*Update October 2023: With the acquisition of Alludo, Awingu was renamed Parallels® Secure Workspace. The described functions and advantages in security and flexibility remain unchanged. With the new name, Awingu as Parallels Secure Workspace® is now a fully-fledged member of the Parallels family, alongside Parallels® Desktop, Parallels® RAS, Parallels® Toolbox and Parallels® Access.

This quote is freely translated from a statement in a blog post by Matthew Sullivan (original quote: Friends don't let friends use VPNs). In this blog post here, we will discuss why traditional VPN (Virtual Private Network) solutions are no longer "good enough" for organizations to enable remote work and telecommuting. In the last third of the post, we will introduce Awingu's solution – an alternative to the classic VPN approach.

For the sake of clarity, when we talk about VPN, we are explicitly not talking about P2P-managed VPN connections for bridging two locations or commercial VPN services (which are assumed to provide a more private and secure browsing experience).

VPN – Virtual Private Network – dates back to the 1990s. In 1996, Microsoft employee Gurdeep Singh-Pall "invented" the PPTP (Point-to-Point Tunneling Protocol). It offered a method for implementing virtual private networks and a secure Internet connection. In 1996, the world had 36 million Internet users (source). Two thirds of them were based in the USA. There were an astonishing 100,000 websites, Netscape was the browser of choice, and at 33.8 Kbps, users could surf the Internet at the speed of light. VPN was the tool of choice at the time. Of course, times have changed.

Your Content Goes Here

Once you're in, you're really "in"

According to an IDC analysis , more than 40% of security breaches come from authorized users, such as contractors, vendors and employees. The problem? VPNs don't usually offer granular controls. But they are necessary for assigning users with specific rights. Once a remote user is authenticated by a VPN, that user is considered trusted and is granted access to everything on the corporate network. This makes the corporate network and its resources quite vulnerable and open to attacks or data leaks.

VPN user access management is not only linked to the Active Directory (AD), but also to the device certificates. This means that when an employee leaves the company, their device certificate must be revoked – and like all manual tasks, this is unfortunately often forgotten.

The need to always use the latest version

VPN platforms are popular. Also with hackers. No platform can benefit from absolute security, and this is certainly true for VPN providers. In the past year alone, many of the most popular and widely used VPN platforms have been breached at their core – at the endpoint. In some cases, it took weeks for the manufacturers to provide a security patch that closed the gap. Below is just a small list of the most recent vulnerabilities:

• Palo Alto: CVE-2021-3051 Cortex XSOAR: Authentication Bypass in SAML Authentication in relation to CVE-2021-3051
• FortiGuard: FortiPortal – Authentication bypass and remote code execution as root in relation to CVE-2021-32588
• Pulse Secure: SA44784 – 2021-04: Multiple Vulnerabilities Resolved in Pulse Connect Secure 9.1R11.4 related to CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, CVE-2021-22900
• Citrix: CTX307794 related to CVE-2021-22907

The message is clear. Especially when you consider that it's easy to tell which VPN technology is being used by whom: always run the latest version, always apply all security patches, and do so immediately. By the way, this should be standard practice for any software solution these days.

Login (only) with password

Multi-factor authentication is the absolute minimum that users should use for authentication with VPN. Unfortunately, it is still not standard in many organizations (!) It's like leaving the door to your own house wide open. Many user passwords have already been hacked and are collected in databases on the dark web (easy to find even for laymen). What's more, by simply using "123456" as a password, hackers already have an amazing chance of getting in. By the way: According to NordPass, the most common passwords in 2020 were the following:

• 123456
• 123456789
• 12345678
• password
• 1234567
• 123123
• 1234567890
• 111111
• abc123
• 00000

Another delicacy for all those who live in the German Ruhr area: "schalke" makes it to 95th place. Unfortunately, the passwords are no longer at Bundesliga level, but at least they are in the top 100

No wonder a Microsoft study found that using MFA blocks account takeover attacks 99.9% of the time.

Conclusion: Use MFA. Always. This is an absolute minimum.

Compromised devices

End users must activate the VPN connection via a VPN client on their device – usually a laptop. Once the connection between the device and the corporate network is established, the gates to Valhalla are usually open. Even if this authentication is done with additional security such as MFA. This means that if the device on which the VPN client is running is infected with malware, opening a VPN connection can also lead to the malware finding its way into your company network. In other words, anything you can do on the device, the attacker can do too. Every resource in the company network that you can reach via the VPN can also be reached by the attacker.

That's why you only want to enable VPN on devices that are owned and managed by the company. The IT department must have optimal control over the device and be sure that it is running the latest operating system version and patches, has an active anti-malware service, can be reset remotely in case of doubt, etc. For precisely these reasons, VPN should only be permitted on devices that are privately owned by employees in absolutely exceptional cases for security reasons.

