Remote Work Security: Key MSSP Focus Areas


The global COVID-19 pandemic has created huge disruptions to our economy and daily lives.

Author: Brendan Patterson, VP of product management, WatchGuard
Author: Brendan Patterson, VP of product management, WatchGuard

Over one third of the world population is in some form of lockdown, forcing a huge increase in the number of people that have been forced to work from home now. Many companies have had to make the transition rapidly. And like any major crisis, hackers are looking to exploit people’s insecurities for their own gain. It’s important for MSSPs to work with their existing customers and any new customers that are looking for help to make sure that there are no security holes in the new remote work environment.

Below I cover some of the technologies that underpin secure remote work environments.

Remote Access

Virtual Private Networks (VPNs) are used to provide a secure tunnel from remote locations back to central office. There are several different types of mobile or remote user VPN technology available to use. It’s important that MSSPs understand the pros and cons of each as they assist their customers:

  • IKEv2 is the newest version of the IPSec standard, and it the fastest option. Clients are included natively in Windows, Mac OS, iOS, and Android (strongswan) now. But some ports need to be open – UDP 500 and 4500.
  • IPSec VPN is not considered as secure because of a known aggressive mode vulnerability. I recommend that you configure a certificate instead of a pre-shared key with this option.
  • SSL VPN are probably the most widely used remote VPN, since no special ports need to be open. But they are not as fast as the IPSec based options.
  • L2TP is another option based on IPSec standard used mostly for legacy operating systems. I would not recommend this in new deployments.

With all the mobile VPN options, I recommend a default route tunnel where all of the traffic is tunneled back to the central firewall for full security inspection. Some firewall vendors sell additional VPN licenses with the firewall, whereas others include the full capacity of license with each model. Make sure that you understand your vendors’ policies in this area.

Avoid opening up Remote Desktop Protocol (RDP) directly to the internet. The internet is continuously being scanned for open port 3389 (the default RDP port). Open access will be attacked. Although most RDP clients are secured with TLS, username and password credentials alone are not secure. RDP should be protected with strong authentication and VPN solutions.

One popular option for RDP now is to use Clientless VPN solutions where just a browser is required to access the RDP session remotely over the internet.

Endpoint Security

Ensure that some form of endpoint security protection is enabled on devices used for work in the home. MSSPs should also educate users at their clients about security best practices. A regular newsletter with tips and tricks for secure remote working may be a good idea in these times. Include recommendations like changing default passwords on home routers. Where possible, users should segregate and keep the work computer separate from other devices in the home. Make sure that there are regular backups. Ransomware can easily target users working in the home environment.

Multi-Factor Authentication

Using stolen credentials to breach network resources is the #1 tactic that hackers use. By requiring additional proof of identity beyond a simple password, multi-factor authentication is the single most important safeguard to protect your business. MFA should be applied to logins to cloud hosted (SaaS) applications, and also to VPN access to corporate networks. All of the VPN options that I mention above can be secured with MFA. Look for solutions that can leverage existing smartphones instead of requiring the deployment of hardware tokens.

How Can We Help?

During these unprecedented times, many vendors are providing free services to help you better support your customers. WatchGuard is offering free 120-day trials of WatchGuard Passport which offers remote workers Cloud-based MFA and DNS-level protection for users while they’re at home. Learn more about Passport and our trial program here.

Guest blog by Brendan Patterson, VP of product management, WatchGuard. Read more WatchGuard guest blogs here.