The COVID-19 outbreak has disrupted “business as usual” for organizations across the world. For communications service providers, and other organizations designated as essential, the requirement to remain open and to continue offering essential services may conflict with the desire to be a good citizen and help to slow the spread of the outbreak.
One broadband and hosting provider and managed security services provider (MSSP) had no telework program prior to the COVID-19 pandemic. However, by leveraging an existing investment in Fortinet solutions, this organization managed to transition over 2,000 employees to remote work in a few days with no additional capital expenditure (CapEx).
Leveraging Existing Solutions to Secure a Remote Workforce
The telecommunications provider already had FortiGate next-generation firewalls (NGFWs) deployed on the corporate network, primarily for outbound connectivity. With no previous work-from-home policy, the organization was accustomed to handling fewer than 20 inbound virtual private network (VPN) connections per day. Suddenly, it needed to provide more than 2,000 employees with a secure connection to the corporate network.
Enabled by Fortinet’s Security-Driven framework, a FortiGate NGFW can also act as a VPN aggregator powered by a custom network processor, enabling it to terminate inbound VPN connections at high volume and with an industry-best connections-per-second rate. It can also perform deep packet inspection and identify malware and other threats with its integrated web filtering, application control, intrusion prevention, network-based antivirus, DNS filtering, and other unified threat management features, all powered by an additional, custom-designed content processor that enables performance metrics many times greater than competitive solutions. This meant that the telecommunications organization already had not only the protection needed to encrypt and inspect data in transit, but also advanced Layer 7 security designed to prevent cyberattacks by leveraging the hardware acceleration provided by Fortinet’s industry-first security processing units (SPUs).
The free FortiClient endpoint protection software provided the other half of the solution. Employees could install the client software on either business or personal devices and use it to create an encrypted connection to the enterprise network. This free client combined with the innate capabilities of their existing FortiGate solution enabled the organization to rapidly roll out VPN connectivity to its entire workforce without incurring any additional costs.
One unforeseen challenge was that many employees’ home ISPs blocked non-standard ports on their Internet connections, so an IPsec VPN was not a viable option for remote work. Fortunately, FortiClient also supports SSL VPN connectivity, enabling all traffic to be routed over port 443, which is not subject to the same restrictions.
The FortiClient software also enabled the organization to solve issues with telephone connectivity. Employees working away from their desks had trouble reaching one another by phone, since they did not have each other’s personal phone numbers. By transitioning to softphones, with traffic routed over their VPN connections, these employees now have access to the full capabilities of their business phone system. At the same time, the organization could be confident in the security of this new virtual phone system, as all telephone traffic is now inspected and secured by FortiGate NGFWs.
Maintaining Compliance While Working Remotely
Transitioning to remote work due to COVID-19 or similar events does not excuse an organization from its obligations to data protection regulations or contracts. By leveraging the capabilities built into its existing Fortinet solutions, however, the telecommunications provider was able to continue to meet compliance and contractual requirements despite now supporting a mostly remote workforce.
Guidance from the Payment Card Industry Security Standards Council (PCI SSC) on remote work requirements focuses on controlling access to devices and communications channels carrying sensitive data. The main requirements are that an organization deploy multi-factor authentication (MFA), have a firewall in place, use a VPN, and restrict access to parts of the enterprise network processing sensitive data. Other data privacy regulations and contractual obligations have similar requirements.
The organization was able to meet all of these requirements with no additional investment in security hardware. As previously discussed, their existing FortiGate NGFWs, deployed at the network perimeter, provided VPN connectivity. With Fortinet’s full suite of unified threat management (UTM) solutions already deployed, the organization was able to ensure that malicious content was identified and remediated before it reached the enterprise network. This was essential, as a shortage of company laptops meant that some employees were working with untrusted personal machines.
The organization’s existing firewall deployment included two layers of FortiGate NGFWs, making it easy to implement internal segmentation for inbound VPN connections. All VPN connections were terminated and inspected at the outer layer of firewalls. The inner layer of firewalls provided defense-in-depth and limited external access to sensitive data and functionality, such as their hosting and service provider business.
Finally, the organization provided FortiToken time-based one-time password tokens to its entire remote workforce. Combined with the FortiAuthenticator user identity management server, this enabled the organization to implement MFA and single sign-on (SSO) for all teleworking employees. In addition to meeting compliance requirements, MFA and SSO also limit damage from phishing attacks, which have grown more prevalent during the COVID-19 outbreak, since usernames and passwords potentially stolen in such attacks are still not enough to gain access to organizational assets.
Meet New Business Needs with Existing Technology
Prior to the COVID-19 outbreak, this telecommunications provider had no remote work policy and limited VPN support. Within a matter of days, thanks to Fortinet solutions already in place, the organization’s entire workforce was able to transition to secure remote access to the organization’s network.
When developing business continuity plans, it is vital to understand the full capabilities of an existing security deployment. For this company, the VPN functionality integrated into their existing FortiGate NGFWs enabled a rapid, secure transition to a remote workforce.
Written By Jonathan Nguyen-Duy | Powered by Fortinet, Delivered by IT Vortex.