Do you block VPN access at your place of work for people already on your network? (Do you block outbound VPN on your company network)

While I understand remote workers will need to VPN into our network for things - I am curious if other groups block VPN activity to outside locations?

When we first switched to our Fortinet firewall, we had a few users who were using VPN access to circumvent web filtering - they were personal devices so I didn’t much care - until one Android phone pulled down a virus over the VPN and was connected to a Windows company device. We’ve since blocked all outbound VPN access in our FortiGate.

We have one tech member on our tier 1 crew who is always (trying) to use a personal VPN on their company device. I feel like this will become an issue inside our organization soon and was curious if other companies also block outbound VPN access for users who are already on the company network?

I’ve always assumed from the security standpoint that if you’re on our network, there isn’t a need for a VPN connection or software to be actively engaged in a tunnel. If our users (esp. our techs) are using a VPN tunnel, they could bypass the firewall exclusions we set for protection. Perhaps I’m being too strict and we should rely on our internal apps for catching malware or quarantining systems if they get infected by using a VPN - but so far we haven’t been given any mandate from above regarding VPN outbound access, nor any company reason to enable it for users either.

The only thing I have to add is to allow it on your guest network for visiting 3rd party workers. When we have consultants etc on-prem they often need to VPN into their work resources

Dude, this isn’t even a question, you need to be blocking that. It’s not just vpn connections, you NEED to be blocking outbound ports that are not needed for work. Frankly, you start with just tcp80/443 and then go from there, start building URL lists for rules that need something like 8443 or whatever, the list will be small enough to handle at time of need.

If you allow stuff like smb, ssh, ftp, whatever outbound to the internet unrestricted, you have HUGE low hanging fruit problems you should be focusing on. Build AD user groups for business processes that need special outbound (it will be low), and run that through your firewall rules.

And on a side note, you need to get management involved with those techs because that shit is unacceptable.

What does your Acceptable Use Policy say about the use of VPNs or unauthorized software on company-owned devices?

Yes of course. You are allowing people to bypass your policies if you’re not blocking it. You’re also potentially permitting malware or spyware that establishes tunnels.

I’ve come across exactly 1 use case for allowing VPN in the office, and even then we limit it very heavily. We have a team who needs to test things based on different geo-localizations, the easiest thing was to give them a NordVPN setup. And even then, if I had the time I’d build something myself… Maybe an orchestrated containerized openvpn setup that could spin up quickly in “any” public cloud region - I haven’t thought much about it tbh.

Yes, a lot of 3rd party personal VPN services can essentially be considered spyware. Not all of them keep the data private and some even log your browsing history. Many even sell your browsing data.

Rule #1 in your firewall should be “deny everything.” From there you build out what is allowed based on expected service and destinations so that only expected and allowed traffic is happening.
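One way to model the approach these two replies describe (deny everything, then allow only what a business process needs, starting from tcp 80/443 and adding group-scoped exceptions), as an added example that is not code from any poster or from a firewall vendor. The group names, destination ranges, tunnel port table and sample flows are all hypothetical; the point is that a personal VPN client on a workstation is denied by the default rule and only the guest segment gets an explicit exception.

```python
"""Default-deny egress policy with VPN/tunnel protocol signatures.

Added illustration, not code from the thread or from any firewall vendor.
The group names, destination ranges and sample flows are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src_group: str   # segment or AD group the source host belongs to
    dst_ip: str
    proto: str       # "tcp" or "udp"
    dst_port: int


# Ports used by common VPN / tunnel / proxy clients. Port matching catches the
# obvious cases only; a VPN that hides on tcp/443 needs application control
# or TLS inspection on the firewall, which this model does not attempt.
TUNNEL_PORTS = {
    ("udp", 1194): "OpenVPN",
    ("tcp", 1194): "OpenVPN",
    ("udp", 51820): "WireGuard",
    ("udp", 500): "IKE (IPsec)",
    ("udp", 4500): "IPsec NAT-T",
    ("tcp", 1723): "PPTP",
    ("udp", 1701): "L2TP",
    ("tcp", 1080): "SOCKS proxy",
    ("tcp", 9001): "Tor relay port",
}

# Allow rules: (group, proto, port, destination network). "any" means every
# group. Anything not matched here is denied, which is the default-deny rule.
ALLOW_RULES = [
    ("any", "tcp", 80, "0.0.0.0/0"),
    ("any", "tcp", 443, "0.0.0.0/0"),
    ("dev-team", "tcp", 22, "203.0.113.0/24"),   # hypothetical git hosting range
    ("guest", "udp", 1194, "0.0.0.0/0"),         # visitors may VPN home from the guest segment
    ("guest", "udp", 51820, "0.0.0.0/0"),
]


def evaluate(flow, rules=ALLOW_RULES):
    """Return (verdict, reason) for one flow: allow rules first, then default deny."""
    for group, proto, port, net in rules:
        if group not in ("any", flow.src_group):
            continue
        if proto == flow.proto and port == flow.dst_port \
                and ip_address(flow.dst_ip) in ip_network(net):
            return "allow", f"rule {group}/{proto}/{port} -> {net}"
    signature = TUNNEL_PORTS.get((flow.proto, flow.dst_port))
    if signature:
        return "deny", f"tunnel protocol: {signature}"
    return "deny", "default deny"


def audit(flows, rules=ALLOW_RULES):
    """Evaluate many flows; return a list of (flow, verdict, reason)."""
    return [(f, *evaluate(f, rules)) for f in flows]


# Constructed sample flows from three segments.
SAMPLE_FLOWS = [
    Flow("workstations", "93.184.216.34", "tcp", 443),   # ordinary HTTPS
    Flow("workstations", "198.51.100.7", "udp", 1194),   # personal OpenVPN client
    Flow("workstations", "198.51.100.9", "tcp", 445),    # SMB to the internet
    Flow("workstations", "203.0.113.5", "tcp", 22),      # SSH without the group
    Flow("dev-team", "203.0.113.5", "tcp", 22),          # SSH with the group
    Flow("guest", "198.51.100.7", "udp", 1194),          # visitor's VPN home
]

if __name__ == "__main__":
    for flow, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:5} {flow.src_group:12} {flow.proto}/{flow.dst_port:<5} "
              f"{flow.dst_ip:15} {reason}")
```

The deny reason is kept separate from the verdict on purpose: "tunnel protocol" hits are the ones worth a ticket to the user's manager, while plain "default deny" hits are mostly noise to review when someone asks for a new exception.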

Setting aside the technical config aspect, and addressing AUP/internal policy aspect: Company devices only on company network, and company devices only run company issued software.

This is not your call to make per se, it is the business owner’s but they should have a discussion with you to understand they why’s behind this.

Not only do we block all VPN and VPN-like access. We block any encrypted communications our firewall can’t evaluate or that are not expressly approved. Along with every kind of remote/screen sharing system except for approved users at approved times. This blocks SSH, encrypted DNS, nearly all screen sharing tools etc.

Segregate personal use devices from company secure network segments. (USB filtering etc. helps here)

Specifically we try to block the entire chain of compromise at various levels.

  1. Reconnaissance (Geo blocking, blocking non-used ports/services, fail2ban, log analytics)
  2. Delivery (Blocking any exe, script or other code not expressly approved)
  3. Exploitation (Keeping systems updated, end point security, removing unused software, services disabled etc.)
  4. Installation (Permission restrictions, don’t run as admin, Software Restriction Policies, File Server Resource Manager etc.)
  5. Command and Control (block inbound and OUTBOUND traffic such as: DNS that bypasses the company-approved DNS system, unknown traffic, traffic to Discord or X or other sites not work related or directly allowed for some reason)
  6. Actions by threat actors (Block scripts on systems that don’t need it, filter data at the firewall using Data Loss Prevention etc.)

After all of this it should be clear that if you want security, you have to be vigilant and only allow approved communications that expressly service a business function. Personal devices attached to company resources is a huge no go zone for us.

At the end of the day, I am just a sysadmin; my job is to implement the policies my agency deems appropriate for their needs. My job in part is to convey the seriousness of a given threat and let a decision maker ultimately take responsibility for their choice. At times I disagreed and was told to do something that was not what I would like. In doing so I make sure I have a clear chain of communication with management, sometimes that’s even a physical letter the manager signs that I take offsite to ensure that my actions have legal protection.
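Item 5 of the list above (outbound DNS that bypasses the company-approved resolver, including the encrypted DNS the poster blocks) is the kind of thing you can confirm from firewall traffic logs before and after the block goes in. The following is an added example, not the poster's tooling: it parses constructed key=value traffic records, flags plain DNS to anything but the approved resolver, DNS-over-TLS (tcp/853), and tcp/443 straight to well-known public DNS-over-HTTPS resolver addresses. The internal resolver address, the log format and every log line are made up; the public resolver list is illustrative and necessarily incomplete, since DoH to a self-hosted or obscure endpoint looks like any other HTTPS flow without TLS/SNI inspection.

```python
"""Flag DNS that bypasses the approved resolver, including encrypted DNS.

Added illustration, not code from the thread. The internal resolver address,
the log format and every log line below are constructed for the example.
"""
import re
from collections import defaultdict

APPROVED_RESOLVERS = {"10.0.0.53"}   # hypothetical company DNS server

# Public resolvers that answer DNS-over-HTTPS on tcp/443. A 443 flow from a
# workstation straight to one of these is DoH, not web browsing. Self-hosted
# or obscure DoH endpoints are not on any list and need TLS/SNI inspection.
PUBLIC_DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# key=value style record, in the spirit of firewall traffic logs (format assumed).
LOG_RE = re.compile(
    r"srcip=(?P<src>\S+) dstip=(?P<dst>\S+) proto=(?P<proto>tcp|udp) dstport=(?P<port>\d+)"
)


def classify(dst, proto, port):
    """Return a finding label for one flow, or None if it is not a DNS bypass."""
    if port == 53 and dst not in APPROVED_RESOLVERS:
        return "plain DNS to unapproved resolver"
    if port == 853:
        return "DNS-over-TLS"
    if proto == "tcp" and port == 443 and dst in PUBLIC_DOH_RESOLVERS:
        return "DNS-over-HTTPS to public resolver"
    return None


def find_dns_bypass(log_text):
    """Parse log lines; return {src_ip: [(label, dst_ip), ...]} for offending hosts only."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:            # unparseable lines are skipped, not treated as clean
            continue
        label = classify(m["dst"], m["proto"], int(m["port"]))
        if label:
            findings[m["src"]].append((label, m["dst"]))
    return dict(findings)


# Constructed records: one clean host, one with plain DNS + DoT, one with DoH.
SAMPLE_LOG = """\
srcip=10.0.5.21 dstip=10.0.0.53 proto=udp dstport=53
srcip=10.0.5.21 dstip=93.184.216.34 proto=tcp dstport=443
srcip=10.0.5.37 dstip=8.8.8.8 proto=udp dstport=53
srcip=10.0.5.37 dstip=1.1.1.1 proto=tcp dstport=853
srcip=10.0.5.42 dstip=1.1.1.1 proto=tcp dstport=443
srcip=10.0.5.42 dstip=1.0.0.1 proto=tcp dstport=443
srcip=10.0.5.42 dstip=10.0.0.53 proto=udp dstport=53
this line is not a traffic record
"""

if __name__ == "__main__":
    for host, items in find_dns_bypass(SAMPLE_LOG).items():
        print(host)
        for label, dst in items:
            print(f"  {label} ({dst})")
```

Run it against logs from before the block to see which hosts and which mechanism (plain, DoT, DoH) you are about to break, and again afterwards to confirm the only remaining port 53 traffic goes to the approved resolver.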

Yes, absolutely. There is no legit business reason to allow VPNs inside your network. The only thing I can think of is that you are either working with a vendor/customer and you need to connect to their VPN to access something on their network, or you have a visitor who needs to connect to their own VPN to get back to their network (and they’re already on a segregated guest network).

I’ve found that VPNs for an actual customer don’t get caught by Fortinet, but stuff like NordVPN does get caught. But even if it does block a legit VPN, you can make firewall exceptions for those manually. The default should be to block it.

Side note. Why does your level 1 person have enough privileges to install a personal VPN on their corporate device? That’s a management issue and that person should be talked to, written up and/or fired.

Not sure what type of workplace it is, but if you deal with confidential data, you could argue it needs to be blocked to prevent data exfiltration. But I suspect there might be other areas where you may need to cover this too…

If I am not mistaken (I’m not in charge of it), our offices are set up in a way where servers have pretty much near open access (though what they access is controlled at the server level). All workstations use Zscaler, and either it goes through Zscaler or it’s an IP-whitelisted application. Nothing else is permitted through the firewall and Zscaler catches the rest, which as far as I know doesn’t care about VPN connections; not that a VPN connection will work if it doesn’t go through Zscaler in the first place, which it likely doesn’t unless maybe an app was deployed (I think Zscaler has something that will work on non-browser apps, but when I was in admin we weren’t using those yet).


Yes.

Heh, I used a VPN at a small company with a weirdo HR person.

But at an enterprise, that is very much not okay.

Yes.

My rule - block all outbound / inbound - only allow out what is required, and VPNs, proxies, anything that could circumvent said blocks is blocked. Also, hopefully you are not allowing them to install other software on work systems like 3rd party VPN clients?

We have always-on VPN, so when they are internal or out and about, it all goes through the Palo.

Principle of Least Privilege: if it’s not absolutely required then it’s not allowed.

I would but it depends on the type of VPN. I would want to exempt people who have Google Fi because many of them have their VPN on all the time and don’t realize it.


I doubt OP has a guest network.