Webinar: Security of remote work | How to secure data when working remotely in the public sector

Learn how to give your employees secure remote access to entity resources, no matter where they work from. We will host the webinar together with our partner Palo Alto.

Security of remote work: How to secure data when working remotely in the public sector (02.06.2020)

Rafał Broda, Project Manager, EXATEL S.A.

Paweł Wojciechowski, Business Development Manager, Fortinet

— Rafał Broda —

Today’s webinar will focus on how to secure your data while working remotely. This will be awareness material to a large extent. To begin with, I would like to emphasise that EXATEL has extensive experience at each administrative level, both in terms of initial projects and conceptual cooperation with various cities, for example the Smart Cities project. We win state tenders for ministries and agencies where both integrated security services and other specialised services are involved. We have also signed some interesting framework agreements thanks to our extensive access network. We take part in local government tenders as our network coverage allows us to do so. Our collaboration with the public sector works a bit like a synergy. We draw knowledge from public organisations in such a way that we have a research and development centre in cooperation with e.g. the Warsaw University of Technology. We react quickly and are able to promptly respond to the needs of Local Government Units. Example: I suspect that some of you have participated in webinars hosted by the Polish Development Fund where we were one of the co-organisers. Our regular technology partner Fortinet has joined us today on the webinar.

— Paweł Wojciechowski — 04:36

Fortinet is celebrating its 20th anniversary this year. From the very beginning, safety was our top priority. Both at the end of the last year and the last quarter, we achieved record results, which shows great customer trust and confidence in our solutions. Over those twenty years, we have strived to be the largest cyber security company. Most of you know us as a firewall developer. One in three firewalls in the world comes from us, and over the years we have developed over thirty product lines. Due to the fact that we focused on organic growth supported by acquisitions, we were able to create a cohesive and integrated cyber security system for you, namely Fortinet Security Fabric. It’s a single system in which these thirty product lines are integrated with each other so you are able to see the full picture of your infrastructure and manage security as well as risk from one console.

— Rafał Broda — 06:00

Let’s begin our sentimental journey. On this slide, I have included some media headlines that, interestingly enough, are only from the last year. What we want to show here is that cybercriminals are not idle. The epidemic only compounded their actions. Cybercriminals are not choosy: they attack at weekends, on weekdays, they attack corporations, small offices and public entities. One thing is for sure – if they can find a loophole, they will resolutely exploit it. If not today, then tomorrow. There are some statistics downloaded by any self-respecting security provider that say you can live in a kind of bliss, a sense of “we are safe”, whereas the statistics are cruel and show otherwise. If we put on a timeline the point when a network was hacked and the point when someone realised it (or there was a ransom demand, or some drives were encrypted), from three to nine months pass (I’m referring to statistics here). There is time that we as administrators can spend on mitigating threats that are out there somewhere in our internal network.

07:34

But let us translate the reality of media headlines into specific cases. We work with you, we sell products, and you share with us the knowledge that has allowed us to create statistics on the most common issues of offices in Poland. I think any of us, if we looked at any of them, would be able to provide some example of a similar incident. There are consequences of potential omissions behind each of these problems. For several years we have been living in the reality of the General Data Protection Regulation which is very restrictive. Last year also saw the first penalty for the office for failing to meet standards under the regulation. There was also the National Cyber Security Act two years ago which, from our clients’ point of view (especially the power generation industry), really rocked the market. This act does not directly affect offices but it is another element that must be remembered. Statistics are also cruel when we talk about tests and controls. There are reports from the Supreme Audit Office and one sentence, from a fairly recent report, which particularly stuck in my mind, is that nearly 70% of the audited offices fail to deal with security. Of course we have to balance the budget, the availability of people, but the problems still exist. How do these problems materialise?

They materialise when attacks happen all the time. In case of local government entities, it is a good thing (as the statistics show) that cybercriminals are constant in their techniques and tools. There are two most common types of attacks here – DDoS attacks and ransomware. Ransomware is the second most common incident we hear about that happens in our national backyard.

Now we will move on to some specific ideas, concepts and solutions and answer the tough questions as simply as possible. It will be a time travel of some sort that we collided with three months ago when the pandemic was declared.

Imagine the classic IT Security administrator. We have a FortiGate unit that has served as our firewall until today. Can we run a VPN gateway with its help?

