
A comprehensive guide

How to secure your remote workforce and protect your business with a secure VPN

Table of contents
  • Introduction: COVID-19 creates urgent need to enable secure remote workforce
  • What is remote access?
  • How do companies provide remote access to employees?
  • What is a VPN?
  • Why a secure VPN combined with remote workforce technologies is the answer to remote work challenges
  • How does a VPN work?
  • What is a remote access VPN?
  • What is a site-to-site VPN?
  • Why do you need a VPN connection to securely power your remote workforce?
  • What are the benefits of using a VPN to secure your remote workforce?
  • The three most common VPN approaches
  • VPN remote workforce use cases
  • How do you ensure your VPN is secure?
  • How Palo Alto Networks can help you securely power your remote workforce


Introduction: COVID-19 creates urgent need to enable secure remote workforce

As the COVID-19 outbreak became a pandemic and increased in prevalence within the U.S., shelter-in-place orders were issued across the country. Seemingly overnight, the majority of most companies’ workforces were told they couldn’t come into the office – that they needed to work from home.

  • 57% of employed Americans say their employer is offering them flex time or remote work options as of April 2.
  • 62% of employed Americans say they’ve worked from home during the COVID-19 crisis.
  • Three in five U.S. workers who have been working remotely during the coronavirus pandemic prefer to continue to work remotely as much as possible after public health restrictions are lifted.

As COVID-19 has called for all enterprises and employees to adapt our workdays to accommodate the new reality, malicious actors have also adapted, and they’re taking advantage of the pandemic to launch cyberattacks. COVID-19 cyberthreats are running rampant as humans are changing behavioral patterns in response to the crisis.

Meanwhile, employees are growing accustomed to a more flexible work environment. In a short period, enterprises across every industry have figured out how to run near fully remote businesses, providing employees with all the resources they need to work from home. By and large, newly remote companies are realizing it’s possible to uphold a strong, healthy company culture that makes employees feel connected while working from home full time. Through a combination of video conferencing, emphasis on work life balance and collaboration among remote teams, the global perspective on remote work is undergoing a major change.

  • Over 50% of employers plan to expand or increase flexible work arrangements on a more permanent basis after the coronavirus outbreak is contained.
  • Only 15% report that leadership doesn’t plan to revisit remote work options post-COVID-19.

As a result, corporate leadership across industries was forced to ask three questions: How do we stand up an entirely remote workforce? How do we manage remote employees? How do we secure our mobile workforce? From a technology standpoint, most companies that are not traditionally fully remote can provide connectivity, hardware and infrastructure to enable a fixed percentage of workers to work from home. When shelter-in-place orders swept the nation, the remote portion of nearly every business’s workforce skyrocketed. It’s undeniable that the future of work is transforming. Now, enabling the secure remote workforce is the key to supporting business continuity.

What is remote access?

Remote access provides end users with the ability to access resources on the corporate network from a distant location. The most common function of remote access is to enable employees who are traveling or telecommuting to connect to the company network and access resources such as internal applications, intranet, mail services and file sharing.

In the past, remote access was a service that companies provided through dial-up modems. In order to avoid the expense of long distance or toll-free phone lines, companies started adopting remote access methods that took advantage of public networks over the internet. The evolution of internet technology led to a parallel growth in remote access with more adaptive, secure options.

How do companies provide remote access to employees?

The predominant method of providing remote access is via a VPN connection. Normally, a user has no expectation of privacy on a public network, as their network traffic is viewable by other users and system administrators. A VPN creates a “tunnel” that passes traffic privately between the remote network and the user. The tunnel protects the traffic and keeps it safe from interception or tampering.

An emerging model of remote access provides the benefit of a tunnel for broad application support while retaining strong control over access to applications through the next-generation firewall security policy. This approach allows administrators to safely enable remote user activity and access on the network. Combining the benefits from earlier implementations, this model is the most secure and practical remote access solution available today.

What is a VPN?

A virtual private network allows you to safely connect to another network over the internet by encrypting the connection from your personal device. Essentially, it’s a way to connect to the corporate network without being in the physical location of the office or campus. It allows for remote employees working outside of the office to connect beyond the perimeter of the typical corporate environment in a secure manner. A VPN allows remote employees to become an extension of the network as if they’re in the office with the same security and connectivity benefits. Think of it as a secure network line from a user to applications, whether those applications reside in a private data center or on a public network.

A VPN makes your internet connection more secure and offers privacy online. Organizations, governments and businesses of all sizes use VPNs to secure remote connections to the internet for protection against malicious actors, malware and other cyberthreats. Personal VPNs have also become widely popular as they keep users’ locations private, safely encrypt data and allow users to browse the internet anonymously.

With the remote workforce rapidly becoming more commonplace, enterprises across all industries are moving outside of the HQ perimeter together, but employees still need a secure way to access applications and data to do work.

There are two types of VPN:

  1. Site-to-site VPN is used to connect branch offices to a central office over the internet when distance prevents direct network connections.
  2. Remote access VPN allows individual users to remotely connect to a central network. In this case, the devices are referred to as endpoints.

Why a secure VPN combined with remote workforce technologies is the answer to remote work challenges

The only way to secure your remote workforce is a secure VPN. Employees must connect from their laptops, desktops and mobile devices over a VPN connection. It’s the secure, private method for virtually entering the corporate office, so to speak.

In many cases, remote workforce technology requires hardware. At present, obtaining hardware quickly is difficult with shipping delays taking place globally. Fortunately, there are other ways of connecting employees to the corporate network from home while ensuring their user experience isn’t compromised. People can work productively without delays using a VPN.

How does a VPN work?

As mentioned above, a VPN creates a private connection known as a tunnel. All information traveling from a device connected to a VPN will get encrypted and go through this tunnel. When connected to a VPN, a device behaves as if it’s on the same local network as the VPN. The VPN will forward device traffic to and from the intended website or network through its secure connection. This allows your remote users and offices to connect securely to a corporate network or website. It also hides your IP addresses from hackers and prying eyes.

With a VPN, data traverses the internet through a secure tunneling protocol, where it’s encrypted to stop any third party from reading your data as it travels. The two most popular network protocol suites for encryption are:

  1. Secure Sockets Layer (SSL) or, more recently, Transport Layer Security (TLS)
  2. Internet Protocol Security (IPsec)

Essentially, encryption scrambles the contents of your information – making it unreadable – in a way that can only be decrypted using a key. The tunneling protocol also encapsulates the data with routing information for the receiving user. Once received, the remote access connection is subject to an authentication, authorization and accounting server program, which authenticates the user, authorizes access and accounts for all online activity for the duration of the connection.

What is a remote access VPN?

A remote access virtual private network enables users who are working remotely to securely access and use applications and data that reside in the corporate data center and headquarters, encrypting all traffic the users send and receive.

The remote access VPN does this by creating a tunnel between an organization’s network and a remote user that is “virtually private,” even though the user may be using a public WiFi hotspot in a coffee shop, for example.

It's critical to note that with applications moving to the cloud, users don’t need to connect as often to the remote access VPN. Poor internet connectivity and bandwidth cause users to disconnect, as internet traffic is directed to the data center and then out to the public internet. Disconnected users present a security problem, however: Organizations lose visibility and control over user traffic. To address this shortcoming, security teams often add point products, such as proxies, to handle traffic when users are disconnected from the VPN. This creates a security issue, because different traffic paths follow different security policies.

A more recent approach is to use a Secure Access Service Edge (SASE; pronounced “sassy”), which replaces the mix of VPNs and point products with a combination of networking and network security delivered as a service from the cloud. Using SASE, an organization doesn’t have to maintain a separate stand-alone proxy or VPN. Rather, users connect to a SASE solution (which provides access to the cloud and data center) with consistent security.

What is a site-to-site VPN?

A site-to-site VPN is a connection between two or more networks, such as a corporate network and a branch office network.

Site-to-site VPNs are frequently used by companies with multiple offices in different geographic locations that need to access and use the corporate network on an ongoing basis. With a site-to-site VPN, a company can securely connect its corporate network with its remote offices to communicate and share resources with them as a single network.

Example of a site-to-site VPN

Site-to-site VPNs and remote access VPNs may sound similar, but they serve entirely different purposes.

  • A site-to-site VPN is a permanent connection designed to function as an encrypted link between offices (i.e., “sites”). This is typically set up as an IPsec network connection between networking equipment.
  • A remote access VPN is a temporary connection between users and headquarters, typically used for access to data center applications. This connection could use IPsec, but it’s also common to use an SSL VPN to set up a connection between a user’s endpoint and a VPN gateway.

Companies have traditionally used site-to-site VPNs to connect their corporate network and remote branch offices in a hub-and-spoke topology. This approach works when a company has an in-house data center, highly sensitive data and applications or minimal bandwidth requirements. However, now that most companies have moved their applications and data to the cloud and have large mobile workforces, it no longer makes sense for users to have to go through an in-house data center to get to the cloud when they can instead go to the cloud directly.

Consequently, companies need to set up network topology with access to the cloud or data center applications. This is driving organizations to set up network architectures that do not depend on bringing all traffic back to headquarters.

As explained above, a SASE delivers the networking and network security services companies need directly through a cloud infrastructure. Moreover, SASE offers multiple security capabilities, such as advanced threat prevention, credential theft prevention, web filtering, sandboxing, DNS security, data loss prevention (DLP) and others from one cloud-delivered platform.

This allows companies to easily connect their remote offices; securely route traffic to public or private clouds, software-as-a-service (SaaS) applications or the internet; and manage and control access.

Why do you need a VPN connection to securely power your remote workforce?

Allowing employees to work remotely requires the ability to access company data and software resources at the source. While providing that remote access is convenient for employees and often a productivity advantage, it requires the right measures to enable a secure remote workforce, support business continuity and protect your network because information security is a major concern. A VPN connection is the A1 way to enable your remote workforce while also effectively securing it.

A quick look at the security landscape of today shows what enterprises are up against:

  • Employees can be almost as dangerous to a business's security as hackers and cybercriminals.
  • Phishing, malware and social engineering are the most common attack types – and three risks that run rampant among remote workers.
  • 39% of enterprises are only “somewhat confident” in their ability to accurately assess the effectiveness of phishing awareness programs.

Common remote work security threats:

  • Phishing attacks
  • Distributed denial of service
  • Remote desktop account attacks
  • Bluekeep exploits
  • Bypass of multifactor authentication

When it comes to the security implications of powering a remote workforce, you need to take a strategic approach to prevent data breaches. Running a remote workforce means that your employees need access to applications that are accessible through the network, making a VPN essential. A VPN effectively gives you an encrypted private connection from your endpoint – whether a mobile device, tablet or laptop – into a corporate network so that your resources aren’t open to the public internet.

What are the benefits of using a VPN to secure your remote workforce?

  • The first and foremost benefit of using a VPN is security. Instead of going through a public line, employees rely on a private network that creates a secure tunnel for accessing the data and application.
  • Visibility is also a major benefit of a VPN. If you have the VPN client for Palo Alto Networks GlobalProtect sitting on your device, for example, you can visualize network traffic, applications, ports and protocols that a user or device is accessing; in-depth visibility on device and user activity on the network.
  • Control is important for secure remote access. GlobalProtect allows you to conduct access control or segmentation. In other words, it’s easy to create and enforce a policy which stipulates a particular person on the marketing team, for instance, only has access to marketing-related applications.
  • Flexible deployment options are another positive to using a VPN. Today, there’s hardware-based VPN and software-based VPN, allowing different options for enabling VPN depending on your specific technology needs.
  • Improved access to SaaS and cloud applications is a critical advantage. Businesses are using cloud applications increasingly. Accessing these applications securely is essential – via open internet is simply not an option. Without encryption or a VPN, cloud application access isn’t worth the risk due to the sensitive information involved. Using a VPN, however, makes accessing cloud applications quite easy.
  • Using a VPN means your employees choose their location – you can be anywhere, connected, with no need to be physically close to the office. Freedom of geography is what allows remote employees to work from home.
  • Choice of connection mode means mobile workers can use Wi-Fi, 5G or a wired connection. All can enable VPN on top.

The three most common VPN approaches

There are three common approaches to VPN.

  1. Full tunnel VPN

    Full tunnel VPN is secure, but it is not scalable:

    • All traffic goes through the full network security stack
    • Requires adding additional hardware to scale capacity
    • Traffic bound for the Internet creates congestion on the data center internet link
    Diagram of full tunnel VPN

    Once you establish the encrypted connection of your endpoint such as your laptop, for example, you’re connecting to a server endpoint in your corporate network. All the network traffic from that endpoint must go through the tunnel. Even if you’re working from home and you normally connect to your WiFi hotspot, which goes through your router to the corporate network – and eventually makes its way across the internet to your company – when a full tunnel VPN connection is established, even traffic to the internet must go through the tunnel to your corporate network. Then, it exits your corporate network to reach the internet, ultimately securing access to corporate resources.

  2. Split-tunnel VPN

    Split-tunnel VPN is not secure, but it is more scalable than full-tunnel VPN:

    • Internet traffic is not inspected
    • Mobile device becomes a backdoor into your corporate network
    • Scalability remains a challenge
    Diagram of split tunnel VPN

    In the case of a split tunnel VPN, only traffic destined for your data center goes through the VPN. All other traffic can go around it. Direct connections to the internet, like Google for example, won’t go through the VPN channel, but connections destined for corporate resources such as an accounting application will.

  3. Cloud proxy approach

    The cloud proxy approach to VPN is neither secure nor scalable:

    • Most ports and protocols are not inspected
    • Subpar security functionality, inconsistent between users being on-premise and remote
    • Compliance tools easily bypassed by malware and power users
    • Multitenant architectures limit scalability
    Diagram of cloud proxy VPN approach

    In the case of a cloud proxy, the VPN server is hosted with a cloud provider rather than within your corporate network, the implications of which are one of two: you’re only accessing cloud-based services that live on the cloud or need to expose on-premises resources to the VPN. If you’re accessing cloud-based services exclusively, in AWS for example, you can stand up a VPN in AWS to protect your connection and enable access to resources running in AWS that aren’t typically exposed to the internet. If you need to enable access to on-premises resources using a cloud proxy VPN, an encrypted connection back to your premises is required to gain access to corporate resources – through the internet to the cloud provider – across a secure VPN. From the cloud provider, employees have access to corporate resources.
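
On the endpoint, the difference between the full-tunnel and split-tunnel approaches above is visible in the routing table. The following Python audit is an added example, not Palo Alto Networks code: the interface names (`tun0`, `wlan0`), the route tables and the allowed exceptions are constructed assumptions. It computes which IPv4 destinations leave the device outside the tunnel and therefore skip inspection.

```python
import ipaddress

# Constructed sample route tables: (destination prefix, outgoing interface).
# Assumed names: "tun0" is the VPN tunnel, "wlan0" is the home Wi-Fi.
FULL_TUNNEL = [
    ("0.0.0.0/0", "tun0"),
    ("192.168.1.0/24", "wlan0"),     # local LAN stays on-link
    ("203.0.113.10/32", "wlan0"),    # host route to the VPN gateway itself
]
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "wlan0"),          # internet traffic bypasses the tunnel
    ("10.0.0.0/8", "tun0"),          # only data center traffic is tunneled
    ("192.168.1.0/24", "wlan0"),
]
# Edge case: the default route still points at Wi-Fi, but two /1 routes
# cover the whole address space and win on prefix length.
HALVES_OVERRIDE = [
    ("0.0.0.0/0", "wlan0"),
    ("0.0.0.0/1", "tun0"),
    ("128.0.0.0/1", "tun0"),
    ("203.0.113.10/32", "wlan0"),
]
# Destinations that are expected to stay outside the tunnel (assumption).
LOCAL_EXCEPTIONS = ("192.168.1.0/24", "203.0.113.10/32")


def parse(table):
    """Turn (prefix, interface) strings into (IPv4Network, interface)."""
    return [(ipaddress.ip_network(prefix), ifc) for prefix, ifc in table]


def egress(table, dest):
    """Longest-prefix match: interface that carries traffic to dest."""
    addr = ipaddress.ip_address(dest)
    best = None
    for net, ifc in parse(table):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best[1] if best else None


def subtract(pieces, hole):
    """Remove network `hole` from a list of networks (CIDR blocks are
    either nested or disjoint, so three cases cover everything)."""
    out = []
    for piece in pieces:
        if piece.subnet_of(hole):
            continue                              # fully covered by hole
        if hole.subnet_of(piece):
            out.extend(piece.address_exclude(hole))
        else:
            out.append(piece)                     # disjoint, keep as is
    return out


def uninspected(table, tunnel_if="tun0", allowed=()):
    """Address space that leaves the endpoint outside the tunnel,
    excluding the explicitly allowed exceptions. IPv4 only."""
    routes = parse(table)
    leak = []
    for net, ifc in routes:
        if ifc == tunnel_if:
            continue
        pieces = [net]
        for other, _ in routes:
            # A more-specific route takes precedence inside this prefix.
            if other != net and other.subnet_of(net):
                pieces = subtract(pieces, other)
        for exception in allowed:
            pieces = subtract(pieces, ipaddress.ip_network(exception))
        leak.extend(pieces)
    return list(ipaddress.collapse_addresses(leak))


def tunnel_mode(table, tunnel_if="tun0", allowed=()):
    """Classify a route table as 'full', 'split' or 'no-tunnel'."""
    if not any(ifc == tunnel_if for _, ifc in parse(table)):
        return "no-tunnel"
    return "split" if uninspected(table, tunnel_if, allowed) else "full"


if __name__ == "__main__":
    for name, table in [("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL),
                        ("halves", HALVES_OVERRIDE)]:
        print(name, tunnel_mode(table, allowed=LOCAL_EXCEPTIONS),
              egress(table, "198.51.100.7"))
```

Checking only where `0.0.0.0/0` points would misclassify the third table, which is why the audit resolves overlapping prefixes before deciding.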

VPN remote workforce use cases

  • Business continuity

    When a local, national or even global disaster event takes place, your employees still need to function and complete their work. A VPN is a major part of the solution set you’ll need to ensure business continues to run.

  • Contractor access

    If you rely on contractors, they need to be able to work on your system too. A VPN makes it easy to provide them with access to your network, which you can secure by leveraging policies and VPN configurations to prevent contractor access from negatively affecting the security of your corporate network.

  • Telework

    Telework requires the ability to provide employees the necessary flexibility for working remotely in a secure fashion.

  • Mobility

    Whether at home, in a coffee shop or the office, employees are always on, always reliant on mobile devices and always in need of access to corporate resources, no matter where they’re working. A VPN establishes the secure connection necessary for enabling the mobile workforce.

How do you ensure your VPN is secure?

In theory, a VPN is secure by definition in that it’s a private network, but it still requires the proper policies and controls. A tunnel can only be established if both sides communicate with each other. Without this step, the VPN is not secure. The tunnel will only be formed if both sides communicate, essentially conveying “yes, we're here and we have built this tunnel between the two sides.”

When it comes to VPN protocols, IPsec is most commonly the protocol of choice. IPsec supports several different encryption schemes, and some are more secure than others. Typically, you still must authenticate the user before they can use the VPN. Depending on the authentication means, which is usually certificate based and not username and password, you must have a prearranged trust between the endpoint and server before you can establish a VPN connection.

Encapsulating a packet for secure transportation on the network can be accomplished by means of the IPsec protocol. For example, in the case of a site-to-site VPN, a source host in a network transmits an IP packet. When that packet reaches the edge of the network it makes contact with a VPN gateway. The VPN gateway that corresponds with that network encrypts the private IP packet and relays it over an ESP tunnel to a peer VPN gateway at the edge of the next network, the gateway of which decrypts the packet and delivers it to the destination host.

How Palo Alto Networks can help you securely power your remote workforce

A VPN is a necessity for keeping your data safe and secure when doing work online or on any public network. Palo Alto Networks offers multiple solutions that can help you power and secure your remote workforce – Prisma Access and GlobalProtect.

Prisma Access

Prisma Access™ delivers the networking and security that organizations need to secure the cloud-enabled remote workforce. Prisma Access is the ideal option when you require the ability to scale your remote workforce quickly.

Mobile users and remote branches connect to our service in the cloud, forming a VPN tunnel between the cloud and the mobile user or branch, enabling seamless and secure access to cloud, data center and SaaS apps or resources. Think of it as a cloud network between users and the corporate network that delivers all the functionality of hardware, managed by Palo Alto Networks in the cloud.

For example, if you had the need to scale to 10,000 users working from home, the process is easy. You simply need to install the same software client onto your mobile devices and connect into Prisma Access, bringing all the security capabilities of Palo Alto Networks Next-Generation firewalls, but without the need to deploy additional infrastructure. In essence, Prisma Access helps organizations secure remote workforces rapidly, no matter where they are in the world.

Additional use cases

  • Firewall as a Service
  • DNS security
  • Threat prevention
  • Cloud secure web gateway
  • Data loss prevention
  • Cloud access security broker

Further resources

Prisma Access datasheet Get the whitepaper

GlobalProtect

GlobalProtect™ network security for endpoints is the on-premises, built-in VPN solution for the Palo Alto Networks Strata network security suite. Every Palo Alto Networks Next-Generation Firewall is designed to support always-on, secure access with GlobalProtect as your mobile workforce grows.

GlobalProtect extends the prevention capabilities of the Security Operating Platform® to mobile workers, regardless of their location. By leveraging Next-Generation Firewall capabilities, GlobalProtect provides greater visibility into all traffic, users, devices, and applications. You can extend consistent security policies to all users while eliminating remote access blind spots and strengthening your security.

For instance, if you already operate the necessary firewall appliance and originally planned to enable 20% of your workforce to work remotely but had the need to scale to 100%, the process would simply require users to run the coinciding software client on their laptops, connect to that same next generation hardware appliance and they’re good to go.

Additional use cases

  • Protect your growing mobile workforce
  • Implement a zero-trust architecture
  • Enable and secure bring-your-own-device

Further resources

GlobalProtect datasheet Implement GlobalProtect

VM-Series Virtual Firewalls

VM-Series Virtual Next-Generation Firewalls provide all the capabilities of the Palo Alto Networks Next-Generation hardware firewall in a virtual machine form factor. This allows you to secure your environments using a single tool, automate network security and boost your cloud investments.

If you’re struggling to provide remote access with limited hardware, it’s possible to add more capacity by using a virtual machine-based firewall.

Additional use cases

  • Infuse segments and microsegments with threat protection
  • Leverage a single security tool with consistent control across multi-cloud environments
  • Get dynamic security provisioning and scalability for dynamic environments

Further resources

VM-series NSX solution brief FNTS case study

Palo Alto Networks is here to help you protect your mobile workforce.

We hope this guide has been beneficial to you in your search for trustworthy information on securing your remote employees by using a VPN. Palo Alto Networks is here to help with your rapid deployment needs to power and secure your remote workforce.

Copyright © 2022 Palo Alto Networks. All rights reserved