Saturday, March 28, 2020

Keep your company's digital assets available and safe: "Two is One and One is None"

I received a call yesterday from my insurance agent. He works for a large company; you'd know the name. He told me that when the entire company went remote, their connection to the home office dropped for about a day. This is not the first company that I've heard this about. In our haste to go quickly to remote work, many companies failed to plan for redundancies and choke points. The good thing? The fixes aren't hard:

Here are some simple things to consider as we normalize in our potential for longer-term quarantine.

When it comes to terminating VPNs at the border, think redundancy

Many companies use a Next-Generation Firewall (NGF) at the edge. NGFs are great little boxes, filled with features: traditional firewalling, routing, intrusion prevention, anti-malware, and SSL and IPsec VPN concentrators. Here's the problem: in generic terms, if you turn on VPN and intrusion prevention on many of these firewalls, performance drops, fast. You could lose as much as 70% of your throughput. Add in SSL inspection, and that amazing hardware-based box slows to a crawl, frustrating workers and costing the company valuable productivity time. What to do about it:
  • Separate those duties into independent functions
  • Consider adding High Availability (HA) pairs to allow for failover
  • Have a backup plan if you find your current inbound bandwidth swamped
Separate those duties into independent functions. Isolate VPN concentration from protection. Use one machine (a firewall, router, or dedicated VPN concentrator) to terminate VPNs at the company edge, and leave the NGF to do edge firewalling, IPS, anti-malware, and so on. You'll find that your employees will be much happier.

Consider adding High Availability (HA) pairs to allow for failover. High availability is the pairing of two devices so that if one fails, the other automatically takes over. Every device that we've used has the ability to be paired in high availability mode. Why? Three nights ago we saw an ASA fail because of the heavier workload. When it finally failed, the connection simply rolled over to the second firewall, allowing remote operations to continue almost without issue until the first machine could be updated to the newest OS. In the world of firewalls, two is one and one is none. With HA-paired firewalls, if one fails, the other continues. If you only have one, your remote workers lose access to the company and productivity stops.

Have a backup plan if you find your current bandwidth is swamped. Most companies had planned for only a fraction of their workforce to be remote: sales, executives, support, and maybe a few dedicated telecommuters. If you had 100Mb of bandwidth set aside for remote access for 10% of your company, how much bandwidth will you need when the other 90% gets quarantined? The math isn't hard. Look at what's used internally, taking actual utilization into consideration, and plan.
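As an added worked example (not tooling from this post), here is a small Python capacity check for that math: it takes constructed per-user peak readings from an office day, uses their 95th percentile as the planning figure, and scales it to the remote headcount with assumed values for concurrency, VPN tunnel overhead and headroom before comparing against the link you have.

```python
"""Remote-access capacity check: an added example, not tooling from the post.

Constructed per-user peak throughput samples (kbps) stand in for what you
would measure on the office LAN; concurrency, tunnel overhead and headroom
are assumptions you should replace with your own figures.
"""
import math
from dataclasses import dataclass

KBPS_PER_MBPS = 1000

# Constructed sample: one peak-hour reading per user, with one outlier.
OFFICE_SAMPLES_KBPS = [80, 95, 110, 120, 150, 160, 180, 200, 210, 240,
                       260, 300, 340, 380, 420, 500, 600, 750, 900, 2400]


def percentile(samples, pct):
    """Nearest-rank percentile (pct in 0..100); keeps outliers from driving the plan."""
    ordered = sorted(samples)
    rank = max(1, math.ceil(pct * len(ordered) / 100))
    return ordered[rank - 1]


@dataclass
class Plan:
    remote_users: int
    per_user_kbps: float    # planning figure, e.g. percentile(OFFICE_SAMPLES_KBPS, 95)
    concurrency: float      # assumed share of remote users busy at the same moment
    tunnel_overhead: float  # assumed IPsec/SSL encapsulation overhead, e.g. 0.10
    headroom: float         # assumed margin so the link never runs flat out

    def required_mbps(self):
        raw_kbps = self.remote_users * self.concurrency * self.per_user_kbps
        return raw_kbps * (1 + self.tunnel_overhead) * (1 + self.headroom) / KBPS_PER_MBPS


def assess(plan, link_mbps):
    """Compare the need against the inbound link. With an active/standby HA
    pair, link_mbps is what ONE concentrator can carry, not the pair's sum."""
    need = plan.required_mbps()
    return {"required_mbps": need, "shortfall_mbps": max(0.0, need - link_mbps),
            "ok": need <= link_mbps}


if __name__ == "__main__":
    per_user = percentile(OFFICE_SAMPLES_KBPS, 95)
    for users in (100, 900):  # 10% of a 1000-person company, then the other 90%
        plan = Plan(users, per_user, concurrency=0.6, tunnel_overhead=0.10, headroom=0.25)
        print(users, "remote users on a 100 Mb link ->", assess(plan, 100))
```

With these constructed inputs the 100Mb link covers the original 10% comfortably but falls hundreds of Mb short once the other 90% is remote, which is the gap your backup plan has to close.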
--------------------------------------------

TRUSTED INTERNET IS A MANAGED SECURITY SERVICES PROVIDER
We install next-generation firewalls, managed antivirus, and an anti-evasion toolkit in your home or office, and then monitor and manage them remotely, 24x7. If we see a threat, we stop it.

Contact us
800-853-6431
staysafeonline@trustedinternet.io