— Paweł Wojciechowski — 11:35

Yes, you can. FortiGate has many functionalities embedded in the FortiOS. One of them is a VPN gateway. If you already have a firewall, an outbreak has occurred and you need to send employees to work remotely, you can quickly run a VPN gateway on FortiGate and provide your employees with secure remote access. The important thing is that the VPN gateway is part of FortiOS, therefore if you have purchased FortiGate, the VPN gateway is covered by your fee. So, there are no additional licenses for VPN connections.

— Rafał Broda — 12:40

I am not sure if we understood each other correctly regarding the last question. I said I had a firewall as an administrator. But that firewall is actually a firewall. Perhaps it is a software one, perhaps it is already unscalable. We used to try to set up VPN tunnels on it but just setting them up, and thus maintaining and monitoring them, was an ordeal. So, I will put the question in a different way: I don’t have a VPN gateway. What can we do?

— Paweł Wojciechowski — 13:13

There is also a simple answer to this question. You may have FortiGate, but it has, for example, virtually all the capacity used and no room to run additional services. Or you may have another solution on which you cannot run a VPN gateway. The answer is that you need to set up that gateway, and in our case it’s simply FortiGate. You can have this FortiGate as an appliance or as a virtual machine. You buy a device, connect it to the existing infrastructure, run the VPN gateway on it and operate without changing that infrastructure. The second way: you can take this FortiGate as a virtual machine and run the VPN gateway on your private cloud or public cloud.

Due to the fact that the situation found us very quickly and we had to act just as quickly, there were some customers who thought the public cloud was a good solution: you buy a license, set up a VPN gateway in the cloud, connect IPsec tunnels to the existing Forti Firewall infrastructure and you have a working VPN gateway to which remote employees can connect. What distinguishes us is that we have quite a wide range of devices, as well as virtual machines, so you can choose a device according to the size of the VPN gateway you need, or the number of employees you send to work remotely. We have ready-made product packages, but you can also choose individual functionalities. If you want just a VPN gateway, then the FortiGate “zero” package together with maintenance is enough, and if you want a VPN gateway and security, then you can select the Unified Threat Protection package and you have a classic UTM. Answering Rafał’s question, I would like to add – yes, you have to buy the product, but you have the possibility of adjusting it to your needs, both in terms of hardware, location and the licenses you want to use.

— Rafał Broda — 16:17

It can be said that the situation on the edge of the office’s network is under control. We have a concentrator, whereas as our experience shows us, the aspect that we brutally collided with at the very beginning of the pandemic was firstly awareness building and secondly the lack of mobile devices for our staff. While desktops are manageable and every employee has one, employees were not able to take those desktops home and work. Is there any chance I can connect employees without company computer hardware? Is there a way to do this quickly with their PCs?

— Paweł Wojciechowski — 17:16

If you have had a VPN gateway on the FortiGate, you now need to connect a user who works remotely. This is what FortiClient VPN in the free version is for. FortiClient VPN ensures that a VPN tunnel is created over both SSL and IPSec to the VPN gateway located on the FortiGate. So you can send your employees home, they will download the software from the Internet, install it and smoothly connect remotely and have a secure tunnel up and running. And on the server side you have a VPN gateway set up on FortiGate. So, the FortiGate and FortiClient gateway in the free version, which has only a VPN connection, will give you the ability to securely work remotely.

— Rafał Broda — 18:25

Communications has already been secured, business continuity as well. However, a few days have passed, first emotions have subsided, but before we invite tenders for new, safe, mobile equipment for our employees, people responsible for information security come into action and say: “employees have been given access, they can actually perform their duties from 8 a.m. to 4 p.m. but after 4 p.m. until late in the evening the computer is used for private purposes”. We know how people treat security issues in general. So, how can I address the issue of security of two worlds intersecting here on one device, that is, the world of my company and the private world of my employees? What about the security of remote workers’ computers?

— Paweł Wojciechowski — 19:48

When employees take their computer home, hardware security becomes even more of a priority than when those computers were used only within the company’s walls. There are all sorts of firewalls and security features inside the company that create additional layers of security. When we are at home, those protections may no longer be there and securing the endpoint is an important aspect and must be ensured. For this purpose, we offer FortiClient in the full (paid) version. When you purchase the license, it has a central management console on the server side, which is called FortiClient EMS, and then from that one central point you can manage the FortiClients installed on the remote workers’ computers. When you have a lot of these computers, this central management is a considerable added value. If you invest in computer security with the full version of FortiClient with central management then, you will get several different functionalities.

