Personal VPN usage

I work for a small to mid size company. I am wondering what is the best way to address users using third party VPN services on their endpoint devices (laptops and mobiles)? The endpoints are company owned devices.

As our company is growing, I want to understand how it is handled at mid to large organizations. Do you have a written policy that will stop users or are you using DNS filtering to block VPN services? Even if you block VPN services on the company’s network, how are you addressing it when the users are not onsite?

My main concern is users are bypassing many security controls (like content filtering, geo based restrictions) using browser VPNs like Hola.

Well to start off with, most VPN desktop software requires administrative privileges to install. We don’t give users those privileges. We also don’t permit them privileges to set up VPN types natively supported by the OS; regular users cannot edit network settings.

We also do not permit users to install browser extensions by policy. They would be unable to install the extension you mentioned either.

We also do not permit outbound traffic to just any old destination over any old protocol. If the VPN uses a protocol other than HTTPS such as OpenVPN, L2TP, WireGuard, etc., then it won’t be permitted out through the firewall. If the VPN tunnels over SSL, our web firewall that does TLS man in the middle will pick up the HTTPS destination as allowed, blocked, or uncategorized (default blocked).

There should be little way for your users to have an unauthorized VPN unless they get very creative on a well secured endpoint.
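The egress policy this reply describes (an allow-list of outbound protocols, well-known tunnel ports dropped, and TLS destinations categorized with uncategorized denied by default) can be expressed as a small classifier over firewall log lines. The following is an added example written for this thread, not code from the poster or from any firewall vendor; the log format, the hostnames and the category table are constructed for the example, while the port numbers are the protocols' well-known defaults.

```python
"""Egress allow-list check over constructed firewall log lines.

Models the policy described above: only a few protocols/ports may leave
the network, well-known tunnel ports are called out by name, and HTTPS
destinations are checked against a category table where an
uncategorized host is denied by default.
"""
import re
from dataclasses import dataclass

# Assumed log format (constructed for this example, not any vendor's):
# "proto=<udp|tcp> src=<ip> dst=<ip> dport=<port> sni=<hostname or ->"
LOG_RE = re.compile(
    r"proto=(?P<proto>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) sni=(?P<sni>\S+)"
)

# Well-known default ports for the tunnel protocols named in the thread.
VPN_PORTS = {
    ("udp", 1194): "OpenVPN", ("tcp", 1194): "OpenVPN",
    ("udp", 1701): "L2TP",
    ("udp", 51820): "WireGuard",
    ("udp", 500): "IPsec IKE", ("udp", 4500): "IPsec NAT-T",
}

# Egress allow-list: everything not listed here is denied at the perimeter.
ALLOWED_EGRESS = {("tcp", 80), ("tcp", 443), ("udp", 53)}

# Web-proxy category table for TLS destinations (constructed names).
# Any hostname not found here is "uncategorized" and denied by default.
CATEGORIES = {
    "intranet.example": "business",
    "vpn-provider.test": "vpn-proxy",
}
BLOCKED_CATEGORIES = {"vpn-proxy", "anonymizer"}


@dataclass
class Verdict:
    line: str
    allowed: bool
    reason: str


def categorize(host: str) -> str:
    """Suffix-match the host against the category table (longest label set first)."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORIES:
            return CATEGORIES[candidate]
    return "uncategorized"


def evaluate(line: str) -> Verdict:
    """Apply the egress policy to one log line and explain the decision."""
    m = LOG_RE.search(line)
    if not m:
        return Verdict(line, False, "unparseable line, denied")
    proto, dport, sni = m["proto"].lower(), int(m["dport"]), m["sni"]
    key = (proto, dport)
    if key in VPN_PORTS:
        return Verdict(line, False, f"{VPN_PORTS[key]} default port")
    if key not in ALLOWED_EGRESS:
        return Verdict(line, False, f"{proto}/{dport} not on egress allow-list")
    if key == ("tcp", 443):
        # TLS: the inspecting proxy decides on the destination hostname.
        cat = categorize(sni) if sni != "-" else "uncategorized"
        if cat in BLOCKED_CATEGORIES or cat == "uncategorized":
            return Verdict(line, False, f"TLS destination category '{cat}'")
        return Verdict(line, True, f"TLS destination category '{cat}'")
    return Verdict(line, True, "allowed protocol/port")


# Constructed sample log lines (private/documentation address ranges only).
SAMPLE_LOG = [
    "proto=udp src=10.0.0.5 dst=203.0.113.10 dport=1194 sni=-",
    "proto=udp src=10.0.0.6 dst=203.0.113.11 dport=51820 sni=-",
    "proto=tcp src=10.0.0.7 dst=203.0.113.12 dport=443 sni=gw.vpn-provider.test",
    "proto=tcp src=10.0.0.8 dst=203.0.113.13 dport=443 sni=portal.intranet.example",
    "proto=tcp src=10.0.0.9 dst=203.0.113.14 dport=443 sni=-",
    "proto=tcp src=10.0.0.10 dst=203.0.113.15 dport=8443 sni=-",
    "proto=udp src=10.0.0.11 dst=10.0.0.53 dport=53 sni=-",
]


def run(lines=SAMPLE_LOG):
    """Evaluate every line; returns the list of verdicts for review."""
    return [evaluate(line) for line in lines]


if __name__ == "__main__":
    for v in run():
        print("ALLOW" if v.allowed else "DENY ", v.reason, "|", v.line)
```

Only the fourth and last sample lines pass; the OpenVPN, WireGuard and non-allow-listed ports are denied before any category lookup, and a TLS connection with no usable hostname falls into the uncategorized (default deny) bucket exactly as the reply describes.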

This is a management/HR/legal question largely. You need buy in from the leadership of the company to have a policy that it’s not allowed, and they need to have real consequences in the policy (i.e. escalating penalties up to termination if it keeps happening).

In terms of technical methods, first users shouldn’t have local admin rights. Second, you should have some kind of management tool that can report software that gets installed and then look for endpoints that get a VPN client. Filtering on the network side is a little more difficult, especially if you’re looking to block people doing this while outside the office.
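The "report software that gets installed and look for endpoints that get a VPN client" step works from whatever inventory the management tool exports, and it also covers users who are off the corporate network, since the inventory comes from the agent rather than from perimeter filtering. The following is an added example, not the poster's code or any management product's API: it diffs two inventory snapshots and flags products that look like VPN clients, ignoring the company's own standardized client. The snapshot format, the endpoint names, the product names and the name patterns are all constructed assumptions.

```python
"""Flag endpoints whose software inventory gained a VPN client between two
snapshots.

The snapshot shape ({endpoint: set of installed product names}) and every
name below are constructed for this example; real inventory exports will
need a small adapter to this shape.
"""
from __future__ import annotations

import re

# Name patterns that suggest a VPN or tunnel client (assumed list; extend it
# with the products you actually see in your own inventory).
VPN_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"vpn", r"openvpn", r"wireguard", r"l2tp", r"tunnel")
]

# The company's own standardized client, which is allowed everywhere.
APPROVED_CLIENTS = {"Corp VPN Client"}


def is_vpn_client(product: str) -> bool:
    """True when the product name matches a VPN pattern and is not approved."""
    if product in APPROVED_CLIENTS:
        return False
    return any(p.search(product) for p in VPN_PATTERNS)


def new_vpn_installs(previous: dict, current: dict) -> dict:
    """Return {endpoint: [VPN-looking products that were not present before]}.

    Endpoints that appear for the first time are compared against an empty
    set, so a freshly enrolled device carrying a VPN client is reported too.
    """
    findings = {}
    for endpoint, products in current.items():
        before = previous.get(endpoint, set())
        added = sorted(p for p in products - before if is_vpn_client(p))
        if added:
            findings[endpoint] = added
    return findings


# Constructed snapshots: yesterday's and today's inventory.
PREVIOUS = {
    "LT-001": {"Office Suite", "Corp VPN Client"},
    "LT-002": {"Office Suite"},
}
CURRENT = {
    "LT-001": {"Office Suite", "Corp VPN Client"},
    "LT-002": {"Office Suite", "ExampleVPN Client", "Photo Viewer"},
    "LT-003": {"WireGuard"},
}


if __name__ == "__main__":
    for endpoint, products in new_vpn_installs(PREVIOUS, CURRENT).items():
        print(f"{endpoint}: new VPN client(s) {', '.join(products)}")
```

Running the script reports LT-002 (a user-installed client appeared) and LT-003 (a new device that already carries WireGuard) while LT-001, which only has the approved corporate client, stays quiet; the findings list is what you would hand to the HR process the earlier reply describes.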

You should have your own VPN users can log into. Third party VPNs should be blocked for sure.

Block it with your dns filtering solution. That is the easiest. Block the category.

Get with HR, management, anyone at the top to standardize a VPN solution on company owned devices, take away users’ ability to install their own software.

Absolutely have them sign a written network usage policy that states they are only allowed company approved apps to be installed and approved by IT. If they break the policy they will be dealt with by upper management.

Remove admin privileges. Block via OpenDNS.

Do you have a policy regarding use for work for laptops?

As others have said, corporate devices should have the corporate VPN solution only. Any concerns around privacy and security are fulfilled by a corporate VPN client.

BYOD devices are another matter, and a source of stress for me. I am fighting to get conditional access policies configured to take into account personal VPN usage on BYOD devices to ensure that those devices need to be hybrid joined before allowing ANY access to corporate data, and the device must also be ‘healthy’.

What lynx said. No user needs local admin. Period. Manage the workstations to allow only pre-approved software. User installed VPN services? Not a chance. That is all your IP walking out the door with you holding it open.

You will be the second most hated group at work. The first place belongs to the auditors. My motto, “I came to work to make money not friends”, will do you in good stead as you get booed at every zoom call or in person meeting :blush:.

Cyber security is paramount now. Access of least privilege for all users.

I disagree with the finality of “No user needs local admin.” Probably not standing local admin, but at least JIT or a way to elevate to local admin is absolutely required for some users like software developers or endpoint engineers.

Agreed there is always an exception to the rule. The developers are all in an isolated environment that is not able to initiate any calls to production. Admin level access is JIT. Any software is handed off to the software team and is installed from the software centre.

Heavily regulated industry and audits are an ongoing exercise with internal and external. Regulations seem to become more intrusive each review.