After a data leak, we need to secure our network better. What do you think about hiding internal assets behind the VPN from the inside? Employees will need to connect to the VPN even from the office to access them. We use MFA for VPN.
Tunnels create overhead and reduce throughput. I would avoid doing anything that involves tunnels.
In Palo Alto firewalls you can use something like User-ID to create security policies that are based on the current user. You can use GlobalProtect to authenticate the user and also enforce HIP profiles that can make it so your system must meet certain criteria, e.g. up-to-date, working antivirus, etc.
Some time ago I spoke with one of the IT guys from ORANGE telecom. He told me that their LAN network allows access only to the internet. If you need access to assets, broadly speaking, you have to connect to the VPN. Based on our leak scenario, if we had this implemented, it would be much harder to steal our data.
We do this at most client sites: we put all the management interfaces (like iLO, Synology, firewall, backup server, VMware) behind an extra security wall and we enable MFA on it.
This prevents a rogue laptop in the network from doing harm to the backend.
Horrible idea. There are other ways to secure internal resources, for example by making them available only to your company owned laptops that do certificate-based authentication (EAP-TLS) on your corporate SSID. After that you can use identity awareness in your firewall policy to further limit access to more specific resources based on user group membership.
It's not even a dumb idea, but there are 50 ways of doing it. At my old gig everything had access to the internet and printers; if you needed to get to anything corp you'd auth to VDI with MFA and do your work in there, regardless of whether you're remote or in the office. Everything auditable, they wanted that since there was a risk of corp data being stolen by leavers.
Depends on the organisation, but I don’t think there should be a single “internal” network.
We logically group things based on some kind of common attributes. At my current org, that’s by application, region and environment.
We define what is reachable from where.
For instance, some services like reporting/app management are reachable from the public internet through a reverse proxy or something similar that’s also enforcing authn/authz.
Some services need a VPN or tunnelling of some kind (such as direct DB access).
Services like Cloudflare WARP and Tailscale are great here - we can make a bunch of this pretty much seamless (aside from the need to auth) to people with the right endpoint profile and credentials.
The tl;dr is that we’re treating anyone on the office network as barely one step above coming direct from the public internet.
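As an added illustration (not the commenter's own configuration), a Tailscale ACL policy file that expresses the reachability model described above: hosts are grouped by application/region/environment tag, the database port is reachable only by one identity group from devices that pass a posture check, and nothing is granted merely by being on the office LAN. All identities, tags, hosts and version thresholds are hypothetical.

```jsonc
// Hypothetical Tailscale policy file (HuJSON, comments allowed).
// Added example; every identity, tag and threshold here is made up.
{
  // Identity groups. Authentication (and MFA) is enforced by the IdP.
  "groups": {
    "group:eng-eu":    ["alice@example.com", "bob@example.com"],
    "group:reporting": ["carol@example.com"]
  },

  // Logical grouping of services by application / region / environment.
  // Only the listed groups may attach these tags to nodes.
  "tagOwners": {
    "tag:db-prod-eu":        ["group:eng-eu"],
    "tag:reporting-prod-eu": ["group:reporting"]
  },

  // Endpoint profile: the client must run a recent release.
  "postures": {
    "posture:managed": [
      "node:tsVersion >= '1.60'"
    ]
  },

  // Default deny. A flow is reachable only if a rule below matches,
  // and the rules never reference a source network, so the office LAN
  // gets no implicit access.
  "acls": [
    {
      // Direct DB access: right group AND compliant device.
      "action":     "accept",
      "src":        ["group:eng-eu"],
      "srcPosture": ["posture:managed"],
      "dst":        ["tag:db-prod-eu:5432"]
    },
    {
      // Reporting UI over HTTPS, identity-gated only.
      "action": "accept",
      "src":    ["group:reporting"],
      "dst":    ["tag:reporting-prod-eu:443"]
    }
  ]
}
```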
I implemented the same solution about 10 years ago and still follow it to this day wherever I design a network. Essentially, users, whether inside the organization or outside, are all treated as outsiders and have to go through the VPN in order to access internal resources. It also checks the box for the auditors when they ask about network access/encryption.
ZTNA, which can do this, needs to use an overlay network that can have the data plane (and potentially the control plane) locally hosted, so that you do not need to route out to cloud-hosted PoPs.
As always, a series of unfortunate events… A forgotten technical account with the ability to log in to the VPN without MFA, privilege escalation because of the ability to edit GPOs… Recipe for disaster.
Because employees will need to connect to the VPN when they're on the internal network. Why bother them with the hassle when there are better and more intuitive ways to achieve security?