The full version of the product has some interesting features, including Fabric Agent which ensures three aspects. Firstly, it ensures telemetry, i.e. information about the endpoint transmitted to the central point of the console, so on the console (and in particular FortiView on the FortiGate), you are able to see the full picture of the managed infrastructure. Secondly, it gives you an application scanner, which means you have a complete list of applications that are on users’ endpoints, and therefore a vulnerability scanner which will show you the vulnerabilities that exist in the applications used by employees. With vulnerability information, you can connect this with security policies on your firewall. How to do it? This can be done so that the firewall policy dynamically gets endpoint information through the EMS console and includes data that if a computer has a critical vulnerability, it will not allow it into the corporate network. This results in much greater security, even if employees work remotely.

The full version of FortiClient also ensures advanced malware protection techniques, including Web Filtering available on the endpoint. The full version of FortiClient is also available on many operating systems. Windows and Mac OS comprise most of the functionalities we offer, but we also support Android and iOS, not to mention Linux. Endpoint safety is extremely important and you should pay close attention to it.

— Rafał Broda — 25:04

Indeed, it looks like we’re dealing with a secure system, but it doesn’t stop there. We already have connectivity, the concentrator is actually there, the endpoints are secured, but there is still something to be added by those responsible for the processes. And they say, “listen, as you know, employees have different levels of authorisation and they should somehow translate into security mechanisms”. It is very common to find that the business hierarchy should be reflected in some secure form of remote access. How to handle such a demand? How can you get to an even higher level of security?

— Paweł Wojciechowski — 26:01

If we already have a secure connection and a secured endpoint, the next aspect we should emphasise is two-factor authentication, which protects us from identity theft, that is, when someone steals the user ID and password. By having two-factor authentication, we are protected from such theft. What you need on the user side is FortiToken, and FortiAuthenticator on the server side which in this particular case will be responsible for managing the tokens in the context of the FortiGates that are in your infrastructure. As far as FortiToken is concerned, it is available in various versions, both in hardware form (USB, token or card) and as an application to be downloaded and installed on mobile devices. The application is preferred by most of our customers because on the one hand it is easy to use, on the other – it is logistically easy to download in times where logistics around the world is difficult. Another thing to know about FortiToken is that they are perpetual licenses, so once you invest in FortiToken, you will have it forever.

On the server side, there is FortiAuthenticator, which is necessary to support FortiTokens and the authentication and authorization process, and to support FortiGates, i.e. also the VPN gateway. It is connected to Active Directory. FortiAuthenticator can later perform other functions, such as being a certificate server, providing Single Sign On internally, as well as helping you create a website for visitors who come to your office. The product can also be an identity provider for Office 365. As you migrate your e-mail to the cloud and use Office 365 mail, because FortiAuthenticator supports the SAML 2.0 protocol, it is able to manage identity and access with regard to Office 365 from your office. The investment in FortiAuthenticator, in the context of two-factor authentication, can therefore pay for itself in the long term by implementing other functionalities that are available as part of the solution.

— Rafał Broda — 29:37

We seem to have built quite an interesting system. We’ve provided the connectivity, we’ve met the information security requirements, we’ve separated the hierarchy, so let’s see what came out of those components.

— Paweł Wojciechowski — 29:54

A pretty interesting picture has emerged. To recap the story we’re telling: we started by building a VPN gateway, and that’s the FortiGate on the Data Center side, which can be set up on your premises, but can just as easily be set up in a private or public cloud. To provide remote connectivity, we talked later about FortiClient in the free version, which just has the ability to create a VPN tunnel, so you’re able to send people home and very quickly start secure remote work. When you are at home, computer security is important, so the FortiClient full version with the FortiClient EMS central management console, integrated with FortiGate, is the solution that will ensure the security of both computers and mobile devices. Then, to strengthen security and insure against identity theft, it is worth investing in two-factor authentication, for which you need a FortiToken on the user side (we recommend FortiToken in the form of an application) and a FortiAuthenticator on the Data Processing Center side, which will be a link to Active Directory and will manage tokens and the process of identity management and authorization.

What also appears in this image are the FortiSIEM, FortiAnalyzer and FortiManager solutions and this is the management part of the solution that we’ve been able to create here. If you have a larger infrastructure, more extensive and multi-branch, then it is worth considering and going in the direction of a central place to manage these devices, but also to manage security incidents. This is what FortiAnalyzer and FortiManager are for. As you can see, Fortinet has a lot of solutions. Fortinet Security Fabric is an integrated cyber security system and we have solutions that address virtually every single challenge when it comes to security in your organisation. What we are talking about today is just a small part of this system because there are many other solutions that we will cover in future webinars.