Flexibility and UX of VPN

You can use VPN to extend your company network to another device that is located in a private home network, for example. The device basically behaves as if it were running in the LAN. This has several consequences:

Users can generally use all local software and files that run on the device itself.

When assets are accessed on the corporate network, they are fully downloaded (or uploaded); for example, if work is being done on a database file on a shared drive, the file is constantly being downloaded and uploaded

By using split tunneling, traffic (such as YouTube and social media) can be routed via the public internet access instead of the VPN. However, this obviously comes with other security risks. The alternative is to route all traffic through the corporate VPN, which can be a drain on VPN capacity.

Conclusion: VPN offers users (if they have a managed laptop) their familiar office experience. However, this comes at the expense of capacity.

Each device

For security reasons, it is therefore advisable to only activate VPN on devices that you fully manage. However, most corporate VPN clients are not available on all devices and operating systems (e.g. MacOS devices, Chromebooks, Raspberry Pi, Android tablets, …). This limits your degree of freedom and that of your users.

Capacity

As described above, VPN platforms usually need to absorb a large download and upload capacity. These platforms are rarely scaled to allow 100% of users to work remotely at the same time. As a result, capacity and associated performance issues are a common challenge.

Awingu is a browser-based unified workspace. It provides RDP-based applications and desktops in HTML5 on any browser. It also aggregates file servers, intranets, web applications, SaaS, … together behind a single pane of glass with single sign-on. Take a look at the architecture and the functions from Awingu to find out more.

The basic safety layers are already installed

Awingu provides its users with a minimum level of IT security for its users. It is generally used in conjunction with an RDS (terminal server) and RDP access. The following list is intended to provide an overview of the security levels that Awingu enables in addition to the usual RDP/RDS scenario.

• • • Multi-factor authentication

Awingu comes with an integrated MFA solution and can easily integrate your current authentication method (if required). By adding MFA, you minimize the risk of brute force attacks. The MFA integrated in Awingu supports the use of one-time tokens (HOTP) and time-based tokens (TOTP). Awingu also integrates DUO Security, Azure MFA, SMS passcode or Radius-based services.

• • • Encryption via HTTPS

Between the end user (browser) and the Awingu virtual appliance, Awingu favors and enables encryption via HTTPS. It also allows the use of own SSL certificates (or SSL proxy). In addition, Awingu has a built-in integration with Let's Encrypt, which automatically generates a unique SSL certificate and takes care of its renewal.

• • • Port 443 only

When set up correctly, Awingu only requires port 443 to be available to end-user clients.

• • • Comprehensive usage control

Awingu comes with an extensive usage log. The usage audit tracks which application sessions users open (or close) and when and where (from which IP address) they do so. It also tracks which files are opened, deleted, shared, etc. The audit log is available via the Awingu dashboard (Admin) and custom reports can be extracted.

• • • Detection of anomalies

Find out about irregularities in your environment, such as someone logging in too often with an incorrect password or someone trying to log in from abroad. This information is available via the Awingu dashboard (Admin only).

• • • RDP via HTML

RDP is known to have numerous exploits. Especially when running older and unpatched versions. HTML minimizes the "threat vector" specific to RDP (e.g. Bluekeep, NotPetya).

• • • Granular usage controls

Specific rights can be assigned for each user (group); e.g. preventing the use of the virtual printer (i.e. no printing at home), preventing the downloading (or uploading) of files to and from the local desktop, preventing the sharing of Awingu application sessions, preventing the sharing of Awingu files, etc.

• • • Recording of the session

Awingu can activate the automatic recording of certain applications or users (note: excluded for Awingu reverse proxy sessions). The end user receives a message about the recording before starting their Awingu application/desktop and must "accept" it.

• • • No local data

All applications, files, hosted desktops etc. run in the browser in HTML5. There is no footprint on the device (cf. granular usage controls). Only screen content is transferred.

Awingu – unbeatable user experience

With Awingu, users can take any device, including their own personal device, and get their work done. It can be a Windows 7 device, a MacBook or a tablet. Awingu enables modern remote working – simply and securely.

Can be used on any device with an HTML5 browser

(1) Awingu in 1 minute (German) – YouTube

Feel free to contact us. As a Certified Awingu Partner, we offer you the opportunity to test Awingu in your own infrastructure for several weeks with our attractive proof-of-concept package. You then decide whether the solution makes sense for you.

This blog article is a slight adaptation of the blog post by Arnaud Marliere, Chief Marketing Officer at Awingu (to the original).