off the coffee shop, hotel, or other public network altogether by having them connect through a mobile phone or cellular hotspot. The second, where the public network must be used, is to issue each user a properly configured small hardware firewall, and train them to use it, so their laptop is shielded from the risks of the public network.
Addressing these challenges with your IT Team can strengthen your defenses against sophisticated cyber threats. Implementing portable hardware firewalls or alternative connectivity options can bolster users’ security as they work remotely.
Introduction to Ways to Help Keep Remote Users and VPNs Secure:
What follows is detailed information, in plain English, for executives and IT pros who want to understand the risks and how to protect remote users who connect through a remote access VPN. Letting users rely on a VPN alone on a public network could result in a breach at your organization, which is the reason for this document.
Actionable Steps:
This article’s purpose is to highlight the security improvement gained by keeping users off public networks or, if they must connect, by placing a hardware firewall between them and the public network.
A threat actor doesn’t need to be sitting in the coffee shop. The attack can originate from an innocent patron’s laptop that has been compromised without their knowledge, or from a malicious program or service running on any other device connected to the guest network.
To avoid connecting to the public network, users can tether to their properly configured phone or use a cellular hotspot from the coffee shop, hotel, or other public area. Cellular networks have security concerns of their own, such as fake cellular towers or insiders at the carrier, but a cellular connection is arguably more secure than public Wi-Fi. One caveat: a phone hotspot is itself a small Wi-Fi network, so it must be protected with WPA2 or WPA3 and a strong, unique password, or it simply becomes another public network with the user’s laptop on it. The benefit of this method is how quick and convenient the connection is. Drawbacks include the need for a reliable cellular signal and potentially higher recurring data charges. If the user exceeds the carrier’s monthly data limit, the carrier may throttle (slow down) the connection for the rest of the month.
If the user doesn’t have access to a cellular connection, wants to avoid wireless carrier fees, or needs the public network for any other reason, they can use a portable firewall, commonly sold as a travel router, to isolate their laptop from the public network. Useful travel routers are available for a one-time purchase of less than $100. Keep in mind that the user’s throughput is then limited by the public network, and a VPN running over it adds a little more overhead. Public network speeds vary greatly, as do cellular data speeds, even at different times of day.
It is essential to note that while travel routers and firewalls can help mitigate many risks, they must be appropriately configured to be effective. Their configuration screens can be complex, potentially leading to insecure configurations. A user with an improperly configured travel router connection is dangerous since the user might have a false sense of security. It is essential to involve your IT Team in the planning, configuring, and deploying travel routers, as well as the necessary training for users to use the devices securely.
Using a travel router requires some additional user training to complete three steps. After powering on the device, the user first connects their laptop to the travel router’s own Wi-Fi (or to one of its Ethernet ports; many travel routers accept both) exactly as they would connect to a cellular hotspot or any other Wi-Fi network. This is a relatively simple process and will likely be the same routine for the life of the travel router. The second step is for the user to open the travel router’s administration page in their browser and join the router to the public network by name. This step is potentially precarious because of the complexity of the configuration screens on some travel routers, so your IT team must be involved in creating precise documentation, training users, and pre-configuring the devices: in particular, the router’s own Wi-Fi should use WPA2 or WPA3 with a unique passphrase, its default administrator password must be changed, and its firmware kept current. Third, if the public network requires a login, such as a room number and last name at a hotel, the user completes that login. If the hotel login page doesn’t appear on its own, opening a new browser tab to neverssl.com or nossl.com will usually cause it to pop up.
From the public network’s point of view, only the travel router is connected; the laptop sits behind the router’s firewall and address translation and is not directly reachable from the public network. The user then works as usual. The connection process is quick when the user frequents the same hotspots, and even at a new network a trained user usually gets through the three steps in about five minutes.
VPNs are essential for encrypting data and protecting privacy, including the sites users visit while connected to a network. Users wishing to use a VPN to control privacy can use the VPN client on their laptop as usual. This applies whether the user uses their cellular connection or a travel router. Many travel routers include a VPN feature, too. Secure Access Service Edge (SASE), pronounced sassy, is a technology that provides a more comprehensive approach to secure access that can sometimes replace traditional remote connection strategies. Everything in this article about protecting a user’s laptop from security threats against the public network connection still applies in SASE.
Technologies that sound like alphabet soup and are explained below, such as IDS (Intrusion Detection System), IPS (Intrusion Prevention System), EDR (Endpoint Detection and Response), and XDR (Extended Detection and Response), can help protect the laptop against threats potentially lurking on public networks. However, attackers also obtain these protection tools. They are constantly probing for weaknesses they can exploit, so you must continue to use additional tools and techniques to protect your organization in a layered approach. And the necessity of maintaining and monitoring those technologies can create a significant burden on your IT Team. More on that below.
Multi-factor Authentication is Not a Shield:
Multi-factor authentication (MFA), such as a text message code or an authenticator app, is an essential part of your cybersecurity strategy that you must adopt immediately if it isn’t already in use (an authenticator app or hardware security key is stronger than a text message, which can be intercepted or redirected). MFA secures the authentication step; it does not address network attacks or any other route by which an attacker could compromise the laptop. Once the laptop is compromised, the attacker does not need to defeat MFA at all: they wait for the legitimate user to log in, completing the MFA prompt on the attacker’s behalf, and then use the user’s authenticated session with the same level of access. The point is that MFA is an essential, if not mandatory, control, but it does not protect the user against network attacks on a public network.
For those of you familiar with my articles, you know my focus is to present cybersecurity topics in non-technical terms. The following section is more technical than usual. Consider passing this along to your IT team if they want more technical details.
The Technical Details to Protect Yourself and Your Organization
In the next portion of this document, we’ll explore configuring the data center’s networking environment and the remote hosts to make using a remote access VPN safer.
Quick Definitions Used in this Document
- Remote Access VPN: This type of VPN lets an individual connect to their company’s network, unlike a site-to-site VPN, which connects two office locations or data centers.
- Unmanaged Computer: A computer that is not maintained by your IT professionals with their specialized knowledge and tools. These endpoints are more vulnerable.
- Public Network: Think coffee shops, cruise ships, resorts, hotels, airports, etc.
- MFA (Multi-factor Authentication): Adds a layer of security to the authentication process beyond just a password. Examples include a code sent by text message or generated by an authenticator app on your phone. MFA does not shield you from a device on the same network scanning your laptop for vulnerabilities and security misconfigurations.
The Core Issue with Remote Access VPNs
A significant concern with remote access VPNs is that attackers gain the same access as the remote user if a remote host is compromised.
Protective Strategies
Please keep reading to learn how to safeguard your network and host computers, ensuring they don’t become conduits for attackers to infiltrate your network.
Part 1: Fortifying User Devices Against Infection: Such as Protecting the User at the Coffee Shop
While a VPN doesn’t inherently secure a device on a public network, the following measures can bolster your device’s security:
- Fundamental Cybersecurity Controls on Endpoints: Apply the core controls to every laptop. Install critical security updates promptly after release. Use application control to restrict which programs can run, so an attacker’s tools are blocked. Prevent users from installing applications, through their permissions or with third-party tools. Run only the services the user actually needs and disable the rest. Block inbound connections to every port that is not explicitly required; on Windows, this means treating every non-domain network as a Public profile network with a default inbound block. Follow other cybersecurity best practices.
- Endpoint Protection: Some organizations deploy intrusion detection and prevention (IDS/IPS) agents on remote users’ devices. Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) agents on the laptops add security by watching for malicious behavior and for indicators of compromise (IoCs), the evidence that an attacker is working on a system. EDR/XDR is designed to identify, isolate, and mitigate threats. Response options range from stopping the threat by killing processes and services to quarantining the device from the network until the IT team can investigate. If there is any indication the device was compromised, the thorough response is to erase and reload it; some organizations automate workstation provisioning to make this painless. IDS, IPS, EDR, and XDR must be effectively monitored, managed, and updated, and many organizations ease that burden by engaging a third-party MSSP. Managed Detection and Response (MDR) means you pay a provider to run your EDR/XDR for you. Remember that attackers can obtain copies of these tools and constantly test their malware against them looking for bypasses. We perform Red Team Exercises at companies to test the capabilities of their EDR and XDR protections. Do not make the common mistake of letting your guard down in other security areas after implementing EDR or XDR.
- Shielding from Public Networks: Equip remote users with a filtering device, such as a portable firewall or travel router, to sit between their laptop and the public network. Some of these devices can establish the VPN connection to the data center themselves, which adds a layer of protection since the laptop never touches the public network directly. Proper configuration of travel routers is crucial: use the most secure Wi-Fi security protocols available, change default credentials, keep the firmware updated to close vulnerabilities, and apply a documented secure configuration baseline.
- Alternative Connectivity: When a filtering device isn’t available, remote users should connect via a cellular network rather than public Wi-Fi. When you are not on the public Wi-Fi, you are also disconnected from the potentially harmful devices on it.
By implementing these practices, you can significantly enhance your security posture against the potential risks associated with remote VPN access.
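As an added example (not code from the original article), the following PowerShell script applies the endpoint fundamentals above to a Windows 10/11 laptop before it joins a public network: it forces the restrictive Public firewall profile, blocks unsolicited inbound connections, disables a few listening services a traveling user does not need, and then lists what is still reachable from the network. The service list is an assumption for illustration; review it against the applications your users rely on (disabling Spooler, for instance, also removes local printing) and deploy the settings through your management tooling rather than by hand.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Run in an elevated PowerShell on a
# Windows 10/11 laptop. The service list below is an assumption; adjust it to your
# environment.

# 1. Treat every network the laptop did not join through the domain as Public, so the
#    restrictive Public firewall profile (configured next) governs coffee-shop Wi-Fi.
Get-NetConnectionProfile |
    Where-Object { $_.NetworkCategory -ne 'DomainAuthenticated' } |
    Set-NetConnectionProfile -NetworkCategory Public

# 2. Public profile: drop all unsolicited inbound traffic, ignore any per-app allow rules,
#    keep outbound (and therefore the VPN client) working, and log what gets blocked.
Set-NetFirewallProfile -Profile Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -AllowInboundRules False -LogBlocked True `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

# 3. Stop and disable services that accept inbound connections a traveling user does not
#    need. Spooler is the Print Spooler service behind PrintNightmare; the others advertise
#    or expose the laptop to neighbors on the LAN. (Assumed list for illustration.)
$unneeded = @('Spooler', 'RemoteRegistry', 'SSDPSRV', 'upnphost', 'FDResPub')
foreach ($name in $unneeded) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $svc) {
        Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
        Set-Service -Name $name -StartupType Disabled
    }
}

# 4. Show every TCP listener bound to all addresses. This is exactly what another device
#    on the public network can probe, VPN or not; the firewall profile above is what keeps
#    those probes from reaching the owning process.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -in @('0.0.0.0', '::') } |
    Select-Object LocalAddress, LocalPort,
        @{ Name = 'Process'; Expression = { (Get-Process -Id $_.OwningProcess).ProcessName } } |
    Sort-Object LocalPort |
    Format-Table -AutoSize
```

Step 2 uses "block all inbound, even allowed apps" on the Public profile, which is deliberate for a laptop on untrusted Wi-Fi. If your IT team needs inbound access to the laptop over the VPN (remote assistance, for example), scope that to the VPN adapter’s network profile rather than relaxing the Public profile. The listener table in step 4 is also a useful before-and-after check when you decide which services to keep.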
Part 2: Securing Your Organization’s Network Against Compromised Users’ Laptops on a Remote Access VPN: Protecting the Organization from the User at the Coffee Shop
To help prevent unauthorized network access through a compromised VPN user’s device, consider these strategies:
- Restricted Access: Restrict VPN use to company-issued computers only. Your IT team must manage robust security measures like patch management, EDR/XDR solutions, stringent configurations, and more.
- Ban Personal Devices on VPN: Consider prohibiting the use of family or personal devices for VPN access. These unmanaged devices are more susceptible to malware, which can spread to your corporate network.
- Network and Firewall Strategies at the Data Center:
- Server Segmentation: Isolate the Remote Desktop Services (RDS) hosts and file servers in their own network segments or VLANs. This allows tailored security policies and limits how far a breach can spread.
- VPN Traffic Isolation: Give VPN clients a dedicated network segment (their own address pool) that acts as a buffer zone, keeping incoming connections separate from the core network.
- Firewall Implementation: Place firewalls so that all traffic between the VPN segment and the other segments passes through them. Implement firewall access control lists (ACLs, a.k.a. firewall rules) that define and enforce the permitted traffic types, sources, and destinations between those segments.
- Traffic Protocol Rules: Allow only the protocols remote users need, for example RDP (TCP/UDP 3389) to the RDS hosts and SMB file sharing (TCP 445) to the file servers, from the VPN segment to those designated servers only, and deny everything else by default.
- Session Management: Configure the firewalls to limit the number and duration of sessions, reducing the window for prolonged unauthorized access.
- Deep Packet Inspection: Employ firewalls capable of DPI to inspect traffic content and confirm it matches the expected protocol on each allowed port.
- Vigilant Monitoring: Log all traffic passing through the firewalls, including denied connections from the VPN segment, and review these logs regularly for anomalies.
- Firewall and Infrastructure Firmware Patches and Updates: Keep firewall firmware and configurations up to date to counter emerging threats.
- Regular Audits: Periodically audit the rules and the segmentation to validate that the controls still do what you intend.
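As an added example (not from the original article), here is the host-based counterpart to the firewall ACLs above, in PowerShell: Windows Firewall rules on an RDS host or file server that accept RDP or SMB only from the VPN client pool and the internal LAN, with the built-in broad rule groups disabled and a final check that flags any inbound allow rule still scoped to any address. The address ranges and the role parameter are assumptions for illustration. The perimeter firewall between the VPN segment and the server VLAN remains the primary control; these rules are the second layer, and they also catch lateral movement from a compromised host inside the same segment.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Run on the server whose role you name.
# Assumed addressing for illustration:
#   VPN client pool (dedicated VPN segment) : 10.50.0.0/24
#   Internal LAN (on-site users)            : 10.10.0.0/16
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('RDS', 'FileServer')]
    [string]$Role
)

$allowedSources = @('10.50.0.0/24', '10.10.0.0/16')

# Deny-by-default inbound on every profile and log the drops, so a scan from a
# compromised VPN client shows up in pfirewall.log.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -LogBlocked True

# Switch off the built-in rule groups that would admit RDP or SMB from any address.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop', 'File and Printer Sharing' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# Add narrowly scoped allow rules for the one service this host actually provides.
switch ($Role) {
    'RDS' {
        foreach ($proto in 'TCP', 'UDP') {
            New-NetFirewallRule -DisplayName "RDS - RDP ($proto) from VPN pool and LAN" `
                -Direction Inbound -Protocol $proto -LocalPort 3389 `
                -RemoteAddress $allowedSources -Action Allow -Profile Domain | Out-Null
        }
    }
    'FileServer' {
        New-NetFirewallRule -DisplayName 'FS - SMB from VPN pool and LAN' `
            -Direction Inbound -Protocol TCP -LocalPort 445 `
            -RemoteAddress $allowedSources -Action Allow -Profile Domain | Out-Null
    }
}

# Audit: list every enabled inbound allow rule whose remote scope is still "Any".
# After this script, nothing in the list should expose 3389 or 445.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule     = $_.DisplayName
            Protocol = $port.Protocol
            Port     = ($port.LocalPort -join ',')
            Remote   = $addr
        }
    } |
    Where-Object { $_.Remote -eq 'Any' } |
    Sort-Object Port |
    Format-Table -AutoSize
```

Run it as `.\Set-VpnScopedRules.ps1 -Role RDS` on the RDS host and `-Role FileServer` on the file server (the file name is an assumption). The new rules are attached to the Domain profile because these are domain-joined servers; on a workgroup server, change `-Profile` to the profile the server’s network actually lands in, or the rules will never match. Keep the audit output with your change records: it is the quick evidence for the "Regular Audits" item above that no rule quietly re-opened a service to the whole VPN segment.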
Part 3: Don’t Provide an Easy Path for Attackers to Access Your Files
- Omitting Drive Mapping to Remote Hosts: Consider alternatives to mapping server drives for remote VPN users. If a drive is mapped through the VPN and an attacker compromises the laptop, the attacker has that drive too, and the mapping makes it trivial for ransomware or a malicious script to encrypt or delete files on your servers.
- If you stop mapping drives but remote users still need the same live copies of the files local users work on, strategies include:
- Cloud Storage: Store the files in a cloud location, from Microsoft or a third-party provider, that all users access without drive mappings.
- File Synchronization Considerations: If cloud storage is not an option and the files must stay on traditional servers for local users, a synchronization process can copy them to a hosted location that remote users reach. This works well if remote users only read, not edit, the files. If multiple users edit files simultaneously, data inconsistencies are likely: the synchronization must handle a local user and a remote user editing the same file at the same time, decide which saved version to keep and what to do with the conflicting one, and alert the users that edits may have been lost.
VPNs and MFA: A Misunderstood Safety Net
In my experience, some well-meaning IT professionals proclaim, “If you are in a coffee shop, you can protect yourself from the security risks if you use a VPN backed up with MFA.” This well-intentioned advice, however, needs a deeper dive to uncover the whole truth.
MFA and VPN Security:
Multi-factor authentication (MFA) significantly enhances security by helping ensure that only authorized users can access VPNs. However, it’s crucial to understand that while MFA helps in securing the authentication of users, MFA does not safeguard against attacks exploiting vulnerabilities on devices connected to the public network. For example, MFA cannot protect against an attacker scanning for open ports on a laptop connected to a compromised Wi-Fi network. These attacks can occur independently of the authentication process that MFA protects, highlighting the need for comprehensive endpoint security measures and robust authentication protocols.
To guard against a wide range of threats, organizations must implement a layered security approach that includes strong authentication measures like MFA and endpoint protection strategies. This should involve regularly patching and updating software and operating systems, closing unnecessary ports, employing host-based firewalls, and continuously monitoring suspicious activities. By addressing device-level security with authentication controls, organizations can provide a more robust defense against attackers’ diverse tactics.
Consider Alternative Solutions for Remote Access:
A Remote Desktop Gateway (RD Gateway) for Remote Desktop Services (RDS) lets remote users reach internal resources without a traditional VPN. The gateway carries RDP inside HTTPS to specific published hosts, so a compromised laptop gets a desktop session rather than a routed connection into the network, which reduces the attack surface. RD Gateways come with their own security challenges and require robust configuration and protection, and the user’s device still needs strong endpoint security, because a compromised laptop can be used against the session it opens.
Similarly, giving remote users cloud-based virtual desktops, such as those provided by Windows 365, removes the need for drive mappings to the user’s own computer.
It is essential to recognize, however, that if the user’s laptop is compromised, an attacker on it can still hijack the user’s session, whether that session is to a cloud-based virtual desktop or to a machine behind an RD Gateway. This risk underscores the need for continuous monitoring and response so that any such compromise is detected and addressed quickly.
In Conclusion:
VPNs provide significant security benefits by encrypting data, which is crucial for privacy and protection against eavesdropping. However, they should be part of a broader security strategy that includes secure endpoints and awareness of public network risks. An attacker, physically present in the coffee shop or remotely controlling another patron’s device, could exploit open ports, unpatched vulnerabilities, or other security loopholes. This is where malware, often lurking unnoticed, can exploit weaknesses on your laptop.
Threat actors count on the misconception that a VPN is the only control needed to protect users on public networks, and attacks against VPN infrastructure feature prominently in current threat forecasts. In addition, mapping drives over a VPN is a common remote work practice that carries significant inherent risk.
Bolster your organization’s security by empowering your users to avoid connecting to a public network and consider some form of securely configured cellular connection. If they connect to the public network, consider facilitating their security with a properly configured hardware firewall to help isolate their laptop from the public network.
Combining multiple tools and best practices is essential for a layered security approach. As always, regular user training is an essential component of keeping your organization secure.
Note: This document provides guidelines for enhancing remote access security through VPNs and alternative methods. It does not address the security specifics of the VPN client application or browser plugins. Readers are encouraged to follow cybersecurity best practices for those components as well.
Disclaimer: The information provided in this blog is for general informational purposes only. Technology changes constantly, and some of this information might become obsolete or incorrect. We do not endorse or receive compensation for mentioning products, services, or brand names. Any outbound links provided are for your convenience and to get you started, but we cannot guarantee the security or safety of those external websites. Conducting your research and making an informed decision about any products or services mentioned here is essential. We shall not be held responsible for any actions taken based on the information provided.