— Rafał Broda — 33:00

How can EXATEL protect me in this model we are discussing today? The names of the systems and communication buses that appear here probably tell you a lot, and in each of them EXATEL is either a leading supplier or has direct access to these resources. We see a portfolio of customers for our services below the names of the systems and these are services of all kinds, related to both telecommunications and cyber security. Throughout the years of our presence in the structures of the Ministry of Defense, the company has also developed a certain culture of security which results in the slogan “EXATEL – The most secure Polish network” being very true. The experience from these projects and systems has been translated into some kind of specific solutions. The solutions which we communicate to both the public and commercial markets.

We have dedicated teams to handle security, with people who have relevant experience assured by certificates. A derivative of operating in the Ministry of Defense is also the fact that we have certification with corporate military standards.

To conclude today’s webinar, I’d like to highlight one product in particular which is the managed firewall service offered by EXATEL, created from scratch by us. This solution protects both the edge of our network and can be a VPN concentrator, or a classic UTM and in our opinion, if well configured, it is able to actually prevent ransomware attacks. The firewall service itself can be deployed either in a model at your location, in the EXATEL Data Center, or as a virtual machine on your resources in public clouds. We are flexible in this respect and you are welcome to ask our sales consultants for assistance if necessary. Why are you welcome to contact our sales consultants? Because it is not a list price service. Each time the price of this service goes through a requirements screening process. Customers are different and have different requirements, and the Fortinet product line is very long and the spectrum of these functionalities is very wide. What we are able to deliver is full integration. We integrate the service into your environment as far as this is possible under the existing conditions. Of course, we prefer to sell this service under a monthly subscription. It is the model we recommend, it performs quite well and takes all the hassle of maintenance, service and patches off your mind. You get a finished security protection product. And that’s it when it comes to Managed Firewall.

— Questions — 37:51

“What mode of remote work/connection do you recommend?”

Paweł: I would recommend a VPN. Whether SSL or IPSec, it is a matter of individual choice and preferences. In our experience, most EXATEL customers choose SSL VPN. We observe it, too. You can of course run RDP sessions but you have to be careful with that because such sessions consume quite a lot of memory. They make life a little easier because you can launch applications from the browser, but they consume memory, and the memory in the device is finite. So, if someone has a VPN gateway in the cloud, where the memory limitation does not exist, then they do not have to worry about it, but if it is a device, then you have to approach it carefully and make detailed calculations. My recommendation is a VPN.

39:32

“Is it possible to manage FortiTokens directly from FortiGate without the help of FortiAuthenticator?”

Paweł: Yes, it is, whereas our recommendation goes to FortiAuthenticator. Why? We have one FortiGate and a gateway set up there where you can enter FortiTokens and manage them from the FortiGate. When you replace the unit, you will need to manually retype that by contacting our service desk. The process is therefore complex. When we have more FortiGates, because it’s a multi-site infrastructure, then FortiTokens have to be entered on each FortiGate separately, and that’s not a cool thing anymore. So, FortiAuthenticator, standing back, connected to Active Directory, is a great solution that facilitates the central management of FortiTokens, but also the process of identity and authorization management.

41:00

“What about the division of management responsibilities for the device? Is the VPN managed by EXATEL and the firewall still by us?”

Rafał: This is one model that we adopt, but it is not recommended. Why? Intersecting areas of jurisdiction between managers cause – in the case of some request submissions – requests for changes of so-called ping-pong. We’re not saying “no”, but from experience we prefer the managed service model. It involves the removal of any engineering/deep engineering needs on your side.

42:24

“What is the fundamental difference in security between the Fortinet solutions presented here and the popular method of working remotely via applications like TeamViewer, AnyDesk, etc.?”

Rafał: Generally, these are RDP solutions and it is a slightly different level of security. With FortiClient we give the user full usability, they can process documents locally at home. It’s hard to say which solution is better, which is worse as they are different and hard to compare.

Paweł: I think it is something completely different. We provide the ability to create the infrastructure for secure remote work and connect from anywhere in the world to the headquarters, and applications and other things are applied on top of that. I’ve dealt with AnyDesk when IT supports users remotely through a remote desktop. I don’t have an opinion on this because they don’t allow you to work remotely from anywhere in the world.

It also seems to me that the Fortinet infrastructure gives more universal security at the infrastructure level.