Corporate VPN for traveling VIPs on public wifi

percussed · ‎03-21-2024

Hello all,

I'm having a discussion with my boss about the need for using our AnyConnect VPN or hotspots when our VIPs are traveling and using public wireless. I was taught that all public wireless should be avoided or to use a VPN to ensure encryption. This was prior to HTTPS so there was greater risk of un-encrypted traffic. His point is that using a VPN or a personal hotspot is unnecessary since traffic is already encrypted.

We also have users in less secure countries like China that my boss is a little more receptive to forcing them to use a VPN.

Can anyone give me ammunition to make a case for VPN or hotspot use?

Thanks.

denbesten · ‎03-21-2024

We take a more stringent position. All corporate domain joined devices automatically connect to our VPN (using device credentials) when off-site. And, all Internet-bound traffic hairpins through our corporate firewalls to ensure it complies with the corporate rules. Plus, it allows group policy enforcement when off-site and logged-off, keeping the device secured to our standards.

This reduces public WiFi risk to a level with which we are generally comfortable, yet we still purchase in-built 5G for our senior leadership. We present as a way to ensure their laptops are always usable, but there is a definite side benefit in additional armor for the traffic we believe needs a bit more protection.

Yes, public WiFi is less of a risk for web browsing than it used to be, primarily due to the shift towards https. But it still results in data-leakage because one can still tell to which web sites one goes and the opportunity to block traffic remains. Plus, bad actors can still intercept and modify if users are willing to click "OK" to a simple certificate warning.

You also need to consider that PCs will still look for their domain controller, will be attempting to map drives, and doing similar that really does not belong out in the public. If someone can impersonate the DC (or to a smaller extent a network drive), it is game-over for the PC. A simple home router (or personal hotspot) filters this out, but it is visible to the other users/devices in your home as well as to the other patrons when in a coffee shop.

Fire up Wireshark sometime and be amazed at how much network traffic an idle PC generates, even if no browsers are running.

If you are investing in defensive measures for "China", why the resistance to leveraging the defenses world-wide? At its simplest, it might be worth exploring why the boss trusts the hackers in the local coffee shop more than those in a Chinese coffee shop.

Caute_cautim · ‎03-22-2024

@percussed

Using a hotspot on your phone can have some risks. One of the biggest problems with phone-based hotspots is speed. Mobile hotspots are usually significantly slower than Wi-Fi or even MiFi hotspots. Further, the Internet signal that cell phones deliver is often spotty. While running a mobile hotspot, your battery can get so hot that the heat transfers to the other components of your phone. The whole situation can potentially overheat your phone’s electronic components, which will subsequently negatively affect its performance. Additionally, the act of “free-riding” on public hotspots exposes mobile device users to potential privacy and security risks, for their private data could be exposed to hackers or business owners through various attacks, especially Man-in-the-middle attack.

A virtual private network (VPN) is essential in protecting your online security. VPNs can provide a layer of privacy and security by routing browser traffic through an encrypted tunnel. VPNs could also keep your internet service provider from knowing what sites you visited because the traffic coming to and from your computer all travels through the VPN’s servers, or servers VPNs pay to use. TLS VPNs are considered more secure than traditional IPsec VPNs because they use the same encryption protocols as HTTPS, the secure version of HTTP used for online transactions. However, it's important to note that VPN security is almost entirely dependent on the provider.

Regards

Caute_Cautim

tmekelburg1 · ‎03-22-2024

To keep it short. Your boss is assuming the remote staff are connecting to legitimate access points and the provider has the access points setup with security in mind for a guest network. Those are risks I wouldn't want to take with my corporate data but do the research on your own with what can go wrong if any of those assumptions fail. Steer the conversation towards operational and financial impact on the business to help put it into perspective.

It's just too simple to have their corporate phone setup with the hotspot feature and use AnyConnect to remote back to whatever security appliance/application you have setup. I'd also recommend using MFA with the VPN as well.

JoePete · ‎03-22-2024

@percussed wrote:
His point is that using a VPN or a personal hotspot is unnecessary since traffic is already encrypted.

A few thoughts:

HTTPS traffic is just a portion of the transmitted and received packets going in and out of the device.
I'd review the vulnerabilities associated with mixed-content and HTTP response-splitting (HTTPS is not bullet proof).
HTTPS only authenticates the server (and occasionally that fails), not the client
VPNs allow you to control the IPs allowed into certain/any resources. This can provide very useful filtering, monitoring, and auditing.
Playing off the above point, implementing a VPN isn't a heavy lift expense wise and can bear a significant return in implementing other strategies.

percussed · ‎03-26-2024

Thank you so much for thoughtful response. It's not easy pushing the security bolder up the hill when budget and ease of use get in the way, so thanks for the assist.

percussed · ‎03-26-2024

Thanks a lot for your reply.

percussed · ‎03-26-2024

Thanks so much for your reply. I agree that it's easy risk reduction strategy.

percussed · ‎03-26-2024

Thanks for the thoughtful reply. And you're right it's not a heavy lift and worth doing, especially for the VIPs.

percussed · ‎03-26-2024

Thanks for the reply. I agree, it's a simple fix for what could be an extreme risk.