
A technical view of the options for organizations whose workers need to work remotely, and how to think about the role of VPNs and SBCs.

Work From Home (WFH) will be the new normal on the other side of Covid-19, not because the pandemic would recur but because of the huge cost savings it brings to many organizations. Already, many organizations with offices in major metropolitan cities like Mumbai, Delhi, Bangalore, Chennai, Pune etc., where real estate is expensive or getting expensive, are evaluating the benefits and cost saving of remote working.

Remote Working Considerations

Covid-19 has changed how we look at the office and remote working.

As part of its earnings announcement for the end of FY20, Tata Consultancy Services (TCS) made a revelation that in the future, it believes that it doesn’t need to have more than 25% of its workforce at its offices to have 100% productivity. This would mean that 75% of TCS’ workforce could be working from home by 2025.
(Taken from an article published in the newspaper)

While there are many remote worker policy considerations, the most important element of a successful remote worker program is collaboration: the ability to collaborate with co-workers and customers securely, safely, effectively and without compromising corporate policies, using secure collaboration tools.

The Session Initiation Protocol, or SIP, is the underlying foundation of voice, video, voicemail and chat applications. It is a clear text protocol and is vulnerable to attacks. A bad actor, whether internal or external, could commit toll fraud or hijack a conference call to steal, or a prankster could break in for vicarious pleasure. Regardless, preempting embarrassments with proper collaboration security housekeeping and maintaining good collaboration hygiene is essential.

Another 3-letter word that complements SIP is SBC. A Session Border Controller, which is a fancy name for a SIP firewall, also includes a SIP stack and other SIP functionality. The SBC terminates SIP sessions from users – remote or otherwise. It is deployed on the network edge and is public facing. Bad guys target the SBC first to gain access to enterprises’ private networks. Therefore, securing the SBC is vital.

A remote worker would typically use a VPN client to access corporate resources. It could be configured to support split tunnel, which means the VPN client forks traffic in two directions: SIP goes over the top (internet) and corporate traffic goes over the VPN tunnel. Alternatively, the remote worker's VPN client can be configured to direct all traffic via VPN to the corporate network; that is, split tunnel is disabled. While that may be a viable and secure model, it can add appreciable load to the corporate network. This is covered in more detail in subsequent sections.

Now that the network access is ready, it is important to ensure that the remote worker's SIP client supports TLS 1.2 (Transport Layer Security) for SIP signaling and SRTP (Secure Real-time Transport Protocol) for media. Examples of SIP clients are the Webex and Zoom desktop or mobile applications.
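One way to check the two requirements above on a captured or logged SIP INVITE, as an added example that is not from the original article: it verifies that the Via header names TLS as the transport and that every active media stream in the SDP offers an SRTP profile with keying attributes. The function name and sample messages are assumptions constructed for illustration; the TLS version itself is negotiated in the handshake and must be checked on the connection, not in the message.

```python
# Added example. The INVITE below is a constructed sample, not a real capture.
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def audit_invite(message: str) -> list[str]:
    """Return findings; an empty list means signaling and media look protected."""
    head, _, sdp = message.replace("\r\n", "\n").partition("\n\n")
    findings = []
    # Signaling: the topmost Via header names the transport used on this hop.
    via = next((l for l in head.split("\n") if l.lower().startswith(("via:", "v:"))), None)
    if via is None:
        findings.append("no Via header found")
    else:
        # "Via: SIP/2.0/TLS host:port;branch=..." -> "TLS"
        transport = via.split(":", 1)[1].split()[0].split("/")[-1].upper()
        if transport != "TLS":
            findings.append(f"signaling transport is {transport}, not TLS")
    # Media: split the SDP into session-level lines and one list per m= section.
    session, sections = [], []
    for line in sdp.split("\n"):
        if line.startswith("m="):
            sections.append([line])
        else:
            (sections[-1] if sections else session).append(line)
    if not sections:
        findings.append("no media sections in SDP")
    for sec in sections:
        media, port, proto = sec[0][2:].split()[:3]
        if port == "0":
            continue  # port 0 means the stream is disabled
        if proto.upper() not in SECURE_PROFILES:
            findings.append(f"{media} uses {proto}, not an SRTP profile")
        elif not any(l.startswith(("a=crypto:", "a=fingerprint:")) for l in sec + session):
            findings.append(f"{media} offers {proto} without SRTP keying attributes")
    return findings

SECURE_INVITE = (  # constructed sample
    "INVITE sips:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS client.example.com:5061;branch=z9hG4bKexample\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\no=alice 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
    "m=audio 49170 RTP/SAVP 0\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER-KEY\r\n"
)
# Same message downgraded to cleartext signaling and plain RTP.
PLAIN_INVITE = SECURE_INVITE.replace("2.0/TLS", "2.0/UDP").replace("RTP/SAVP", "RTP/AVP")

if __name__ == "__main__":
    print(audit_invite(SECURE_INVITE))
    print(audit_invite(PLAIN_INVITE))
```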

The rest of this article addresses remote working considerations using representative collaboration deployments. It highlights networking and security issues for each deployment model.

Use Case 1: On-Premise Collaboration

In the pre-COVID world, most enterprises deployed EVERYTHING, including their collaboration suite, on-premise. For example, they'd have a PBX for voice, a voicemail and chat server for instant messaging, and Webex Meeting Server for video conferencing. All on-premise deployments were managed by corporate IT, which was responsible for overall security, including collaboration (SIP) security.

The only way for a remote worker to access corporate resources is via VPN, using a pre-authorized corporate device like a laptop or a mobile phone (see illustration above). A variation might be that signaling for collaboration and all corporate apps would be on VDI, while media goes via SBC. VPN client ‘split-tunneling’ would be sacrilege and therefore not typically allowed.

This model was deliberately designed to be restrictive and overbearing. In the pre-COVID days, for example, only a salesperson on the road would be authorized to access the corporate network; the rest were expected to work on the corporate campus — using the corporate intranet.

COVID-19 has rendered this model unwieldy for remote workers. It is expensive, unscalable, and untenable on several fronts, where:

  • Corporate IT has to deploy and scale up its VPN capacity manifold to meet remote worker demand. After that, it has to care for and feed the new VPN service to ensure no loss in worker productivity.
  • Corporate security teams have a daunting task of ensuring that corporate resources are safe and secure with the sudden assault from “outsiders”.
  • Corporate finance is stung by the mounting CAPEX and OPEX expenditure for the new in-house remote access gear.
  • Corporate legal is scrambling to reevaluate policies and procedures for remote access.
  • And lastly, the poor remote worker has to adapt to the new post COVID-19 work model but pretend nothing changed.

While VPN tends to be the default technology for remote worker access, it is not a good choice for collaboration (SIP). SIP over VPN is akin to encapsulating protocols within protocols, with layers of encryption. When this VPN onion is unpeeled and decrypted protocol by protocol and layer by layer to retrieve the SIP packet, you'd have inevitably introduced QoS problems such as jitter and latency into the real time communication; user experience and worker productivity suffer. This is exactly why split-VPN can be a good idea: take the voice and real time traffic over the SBC while leaving corporate apps on VPN.
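The split-tunnel behaviour described here and in the VPN client discussion earlier can be checked against a client's route table, as in this added example (not from the original article). It uses longest-prefix matching to decide whether a destination leaves via the tunnel or over the top, then compares that with policy; the route tables, addresses and interface names are constructed assumptions.

```python
# Added example. Prefixes and addresses are constructed (private/documentation ranges).
import ipaddress

def next_hop(dest, routes):
    """Longest-prefix match: return the interface ('vpn' or 'internet') for dest."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise ValueError(f"no route to {dest}")
    return best[1]

def audit_policy(routes, expectations):
    """List every destination whose actual path differs from the intended one."""
    return [f"{name} ({dest}) goes via {got}, expected {want}"
            for name, dest, want in expectations
            if (got := next_hop(dest, routes)) != want]

# Intended policy: real time traffic reaches the SBC over the top,
# corporate applications stay inside the tunnel.
EXPECT = [("SBC", "203.0.113.20", "internet"),
          ("intranet app", "10.20.30.40", "vpn")]

SPLIT_TUNNEL = [("0.0.0.0/0", "internet"), ("10.0.0.0/8", "vpn")]
FULL_TUNNEL = [("0.0.0.0/0", "vpn")]  # split tunnel disabled
# A more specific route that accidentally bypasses the tunnel for a corporate subnet.
LEAKY_SPLIT = SPLIT_TUNNEL + [("10.20.0.0/16", "internet")]

if __name__ == "__main__":
    for label, table in [("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL),
                         ("leaky", LEAKY_SPLIT)]:
        print(label, audit_policy(table, EXPECT))
```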

Use Case 2: Single-Cloud Collab Vendor (e.g. Webex/Zoom/Microsoft)

This is a straightforward win-win deployment model. The enterprise and the collaboration cloud are directly connected via a private network such as SD-WAN, VPN or MPLS technologies. The remote worker uses a split tunnel VPN client to access the collaboration cloud and corporate resources. To the campus worker this model is largely transparent albeit with a better cloud collaboration user experience.

Corporate IT can rest assured that collaboration cloud providers leverage tools like Assertion's CollabSecure to prevent toll fraud, phishing etc. in near real time.

In conclusion, this model is secure, cost effective, scalable and excellent for remote work productivity and user experience.

Use Case 3: Multi-Cloud Collab Vendor

This model uses the best of breed collaboration cloud providers. For example, Zoom for conferencing, RingCentral for voice and Slack for team chat. The enterprise and the collaboration cloud providers are directly connected via a private network such as SD-WAN, VPN or MPLS technologies. The remote worker uses a split tunnel VPN client to access the collaboration clouds and corporate resources. To the campus worker this model is largely transparent, albeit with a better cloud collaboration user experience.

From a security standpoint, the attack surface is 3x that of the single vendor cloud collaboration provider. However, it is expected that each one of these collaboration cloud providers uses security tools, such as Assertion's CollabSecure, to address SIP security.

Another big win of a "split VPN" model is that people who just want to be on the phone, or whose enterprise phone has to be connected always, do not need to connect to the VPN. This leads to better security, because the fewer the devices on the network, or the less time remote devices spend on the network, the more secure the network becomes.

In conclusion, this model is secure, cost effective, scalable and excellent for remote work productivity and user experience.

Summary

If collaboration and collaboration tools are the bane of the post-COVID-19 remote worker, then instead of trying to force fit yesterday's network access technology into tomorrow's problem, enterprises should consider a simple but radically different approach to remote worker access. Let remote workers connect Over-The-Top, from anywhere with any device. Strengthen and invest in remote worker authorization and authentication technology with Single Sign-On and an identity provider. Beef up collaboration (SIP) security with modern, continuous, proactive real time tools that monitor, alert and report before issues become headline news. This is the best one can do for remote workers' user experience and productivity as they struggle to survive and preserve their precious jobs, families and livelihood.
