July 2, 2018

Tunneling to secure connectivity

Roman Kleiner

Existing Infrastructural Investment

We previously explored protection for branch networking, including unmanaged devices such as BYOD. We also zoomed in on Forcepoint’s i500 appliance, which combines performance with strong protection powered by Cloud infrastructure.

There are, however, situations where this solution is also not ideal, and to understand these we need to step into the exciting world of IT budgets and network topologies. A big part of the drive to Cloud comes from the organizational necessity to reduce operational costs and slash management overhead. This applies to productivity tools such as Office 365, and to security infrastructure such as Secure Web Gateways (SWG). As IT admins move away from high cost MPLS lines to local Internet breakouts, they look for ways to keep the same levels of protection without requiring much hardware.

The i500 makes a big step in that direction, but it does not quite go all the way since we still need to deploy an appliance, albeit a small one. For some organizations it is not good enough, as they either have too many sites, and/or a shortage of staff to manage an additional type of appliance.

This raises yet another business problem: can one protect branch offices without requiring endpoint software installation, and without requiring any new hardware or virtual appliances?

The answer to that is still, unsurprisingly, a ‘yes,’ and it comes in the form of site-to-site VPN. Even as the traditional security perimeter dissolves, most branch offices still have some form of networking equipment, be it a router or a firewall. These devices are capable of automatically wrapping outbound traffic in a tunnel and forwarding it to a Cloud proxy infrastructure, which applies the same policy an on-premises gateway would to keep the office safe from Web-based threats and data exfiltration.

Before and After

Here are a couple of diagrams to show how one would migrate to a VPN solution.


Figure 1 – On-premises Secure Web Gateway with MPLS connectivity from the branch office


Figure 2 – Local Internet breakout with VPN-assisted Cloud Secure Web Gateway

As you can see, in Figure 2, we have direct breakout to the Internet, which is seamlessly secured via a VPN tunnel to the Cloud Security provider. No new hardware is to be found, and both the MPLS connectivity from the branch to HQ and the local web gateway in the HQ are gone.

Hybrid Environments

While we’re on the subject of network topologies and migration, it’s worth touching upon enterprise needs and Hybrid deployments. The move from Figure 1 to Figure 2 above makes sense in most situations, however some enterprises might still wish to retain some on-premises capabilities in their headquarters, even as their branch offices are filtered exclusively via Cloud and VPN tunnels.

The resulting deployment would look like this:

Figure 3 – Hybrid Web Security with VPN-assisted branch office protection

An organization that already invested in an on-premises gateway could use this model to remove MPLS costs, while still retaining the original investment. Or, this could be a natural migration step towards a Cloud-only model. Lastly, IT departments that have strong reasons to own and manage their reporting or configuration data for compliance reasons could also choose this path, even in the long term.

Note that the branch office continues to get exactly the same benefits as in Figure 2.

Flavors of Tunneling

VPN tunneling is a highly technical subject that merits (and has) its own blogs and books. We won’t go deep on it here, but we should mention that two protocols are commonly used to build these site-to-site tunnels: GRE and IPsec. Strictly speaking, only IPsec is a VPN protocol. GRE (RFC 2784) is plain encapsulation: it carries the inner packet in the clear and adds no authentication or encryption of its own.

Both have their pros and cons. IPsec is more versatile and, unlike GRE, actually secures the traffic: it authenticates the peers and encrypts the tunnelled packets. It is supported by routers and firewalls, while GRE is supported mostly by routers. In addition to pre-shared keys (PSK), IPsec supports certificate-based authentication, which in turn allows tunnels from branches behind ISPs that hand out dynamic IPs. GRE has no authentication at all: the cloud side can only identify the tunnel by the outer source IP address, so a GRE branch normally needs a static public IP, and the tunnel should be seen as a way to steer traffic to the proxy rather than as protection for that traffic in transit.

However, versatility comes at the cost of complexity, and IPsec tends to be harder to set up. Forcepoint has been successfully deploying large organizations via IPsec and has launched Limited Availability of GRE.
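As an added example, not Forcepoint’s code and not part of the original post, the following Python builds a GRE tunnel packet the way a branch router would (RFC 2784 header with the optional checksum, inside an outer IPv4 header), then shows the two points made above: the cloud side has nothing but the outer source IP to identify the branch, which is why GRE wants a static address, and an on-path observer can read the inner addresses and payload, because GRE does not encrypt. IPsec, which would authenticate the peers and encrypt the inner packet, is deliberately not implemented here. All addresses are from the RFC 5737 documentation ranges, and the inner packet is a bare IPv4 header plus an HTTP request with the TCP header omitted; all of it is constructed for the example. Only the standard library is used.

```python
"""GRE (RFC 2784) encapsulation, decapsulation and cloud-side peer check.

Added example, not Forcepoint code. Addresses are constructed documentation
ranges; the inner packet omits the TCP header for brevity.
"""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47
GRE_FLAG_CHECKSUM = 0x8000  # 'C' bit in the first GRE word
GRE_VERSION_MASK = 0x0007   # low three bits of the first GRE word

# Constructed topology: the branch router's static public IP and the cloud PoP.
BRANCH_WAN_IP = "198.51.100.7"
CLOUD_POP_IP = "192.0.2.50"
LAN_CLIENT_IP = "10.20.0.15"
WEB_SERVER_IP = "203.0.113.10"
# Constructed sample request carried by the inner packet.
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, shared by IPv4 and GRE."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Wrap an IPv4 packet in a GRE header (with checksum) and an outer IPv4 header."""
    gre = struct.pack("!HHHH", GRE_FLAG_CHECKSUM, ETHERTYPE_IPV4, 0, 0)
    csum = internet_checksum(gre + inner)  # computed over GRE header + payload
    gre = gre[:4] + struct.pack("!HH", csum, 0)
    outer = build_ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre) + len(inner))
    return outer + gre + inner


def gre_decapsulate(packet: bytes):
    """Return (outer_src, protocol_type, inner_packet); raise ValueError if malformed."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    outer_src = socket.inet_ntoa(packet[12:16])
    gre = packet[ihl:]
    flags, ptype = struct.unpack("!HH", gre[:4])
    if (flags & GRE_VERSION_MASK) != 0:
        raise ValueError("unsupported GRE version")
    offset = 4
    if flags & GRE_FLAG_CHECKSUM:
        # Re-summing header+payload with the checksum in place must give 0.
        # This only detects corruption: anyone who can alter the packet can
        # simply recompute the checksum, so it is not integrity protection.
        if internet_checksum(gre) != 0:
            raise ValueError("bad GRE checksum")
        offset = 8
    return outer_src, ptype, gre[offset:]


def accept_tunnel_packet(packet: bytes, allowed_peers):
    """Cloud-side GRE termination. GRE carries no credentials, so the only
    available check is whether the outer source IP is a known static branch
    address. Returns the inner packet, or None if it is rejected."""
    try:
        outer_src, ptype, inner = gre_decapsulate(packet)
    except ValueError:
        return None
    if outer_src not in allowed_peers or ptype != ETHERTYPE_IPV4:
        return None
    return inner


def observer_view(packet: bytes):
    """What an on-path observer sees without any key: inner source, inner
    destination and the application payload, because GRE does not encrypt."""
    _, _, inner = gre_decapsulate(packet)
    inner_ihl = (inner[0] & 0x0F) * 4
    return (socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20]),
            inner[inner_ihl:])


def build_sample_tunnel_packet():
    """Constructed branch-to-cloud packet: a LAN client's web request, wrapped
    by the branch router. Returns (tunnel_packet, inner_packet)."""
    inner = build_ipv4_header(LAN_CLIENT_IP, WEB_SERVER_IP, socket.IPPROTO_TCP,
                              len(SAMPLE_HTTP)) + SAMPLE_HTTP
    return gre_encapsulate(inner, BRANCH_WAN_IP, CLOUD_POP_IP), inner


if __name__ == "__main__":
    tunnel_pkt, inner_pkt = build_sample_tunnel_packet()
    print("accepted from allowed peer:",
          accept_tunnel_packet(tunnel_pkt, {BRANCH_WAN_IP}) == inner_pkt)
    print("accepted from unknown peer:",
          accept_tunnel_packet(tunnel_pkt, {"198.51.100.99"}) is not None)
    src, dst, payload = observer_view(tunnel_pkt)
    print("observer sees %s -> %s: %r" % (src, dst, payload[:17]))
```

The peer allowlist in `accept_tunnel_packet` is the whole of GRE’s "authentication": it guards against packets arriving from an unexpected address and nothing more, and it breaks as soon as the branch’s ISP changes its IP. The checksum failure on a tampered packet is likewise only a corruption check. An IPsec tunnel replaces both with IKE peer authentication (PSK or certificate) and ESP encryption, which is what makes `observer_view` impossible for that traffic.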

Bringing It All Together: Pros and Cons

So, here it is, seamless protection with no additional hardware. To wrap it all up, let’s put the solutions we’ve discussed side by side: Direct Connect Endpoint, i500 and VPN.

Each organization has its unique needs, and a diligent security vendor needs to provide a wide selection of tools to select from. Forcepoint is leading the charge in providing industry-grade Cloud protection without compromising on its customers’ specific needs.

Check out this case study to see how Huisman protects endpoints with Direct Connect technology using Forcepoint Web Security and Forcepoint Email Security products.

Roman Kleiner

Roman Kleiner was with Forcepoint until August of 2018, with a focus on the Secure Web Gateway portfolio. Previously to that, Roman held technical leadership and management roles within InfoSec in Symbian (later acquired by Nokia), and Finjan (later acquired by Trustwave). Roman holds a Masters...


About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.