Securing Remote Access While Protecting Against Encrypted Threats

Jay Kelley
Published May 18, 2020

As many non-essential businesses remain closed to help stop the spread of COVID-19, and employees and contractors continue to work from home or remotely for at least a few more weeks, organizations are beginning to shift their technology concerns from securing application access and maintaining user productivity toward application security.

At the same time, attackers continue to seek out opportunities while users work from home or remotely. As F5 CEO François Locoh-Donou rightly pointed out during F5’s recent quarterly earnings call, attackers prey on curiosity. They are probing how organizations are securing application and data access for their remote users, and they are exploiting interest in personal stimulus checks and in small business grants and loans through the Paycheck Protection Program (PPP). Combine this with the increased use of potentially vulnerable home networks, and of both business and personal devices on those networks, and attackers have many new opportunities to steal business and personal data.

What Today’s Threats Look Like

Phishing and spearphishing attacks have risen significantly as former office dwellers have shifted to working from home or remotely. The number of phishing websites has grown sharply during this time as well, and continues to grow, with many using COVID-19 misinformation or fake cures as a lure. Credential theft attacks have also exploded. Attackers are sending phony calendar and video conferencing invitations, some with titles like “HR – Layoff Discussion,” to frighten or entice users into clicking. The users then land on a convincing but fake login page, where their credentials are stolen. Ransomware continues unabated. And a new threat, videobombing, has emerged, where attackers insert themselves into video conferences to disrupt meetings, or even surreptitiously record private video conferences to steal sensitive corporate information.

So, corporate security operations (SecOps) and IT teams now need to secure remote access from virtually everywhere to applications and critical data, for nearly their entire workforce, almost overnight. At the same time, they must be aware that employees, contractors, and other personnel working from home may be reaching critical applications and data over easily compromised home networks.

Securing remote access helps alleviate some of those concerns. F5 BIG-IP Access Policy Manager delivers a secure remote access solution via SSL VPN. SSL VPN lets home-based and remote workers reach their corporate network through a TLS-encrypted tunnel. Traffic is encrypted in both directions, inbound and outbound, with the tunnel established using 2048-bit RSA keys. Every application or file that a home or remote worker accesses passes through that encrypted tunnel.

But what happens when a user opens a browser and visits a website while connected via VPN to the corporate network and applications? Or opens personal, web-based email and clicks a link in a message? How can SecOps or IT be sure that the user isn’t sending sensitive corporate data to that website inside an encrypted session that nothing on the network can see into? Or that the encrypted site the user reaches isn’t a malicious command-and-control (C2) server, waiting to trigger an advanced persistent threat (APT) already lying in wait on the network? Or that the encrypted website or web application isn’t delivering new, more insidious malware to launch on the network?

Protecting Customers and Their Employees

F5 SSL Orchestrator protects against encrypted threats. It provides a centralized point to decrypt and re-encrypt both incoming and outgoing encrypted traffic. According to F5 Labs, Chrome, the most widely used web browser, now fetches over 86% of web pages over HTTPS; Firefox loads pages over HTTPS 80.5% of the time on average.

Attackers take advantage of this by hiding malware and other malicious payloads in encrypted traffic. While several solutions in an organization’s security stack can decrypt traffic, those devices were never designed for the computationally intensive task of decrypting and then re-encrypting it, so they often cannot support or enforce the security capabilities they were purchased for in the first place. Such devices may simply fail when trying to decrypt traffic, may let traffic bypass inspection entirely, or may not support the latest protocol versions and ciphers, any of which increases the chance of threats entering the network. Moreover, if the security devices are run in sequence, daisy-chained one after another, there is a risk that when one device breaks down, goes offline, or is being replaced, traffic again passes uninspected because a link in the chain has been broken.

F5 SSL Orchestrator enables SecOps and IT to design dynamic service chains, so that only the security solutions needed for a given traffic type inspect the decrypted traffic, as determined by SSL Orchestrator’s contextual policy engine. SSL Orchestrator decrypts the flow, steers it to the appropriate service chain, where the existing security solutions earmarked for that traffic inspect it, and then receives it back for re-encryption before forwarding it on.
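To make the steering decision concrete, here is an added illustration, written for this page and not code from F5 or SSL Orchestrator: it parses the server name (SNI) out of a raw TLS ClientHello, classifies the destination, and selects an inspection chain. The use of SNI as the classification signal, the category table, the chain definitions and the service health map are all assumptions made for the example; the ClientHello it parses is constructed inline. It also shows the two failure modes the text warns about handled deliberately: a flow that cannot be classified still goes through the full default chain, and a chain with a member that is down blocks rather than silently letting traffic bypass inspection.

```python
"""Policy-driven TLS inspection steering (illustrative, not an F5 API).

Parses the SNI from a TLS ClientHello record and picks a service chain.
Category table, chains and service health below are constructed for the example.
"""
import struct
from typing import Dict, List, Optional


def parse_sni(record: bytes) -> Optional[str]:
    """Return the server_name carried in a TLS ClientHello record, or None."""
    # TLS record header: content type (0x16 = handshake), version, length
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    # Handshake header: type (0x01 = ClientHello), 3-byte length
    if len(body) < 4 or body[0] != 0x01:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                                   # client_version + random
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                          # session_id
    if len(hello) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                          # compression_methods
    if len(hello) < pos + 2:
        return None                                # no extensions block
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        edata = hello[pos:pos + elen]
        pos += elen
        if etype == 0x0000:                        # server_name extension
            # ServerNameList length (2), name_type (1), name length (2), name
            if len(edata) < 5 or edata[2] != 0:
                return None
            nlen = struct.unpack("!H", edata[3:5])[0]
            if len(edata) < 5 + nlen:
                return None
            return edata[5:5 + nlen].decode("ascii", "replace")
    return None


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI extension (test input only)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name entry
    ext_data = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0x0000, len(ext_data)) + ext_data
    hello = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                  # version, random, empty session id
             + struct.pack("!H", 2) + b"\xc0\x2f"                  # one cipher suite
             + b"\x01\x00"                                          # one compression method (null)
             + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed policy data (assumptions for the example, not real categorisation feeds).
CATEGORIES: Dict[str, str] = {
    "bank.example": "finance",
    "mail.example": "webmail",
    "intranet.corp.example": "internal",
}
CHAINS: Dict[str, List[str]] = {
    "webmail": ["dlp", "av", "ids"],    # personal webmail: data-loss, anti-malware, IDS
    "internal": ["ids"],
    "default": ["av", "ids"],
}
ALL_UP: Dict[str, bool] = {"dlp": True, "av": True, "ids": True}


def steer(record: bytes, service_up: Optional[Dict[str, bool]] = None) -> dict:
    """Decide whether to decrypt a flow and which service chain must inspect it."""
    health = service_up if service_up is not None else ALL_UP
    sni = parse_sni(record)
    if sni is None:
        # Unclassifiable (no SNI, e.g. encrypted ClientHello): fail closed into the full chain
        return {"sni": None, "decrypt": True, "chain": CHAINS["default"], "action": "inspect"}
    category = CATEGORIES.get(sni, "uncategorized")
    if category == "finance":
        # Privacy/regulatory exemption: leave encrypted, but log the flow metadata
        return {"sni": sni, "decrypt": False, "chain": [], "action": "bypass-logged"}
    chain = CHAINS.get(category, CHAINS["default"])
    down = [svc for svc in chain if not health.get(svc, False)]
    if down:
        # A broken link in the chain must never become an uninspected path
        return {"sni": sni, "decrypt": True, "chain": chain, "action": "block", "down": down}
    return {"sni": sni, "decrypt": True, "chain": chain, "action": "inspect"}
```

Two practical caveats the example makes visible: outbound decryption only works if endpoints trust the inspection CA, so pinned applications and regulated destinations need an explicit bypass policy like the finance case above; and once SNI is encrypted (ECH) or absent, classification has to fall back on other context such as destination IP reputation or the user’s identity, which is why the unclassified branch defaults to full inspection rather than bypass.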

Combining BIG-IP APM and SSL Orchestrator lets organizations secure access to their network, applications, and data for employees, contractors, and other users now working from home or remotely. Once those users are connected, the same solutions guard against them intentionally or inadvertently exfiltrating sensitive data, communicating with command-and-control servers, or downloading malware hidden within encrypted traffic delivered via phishing or other attack methods. Simply put, F5 enables and secures apps, and access to them, from anywhere.

For more information on F5 BIG-IP APM, please click here.

For more information on F5 SSL Orchestrator, please click here.