VPN and SDP Configuration for Lumu

VPN and SDP Configuration

Remote users can present additional security risks as they need to make use of the potentially unsecured internet or unsecured devices to access company resources.

For organizations with a remote workforce, Lumu can apply the Continuous Compromise Assessment concept not only to corporate networks, but also to remote workers who connect through VPN (Virtual Private Network) or SDP (Software Defined Perimeter) technologies. If you want more context on Lumu deployment scenarios, consult our documentation.

This document describes the general procedure for integrating Lumu with remote users, allowing companies to be aware of remote compromises.

Requirements

  1. Administrative access rights on your VPN / SDP manager.

VPN/SDP Architecture and Lumu

Enterprises can incorporate remote workers into their network defenses by using VPN/SDP Gateways. These are devices or software components that extend the LAN to remote users over the Internet (in most cases) through a secure, private channel.

The VPN/SDP can be configured in two ways, full tunnel or split tunnel, and Lumu can assess compromises on both configurations.

Full Tunnel and Lumu

In this configuration, once users connect to the VPN/SDP, all their traffic (internal and Internet) is routed through the VPN/SDP channel. This allows the company's network security systems to process all of its users' connections. Some companies use this architecture, despite its bandwidth cost, in order to have more control over traffic, regardless of where the service is hosted.

Figure 1 - VPN/SDP full tunnel configuration.

In the full tunnel configuration, to integrate Lumu with the remote end-users, it is necessary to add Lumu DNS Servers' (or Lumu Virtual Appliances') IP addresses as default DNS servers.

The following diagram shows the client’s workstation set up with Lumu DNS addresses. When a request to resolve a hostname on the internet is made from this workstation, Lumu processes DNS requests using its patent-pending illumination process to identify if this device is “talking” with adversarial infrastructure.

Figure 2 - Lumu + VPN/SDP full tunnel configuration.

Set up the DNS on Workstations

When using the full tunnel VPN/SDP configuration, the Lumu DNS servers’ or Lumu Virtual Appliances’ IP addresses should be set as default DNS servers using the vendor's VPN/SDP administrator tool implemented by the company.
The procedure to set up DNS can differ depending on the VPN/SDP provider; for some SDP providers, the company may need to perform that configuration inside the Identity Provider. For authoritative information, please consult the vendor documentation.
The following image shows an example of Lumu DNS servers set as default on a client's workstation when connected to the VPN/SDP:
Figure 3 - Workstation set to use Lumu DNS IPs.

Split Tunnel and Lumu

The main difference between a split tunnel and a full tunnel configuration is that in a split tunnel just the internal traffic is routed through the VPN/SDP Gateway; all external connections are sent directly to the Internet. This allows the organizations to save bandwidth but implies a higher risk because of the lack of security controls in the user’s remote environment.

Figure 4 - VPN/SDP split tunnel configuration.

If the company uses split tunnel configuration, obtaining visibility into compromises in the remote user’s network through Lumu requires two steps: set up the DNS on workstations and add static routes over the SSL tunnel as well.

The following diagram shows that when using split tunnel configuration all external traffic is routed directly through the Internet channel (out of the tunnel):

Figure 5 - Lumu + VPN/SDP split tunnel configuration.

Add Static Routes

To send DNS queries through the tunnel as internal traffic, the company should add static routes for the Lumu DNS servers' or Lumu Virtual Appliances' IP addresses that point at the VPN/SDP Gateway.

The procedure to add static routes can differ depending on the VPN/SDP provider; we recommend following the instructions in your vendor documentation or consulting your network administrator.

The following examples show the general structure for adding static routes via command line:

route 50.17.0.10 mask 255.255.255.255 gateway IPADDRESS_VPN_Gateway
route 3.87.85.24 mask 255.255.255.255 gateway IPADDRESS_VPN_Gateway

This image shows an example of a routing table that was configured to use Lumu DNS IPs for sending queries through the VPN security tunnel:

Figure 6 - Route table configuration.
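As an added example (not Lumu's own code or tooling), the following Python script checks a workstation's routing table and resolver list for the two conditions this article describes: the resolvers in use are the Lumu DNS addresses, and in a split tunnel, traffic to those addresses is routed through the VPN interface rather than the default Internet route. The routing tables and resolv.conf content are constructed samples in "ip route" format; the VPN interface name tun0, the VPN gateway 10.8.0.1 and the home router 192.168.1.1 are assumptions, while the Lumu addresses are the ones used in the route commands above. The script covers both the full tunnel and the split tunnel case, before and after the static routes are added.

```python
"""Check whether a remote workstation's DNS queries to Lumu would travel
inside the VPN/SDP tunnel (added example, not Lumu's own code)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Lumu DNS server addresses, taken from the static route examples above.
LUMU_DNS = {"50.17.0.10", "3.87.85.24"}

# CONSTRUCTED sample: split-tunnel client before the static routes are added.
# tun0 / 10.8.0.1 are a hypothetical VPN interface and gateway; eth0 /
# 192.168.1.1 are the user's home network. Only 10.0.0.0/8 goes into the tunnel.
SAMPLE_ROUTES_SPLIT_MISSING = """\
default via 192.168.1.1 dev eth0
10.0.0.0/8 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""

# CONSTRUCTED sample: the same client after the article's two /32 routes.
SAMPLE_ROUTES_SPLIT_FIXED = SAMPLE_ROUTES_SPLIT_MISSING + """\
50.17.0.10 via 10.8.0.1 dev tun0
3.87.85.24 via 10.8.0.1 dev tun0
"""

# CONSTRUCTED sample: full-tunnel client, where the default route is the tunnel.
SAMPLE_ROUTES_FULL = """\
default via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""

# CONSTRUCTED sample resolv.conf: Lumu servers plus a leftover home router entry.
SAMPLE_RESOLV_CONF = """\
# Generated by the VPN client (constructed sample)
nameserver 50.17.0.10
nameserver 3.87.85.24
nameserver 192.168.1.1
"""

Route = Tuple[ipaddress.IPv4Network, Optional[str], str]  # (prefix, via, dev)


def parse_routes(text: str) -> List[Route]:
    """Parse 'ip route'-style lines into (prefix, next hop, interface)."""
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        prefix = ipaddress.ip_network(dest, strict=False)  # bare IP -> /32
        via = parts[parts.index("via") + 1] if "via" in parts else None
        dev = parts[parts.index("dev") + 1] if "dev" in parts else ""
        routes.append((prefix, via, dev))
    return routes


def lookup(routes: List[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match, mirroring how the host picks a route."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Return the nameserver entries from resolv.conf-style text."""
    return [p[1] for p in (ln.split() for ln in resolv_conf.splitlines())
            if len(p) >= 2 and p[0] == "nameserver"]


def assess(resolv_conf: str, route_table: str, vpn_dev: str) -> Dict[str, str]:
    """Classify each configured resolver as 'in-tunnel', 'bypasses-tunnel'
    (a Lumu server reached via a non-VPN interface) or 'not-lumu'."""
    routes = parse_routes(route_table)
    verdict: Dict[str, str] = {}
    for ns in parse_nameservers(resolv_conf):
        if ns not in LUMU_DNS:
            verdict[ns] = "not-lumu"
            continue
        route = lookup(routes, ns)
        in_tunnel = route is not None and route[2] == vpn_dev
        verdict[ns] = "in-tunnel" if in_tunnel else "bypasses-tunnel"
    return verdict


if __name__ == "__main__":
    for label, table in [("split tunnel, no static routes", SAMPLE_ROUTES_SPLIT_MISSING),
                         ("split tunnel, static routes added", SAMPLE_ROUTES_SPLIT_FIXED),
                         ("full tunnel", SAMPLE_ROUTES_FULL)]:
        print(label)
        for ns, status in assess(SAMPLE_RESOLV_CONF, table, "tun0").items():
            print(f"  {ns:<15} {status}")
```

A "bypasses-tunnel" verdict for a Lumu address is the split-tunnel gap this article warns about: the resolver is correct, but the query leaves through the user's Internet connection instead of the VPN/SDP Gateway until the /32 static routes are in place. A "not-lumu" entry indicates a resolver the VPN client did not replace, so queries sent to it are never seen by Lumu.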