Availability in the Time of COVID-19
The self-quarantine and social distancing guidance provided by governments around the world in response to the COVID-19 pandemic is leading to a rapid and wholesale switch to remote work for many organizations and significant populations of their employees worldwide. To varying degrees, organizations have been accommodating and even encouraging remote workforce participation for many years; however, relatively few sizable organizations have been forced to contend with a large majority of their employees simultaneously accessing internal resources remotely over extended periods of time.
Institutions which have already been in the sights of attackers for years — governmental agencies, healthcare organizations, financial institutions, online gaming providers, schools and universities — will in many cases see an increase in attacks intended to disrupt their core business functions. Likewise, many more regionally-focused entities which rely heavily upon online services for the operation of their businesses will also likely face additional risk as bad actors both think and attack locally.
And over the last several weeks, it has become apparent that as increasing numbers of organizations (including schools and universities) have curtailed or suspended in-person activities, both inadvertent outages caused by increased demand for online services and deliberate DDoS attacks against the Internet properties of governments, enterprises, online gaming providers, food delivery networks, et al. have occurred with increasing prominence. In particular, as the population of those working and learning from home increases dramatically in the coming weeks, attackers for the first time have the potential to disrupt not only the public-facing Internet properties of enterprise organizations, but also the daily workplace routines of hundreds of thousands of employees who are dependent upon remote access solutions such as VPNs to perform critical job functions.
This increase in the importance of remote access capabilities to all types of organizations means that it is imperative that they work to ensure that all elements of their remote access infrastructure are protected against DDoS attacks. While every organization must take into account its own particular requirements, the following list of best current practices (BCPs) for remote access infrastructure is intended to provide additional guidance on how to maximize the availability of remote access capabilities even as their importance increases by orders of magnitude.
Best Current Practices (BCPs) for Resilient Remote Access
- Whenever practicable, consider making use of cloud-/SaaS-based solutions for common functionality such as office productivity suites, file and content sharing, online collaboration and communications, etc. Many major providers of these solutions have implemented scalable, high-availability solutions which include robust DDoS mitigation capabilities.
- Implement self-protection best current practices (BCPs) for network infrastructure/server/service elements in order to increase their resilience to attack. Ancillary supporting services such as DNS should be designed and implemented in a scalable, distributed, and compartmented manner.
- For remote-access infrastructure, devise and implement situationally-appropriate network access policies in order to ensure that only relevant network traffic types are allowed to reach VPN concentrators, remote-access ‘jump boxes’, et al. For example, the network access policy for a generic SSL/TLS-based VPN concentrator will resemble that for an SSL/TLS-based Web server, with some variations. Likewise, an IPSEC-based remote access VPN concentrator will require a network policy which supports the relevant protocols necessary for its operation, and these differ in substantial detail from those of an SSL/TLS-based system. And for fixed site-to-site VPNs, CIDR-based network access policies should also be implemented.
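The three policy shapes described in this item, encoded as an added example (not Netscout Arbor code) that evaluates constructed flow records against each concentrator type so that traffic outside the policy stands out; the protocol numbers are the standard IANA values, while the peer prefixes and flow records are constructed placeholders using documentation address space.

```python
"""Evaluate flow records against per-concentrator network access policies."""
import ipaddress
from typing import NamedTuple

# IANA protocol numbers as they appear in flow telemetry.
TCP, UDP, ESP = 6, 17, 50

class Flow(NamedTuple):
    src: str
    proto: int
    dport: int  # 0 for protocols without ports (ESP)

# Each policy: allowed (proto, dport) pairs plus an optional source CIDR list.
# sources=None means any source, as for roaming remote-access users.
POLICIES = {
    # SSL/TLS VPN concentrator: same shape as a TLS web server.
    "ssl_vpn": {"allow": {(TCP, 443)}, "sources": None},
    # IPsec remote-access concentrator: IKE, NAT-T and ESP from anywhere.
    "ipsec_ra": {"allow": {(UDP, 500), (UDP, 4500), (ESP, 0)}, "sources": None},
    # Fixed site-to-site IPsec: same protocols, only from known peer prefixes
    # (constructed placeholder prefixes).
    "site_to_site": {"allow": {(UDP, 500), (UDP, 4500), (ESP, 0)},
                     "sources": ["198.51.100.0/24", "203.0.113.8/32"]},
}

def permitted(policy_name: str, flow: Flow) -> bool:
    """True if the flow matches the named concentrator's access policy."""
    policy = POLICIES[policy_name]
    key = (flow.proto, flow.dport if flow.proto in (TCP, UDP) else 0)
    if key not in policy["allow"]:
        return False
    if policy["sources"] is None:
        return True
    src = ipaddress.ip_address(flow.src)
    return any(src in ipaddress.ip_network(c) for c in policy["sources"])

def unexpected(policy_name: str, flows: list) -> list:
    """Flows that reached the concentrator but fall outside its policy."""
    return [f for f in flows if not permitted(policy_name, f)]

# Constructed flow records (documentation prefixes, not real traffic).
SAMPLE = [
    Flow("192.0.2.10", TCP, 443),    # legitimate TLS VPN session
    Flow("192.0.2.11", UDP, 53),     # UDP/53 is not a VPN protocol
    Flow("192.0.2.12", UDP, 4500),   # NAT-T, only valid for IPsec types
    Flow("198.51.100.7", ESP, 0),    # ESP from a known site-to-site peer
    Flow("192.0.2.13", ESP, 0),      # ESP from an unknown source
]

if __name__ == "__main__":
    for name in POLICIES:
        print(name, [f.src for f in unexpected(name, SAMPLE)])
```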
- Integrate remote access mechanisms with the organization’s AAA systems, and require the use of 2FA technologies for user access.
- Implement sensible per-session bandwidth (bps) and throughput (pps) quotas on remote access sessions.
- Ensure that remote access session termination capacity, bandwidth, and throughput are horizontally scalable so that they can be supplemented as demand warrants.
- Develop, evangelize, and enforce situationally-appropriate acceptable use policies (AUPs) for personnel working remotely. In particular, given the prevalence of DDoS attacks related to online gaming, organizations should strongly consider disallowing playing online games while making use of VPNs or other remote-access capabilities.
- Whenever possible, make use of split-tunneling remote access policies so that non-organizationally-related Internet traffic is not routed through the organization’s remote access infrastructure.
- Deploy remote access infrastructure on dedicated Internet transit links which are not conflated with public-facing Web properties, DNS servers, campus LAN access network traffic, and other applications. This is critical in order to lessen the likelihood of potentially availability-impacting events such as DDoS attacks impeding the ability of remotely-working security and other operational personnel to respond when their skills are needed the most.
- Organizations with significant geographically-concentrated employee populations should determine the most prevalent wireline and wireless broadband access providers utilized by employees in each region (simply parsing VPN concentrator logs is a good way to gain useful insight in this regard), and consider ‘paid peering’ with those broadband providers for unique CIDR blocks allocated solely for remote access infrastructure. This type of limited-scope peering arrangement can result in substantial gains in terms of remote access network performance, easier resolution of reported connection difficulties, and a decreased DDoS attack surface for remote access infrastructure due to limiting the number, scope and depth of networks which legitimate remote access traffic must traverse in order to provide remote connectivity to employees.
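The log-parsing step suggested above, as an added example that is not Netscout Arbor code: it counts VPN session starts per region and maps client addresses to access providers by longest-prefix match. The log line format, the region field and the prefix-to-provider table are constructed placeholders (documentation address space); a real deployment would use the concentrator's actual log format and a prefix table derived from BGP or whois data.

```python
"""Rank the access providers seen in VPN concentrator logs, per region."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed prefix -> provider table (documentation prefixes only).
PROVIDER_PREFIXES = {
    ipaddress.ip_network("192.0.2.0/25"): "provider-a",
    ipaddress.ip_network("192.0.2.128/25"): "provider-b",
    ipaddress.ip_network("198.51.100.0/24"): "provider-c",
}

# Constructed session records in a hypothetical concentrator log format.
SAMPLE_LOG = """\
2020-03-20T08:01:12Z gw1 session-start user=alice client=192.0.2.45 region=EMEA
2020-03-20T08:01:40Z gw1 session-start user=bob client=192.0.2.77 region=EMEA
2020-03-20T08:02:05Z gw1 session-end user=carol client=192.0.2.200 region=EMEA
2020-03-20T08:03:19Z gw2 session-start user=dave client=192.0.2.201 region=EMEA
2020-03-20T08:04:00Z gw2 session-start user=erin client=198.51.100.9 region=AMER
2020-03-20T08:04:31Z gw2 session-start user=frank client=203.0.113.4 region=AMER
"""

LINE_RE = re.compile(
    r"session-start user=\S+ client=(?P<ip>[\d.]+) region=(?P<region>\S+)")

def provider_for(ip: str) -> str:
    """Longest-prefix match against the provider table; 'unknown' if none."""
    addr = ipaddress.ip_address(ip)
    matches = [n for n in PROVIDER_PREFIXES if addr in n]
    if not matches:
        return "unknown"
    return PROVIDER_PREFIXES[max(matches, key=lambda n: n.prefixlen)]

def providers_by_region(log_text: str) -> dict:
    """Count session starts per region and provider (session-end lines skipped)."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            counts[m["region"]][provider_for(m["ip"])] += 1
    return dict(counts)

def top_providers(log_text: str, n: int = 2) -> dict:
    """Most prevalent providers per region: the candidates for paid peering."""
    return {r: c.most_common(n) for r, c in providers_by_region(log_text).items()}

if __name__ == "__main__":
    print(top_providers(SAMPLE_LOG))
```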
- Regionalized remote access network infrastructure can help distribute Internet and Intranet network loads related to remote access, while at the same time ensuring increased resilience to attack or other potential service interruptions.
- Implement scalable network visibility tools which make use of flow telemetry exported from Internet transit edge routers. Netscout Arbor Sightline is a commercial solution which provides DDoS attack detection, classification, and traceback, as well as network traffic analysis for peering, capacity planning, and troubleshooting applications. There are also flow telemetry-based open-source tools available which can provide useful functionality on limited budgets, and also allow organizations to gain valuable operational experience which is useful in evaluating potential commercial solutions as budgeting and business cycle considerations allow.
- Implement packet-level network visibility tools within the public-facing network infrastructure in order to provide complementary microanalytical capabilities, when appropriate.
- Given the propensity of more sophisticated attackers to perform detailed reconnaissance prior to launching DDoS attacks against targeted organizations, consider implementing a DNS naming convention which provides useful information to operational personnel, but which does not provide attackers insight into key functional areas. In particular, avoiding use of the string ‘vpn’ in DNS resource records (RRs) for VPN concentrators should be considered.
- Ensure that all public-facing servers, services, applications, data, and ancillary supporting infrastructure — including remote access elements — are protected against DDoS attacks via commercial DDoS mitigation services, organic intelligent DDoS mitigation systems (IDMSes) such as Netscout Arbor TMS and AED, or hybrid solutions incorporating both on-premise and upstream mitigation capabilities.
- For organizations which have yet to implement IPv6, a pilot project to provide remote access via IPv6 may be a good way to gain valuable operational experience in a limited-scope environment. Given the increase in IPv6 support among both wireline and wireless broadband access providers, as well as broad IPv4/IPv6 feature parity for both commercial and open source remote access solutions, many of the perceived challenges to deploying an IPv6-enabled remote access capability have been minimized or eliminated entirely. Note that all relevant BCPs for network infrastructure and servers/services/applications should be implemented for IPv6 just as for IPv4, as well as support for IPv6 in ancillary supporting services such as DNS.
AIF-entitled Netscout Arbor Threat Mitigation System (TMS) customers will receive access to example AIF Templates illustrating BCPs for protecting both SSL-/TLS- and IPSEC-based remote access VPN concentrators against DDoS attacks. As always, we recommend that AIF Template countermeasure settings be modified in a situationally-appropriate manner in order to ensure optimal availability of protected assets.
The ability to successfully deliver applications, services, data, and content under adversarial Internet conditions has rapidly become the single most mission-critical function for entire classes of organizations which have until recently viewed their online presences as being of merely secondary importance. The good news is that in lockstep with this profound broadening and deepening of the importance of the online economy, Internet-scale defenses are both widely available and within the reach of organizations of every size, locale, and category; and we at Netscout Arbor remain committed to working to increase the security and stability of the Internet as a whole, for the benefit of all.
- Arbor Networks - DDoS Experts