First off, let me throw the 800lb gorilla into the room:
Most of our WFH staff is BYOD. I’m not excited about that, some of the ownership is not excited about that, but it’s where we are at right now and it doesn’t look to be changing in the very near future. Though that will still be the direction I lobby for as I’m given the chance.
Staff currently VPN via FortiClient using MFA and then RDP into either their in-office workstation or an RDS server. NO work is done on their local, BYOD machine - no CRM, no email, no nothing. It is all done on the in-office PC/server via that RDP session. Copy/paste, printer redirection, etc. are killed with GPO.
That being said, one of the suggestions being thrown at us for an added layer of security is to require all VPN connections to our network to be full-tunnel connections. We would in turn then block all traffic to their local device except traffic required for the VPN connection. For some users, we’d have to poke some holes in the tunnel for things like Zoom etc. that they can’t do over the RDP session, so we’d have some fine-tuning to do.
I understand that it would be more “secure” in that we can then see and direct what traffic is being passed to/from the endpoint across our network. But I’m not *entirely* sure the effort is worth the reward?
My instinct is I can’t see what it would provide for you other than end user headaches and not a great deal in additional security. Your services are not desktop dependent and you already have controls in place for data leakage.
You might be better using something like Zscaler where you can proxy the traffic to a service that you can apply some rules on if you want better observability on what sites users are hitting while working, but you don’t have to carry it all back to your own network. You can also configure the client to exclude traffic you don’t care about.
I would advise against trying to implement full tunnel on an employee owned device. The liability if your network is involved in one of their personal accounts being hacked would make me think twice. Split tunnel and only serving your own resources over the tunnel seems sanest to me.
Since you’re on FortiGate, what about using the web mode with the FortiGate basically acting as the RDP broker? Then there’s nothing to install and no tunnel to deal with.
Do you want a riot? Full tunnel and a block-all-traffic on their own device which the company doesn’t own is definitely a bridge too far. You’re likely going to have your staff quit en masse if you do that. Frankly, asking staff to use their own device is bad enough, but adding that level of fuckery on a device they paid for will definitely be a mess you don’t want. Have you considered setting up an actual VDI environment instead? That’s essentially what you are trying to do with this anyways.
I would give them a cloud/hosted VM, make them work on that system instead of RDP to desktop and then kill the VPN on BYOD. Desktop in office would connect to VM as well.
You should be doing something like virtualized apps for RDP instead of Full Tunnel VPN and killing their internet access.
RDS, Citrix, Parallels, AWS appstream, Apache Guacamole, Kasm Workspaces would be perfect for this BYOD scenario.
All of these solutions support HTML5, so they can use RDP straight from a browser and not have to install anything. Integrate it with SAML + MFA and you have a way more secure and better user experience than what you’re proposing.
Well, shouldn’t the traffic be generally the same amount, since the only traffic that should be coming through is the RDP traffic - same as now? Maybe I’m missing something?
Yeah there’s a fine line between it being safe and not having to worry about safety since there’s no one working for you. I’d flip if I was working at home from my own machine and I couldn’t listen to music from my own damn computer while working. Just split tunnel and make sure any devices being RDP’d to have all the necessary AV and EDR.
Since you nuke internet traffic on their devices when connecting to the VPN, it’d be the same amount of traffic Split Tunnel vs Full Tunnel, except those holes you poke for Zoom etc. Those holes would be moved to your VPN so ensure you have the bandwidth to move that as well.
Perhaps focus on company-owned and managed computers for your staff. No amount of VPN shenanigans will beat proper endpoint protection.
Any traffic from the client will go through the tunnel. These are private devices, where people will have other applications.
Gotta have a pipe big enough for the simultaneous Call Of Duty updates through Steam!
Full tunnel VPN implies that all traffic, including internet traffic, goes through the tunnel. So if they’re watching YouTube, Netflix, or downloading some large file from a random site, it’ll go through your internet pipe.
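To make the split-tunnel suggestion earlier in the thread concrete, and to show exactly what "all traffic goes through the tunnel" means at the configuration level, here is an added FortiOS SSL-VPN example. It is not from any poster in this thread or from Fortinet documentation; the object names, subnets, interface name and user group are assumptions, and the portal and firewall-policy stanzas are the standard FortiOS CLI shape for this setup. The split-tunnel portal pushes routes only for the office workstation VLAN and the RDS hosts, so a BYOD client's Zoom, YouTube or Steam traffic never enters the tunnel; the full-tunnel portal is shown beside it for contrast. The firewall policy then bounds what the tunnel can reach to RDP on those hosts, which is the control that actually matters in the OP's design.

```fortios
# Added example (not from the thread). Subnets, names and interfaces are assumptions.

# Destinations that should be reachable over the VPN: the in-office
# workstation VLAN and the RDS host(s). Placeholder subnets.
config firewall address
    edit "OFFICE-WORKSTATIONS"
        set subnet 10.10.20.0 255.255.255.0
    next
    edit "RDS-HOSTS"
        set subnet 10.10.30.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "VPN-RDP-DESTS"
        set member "OFFICE-WORKSTATIONS" "RDS-HOSTS"
    next
end

# Split tunnel: FortiClient receives routes only for VPN-RDP-DESTS.
# Everything else on the BYOD machine keeps its normal default route.
config vpn ssl web portal
    edit "byod-rdp-split"
        set tunnel-mode enable
        set web-mode disable
        set split-tunneling enable
        set split-tunneling-routing-address "VPN-RDP-DESTS"
    next
end

# Full tunnel, for comparison: a default route is pushed to the client,
# so all of its internet traffic transits the FortiGate.
config vpn ssl web portal
    edit "byod-rdp-full"
        set tunnel-mode enable
        set web-mode disable
        set split-tunneling disable
    next
end

# Map the (assumed) VPN user group to the split-tunnel portal.
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "VPN-Users"
            set portal "byod-rdp-split"
        next
    end
end

# Firewall policy: regardless of portal, the tunnel may only reach
# the RDP hosts on TCP/3389. No other internal destination or service.
config firewall policy
    edit 0
        set name "SSLVPN-to-RDP-only"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "VPN-RDP-DESTS"
        set groups "VPN-Users"
        set service "RDP"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end
```

With the split-tunnel portal in place there are no "holes to poke" for Zoom: that traffic simply never reaches the FortiGate. What the company can still see and enforce is exactly the RDP session, logged by the policy above, which is the only traffic the OP's design needs on the corporate network anyway.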