Companies have implemented unprecedented global work/learn-from-home policies, making VPN gateways a critical business lifeline. After all, employees that cannot access key business applications cannot do their jobs. But this crucial link is also vulnerable to distributed denial of service (DDoS) attacks, as noted in a recent joint statement from the United States Department of Homeland Security and the United Kingdom’s National Cyber Security Centre. Indeed, even the smallest DDoS attack now poses a significant threat to bandwidth-saturated gateways. To build a truly robust VPN support strategy, IT teams must protect this vulnerable access point from cyber attackers. That means building DDoS protection into their plans from the outset.
Here’s what NETSCOUT recommends:
- Take advantage of built-in protection. Major software-as-a-service (SaaS) providers often already have DDoS protection to maintain the availability of their services, so whenever possible, use SaaS-based services for things such as everyday business applications, content sharing, collaboration, and communications.
- Double check that you are using the best current practices (BCPs). Implementing BCPs for network infrastructure, servers, and services such as DNS is key to building in attack resilience. For starters, make sure you’ve deployed intelligent DDoS mitigation systems to protect all public-facing servers, services, applications, data, and support infrastructure such as remote access technology against DDoS attacks.
- Use dedicated internet transit links for VPNs. Using links not associated with components such as DNS servers and public-facing websites can cut down on the likelihood that events such as DDoS attacks will prevent remote security operational IT from responding when their skills are needed the most.
- Use remote-access integration. Make sure that remote-access mechanisms are integrated with the organization’s authentication, authorization, and accounting systems, and require the use of multi-factor authentication (MFA) technologies for user access.
- Get smart about DNS naming. Many attackers do their homework before launching targeted DDoS attacks, so don’t make their jobs easier by doing something like using the string “vpn” in DNS resource records for VPN concentrators. Instead, choose a DNS naming convention that provides useful information to operational personnel while keeping attackers in the dark about key functional areas.
Hildebrand is a senior strategic marketing writer at NETSCOUT.
- Business Continuity