Duo Network Gateway – Secure Remote Access Internationally Without Specialist Hardware
More employees are working remotely and using various types of devices, yet they still require access to applications located on-premises and in the cloud. This puts increasing pressure on IT resources and could present security challenges.
The Security Challenge of VPNs
Virtual private networks (VPNs) are a tried and true method for providing remote access to internal applications. Essentially, they create a private, encrypted tunnel for an off-site user to connect to applications in a corporate data center. But VPNs aren’t a silver bullet – organizations that provide users with just a username and password to log into their VPN connections could be exposed to data breaches if those credentials are stolen. Perimeter security can be vulnerable to a variety of different attack vectors like credential theft, that could allow a bad actor to gain access to the network over the VPN and move laterally at will, and several previous data breaches such as British Airways pay testament to this.
Protecting your VPN access with multi-factor authentication (MFA) adds an additional layer of defense. Whilst companies operate VPNs to provide secure remote access for employees, the perimeter model of trusted users on the inside and untrusted users on the outside has become outdated in the modern business environment. Working with or without VPNs, the perimeter must be secured.
A Zero-Trust Framework Is More Secure
This is just one of the reasons why a ‘Zero Trust’ approach to security has taken the industry by storm. Zero Trust is not a technology, but a set of principles that come together to build a better security model. In simple terms, Zero Trust designates that no trust is inherent, it is only gained through strict verification and access is controlled via least privilege role-based policies, that only allow a user access to the resources required to perform their job function. Security and trust are maintained by continuous verification, re-evaluating user and endpoint every time an access decision needs to be made.
With corporate assets no longer just residing inside the corporate firewall, possibly operating in a hybrid infrastructure consisting of on-premise and multi-cloud environments, adopting a Zero Trust strategy is seen as the current best model to provide security for how modern businesses operate.
Embarking on a Zero Trust strategy can seem complex on the face of it, particularly while also trying to ensure that you are providing a flexible, secure and consistent experience for your end users.
However, there is a simple way to kickstart your Zero Trust strategy with minimal impact to your current architecture and end users. Enter the Duo Network Gateway (DNG) …
How to Install the Duo Network Gateway (DNG)
The Duo Network Gateway (DNG) is a reverse proxy that allows your users to securely access your on-premises websites, web applications, and SSH servers using any browser, from anywhere in the world without having to install, configure remote access software on their device or worry about managing VPN credentials, while also adding login security with the Duo Prompt. Users can also remotely SSH to configured hosts through the DNG after installing Duo’s connectivity tool, providing server access without VPN.
Step 1: Installation of the Duo DNG
The DNG software is downloaded via a YML file onto a new or existing Linux server with Docker installed and can be installed on-premise into the company DMZ or in AWS, making the deployment process very fast.
Duo publicly publishes detailed installation guides with step-by-step instructions and videos to demonstrate the process of deploying DNG making it very simple for companies to get up and running very quickly. A typical installation into an appropriately prepared environment would take no more than 30 minutes. Full details can be found at https://duo.com/docs/dng
Step 2: Adding Web Applications
Once the DNG is deployed, you can go ahead and start adding your web applications that you want protected for your users to access remotely. There are two simple steps to complete before adding an application, 1. Create or update the public DNS record of your application. 2. Obtain an SSL certificate for your application using the fully qualified external DNS name of your application as the common name.
Next access the administration panel on the DNG and select Applications and Add New. Follow the configuration steps from the Duo Website to protect your first application. https://duo.com/docs/dng#protect-a-web-application-with-duo-network-gateway-
Step 3: Add SSH Server
Before adding an SSH server for protection, you will need to complete the same first two simple steps as adding a web application. Once completed, again follow the steps from the Duo website to protect your first SSH server. https://duo.com/docs/dng#protect-ssh-servers-in-duo-network-gateway
Install and configure the DuoConnect client on the user’s endpoint to autodetect SSH session initiations to the configured SSH servers and you’re good to go. https://duo.com/docs/dng#install-&-configure-duoconnect-client-
Adding new applications or SSH servers should take no more than 20 minutes each, demonstrating how quickly you can protect your internal web applications and SSH servers without the need to use a VPN.
Partnering the Duo Network Gateway with the Duo Access Gateway for SSO and Cloud Application protection, provides a complete coverage for the modern Enterprise, securing any application located anywhere from any device, but that’s another blog.
Download 5 Reasons to Protect Your VPN With MFA now and you’ll also learn how Duo’s MFA solution provides secure remote access to internal corporate applications using Cisco’s AnyConnect VPN on Adaptive Security Appliance (ASA) or FirePower Threat Defense (FTD).