Remote users can present additional security risks as they need to make use of the potentially unsecured internet or unsecured devices to access company resources.

For organizations with a remote workforce, Lumu has the option to implement the Continuous Compromise Assessment concept to not only corporate networks, but for remote workers using VPN (Virtual Private Network) or SDP (Software Defined Perimeter) technologies as well. If you want more context on Lumu Deployment scenarios, consult our documentation.

This document describes the general procedure for integrating Lumu with remote users, allowing companies to be aware of remote compromises.

1. Administrative access rights on your VPN / SDP manager.
   

VPN/SDP Architecture and Lumu

Enterprises can incorporate remote workers into their network of defenses by using VPN/SDP Gateways. These are devices or software which are developed for extending LAN Networks to the Internet (in most cases) through a safe and private channel.

The VPN/SDP can be configured in two ways, full tunnel or split tunnel, and Lumu can assess compromises on both configurations.

Full Tunnel and Lumu

On this configuration, once users connect to the VPN/SDP, all their traffic (internal and Internet) is routed through the VPN/SDP channel. This allows the company’s network-systems to process all its users’ connections. Some companies use this architecture, despite its bandwidth cost, in order to have more control over traffic, regardless of where the service is hosted.

Figure 1 - VPN/SDP full tunnel configuration.

The following diagram shows the client’s workstation set up with Lumu DNS addresses. When a request to resolve a hostname on the internet is made from this workstation, Lumu processes DNS requests using its patent-pending illumination process to identify if this device is “talking” with adversarial infrastructure.

Figure 2 - Lumu + VPN/SDP full tunnel configuration.

Set up the DNS on Workstations

The procedure to set up DNS can be different depending on the VPN/SDP provider, for some SDP providers, this may require the company to perform that configuration inside the Identity Provider. For authoritative information, please consult the vendor documentation.

The following image shows an example of Lumu DNS servers set as default on a client's workstation when connected to the VPN/SDP:

Figure 3 - Workstation set to use Lumu DNS IP's.

The main difference between a split tunnel and a full tunnel configuration is that in a split tunnel just the internal traffic is routed through the VPN/SDP Gateway; all external connections are sent directly to the Internet. This allows the organizations to save bandwidth but implies a higher risk because of the lack of security controls in the user’s remote environment.

Figure 4 - VPN/SDP split tunnel configuration.

 

If the company uses split tunnel configuration, obtaining visibility into compromises in the remote user’s network through Lumu requires two steps: set up the DNS on workstations and add static routes over the SSL tunnel as well.

The following diagram shows that when using split tunnel configuration all external traffic is routed directly through the Internet channel (out of the tunnel):

Figure 5 - Lumu + VPN/SDP split tunnel configuration.

Add Static Routes

For sending DNS queries via the internal traffic, the company should add Lumu DNS servers’ or Lumu Virtual Appliances’ IP addresses as static routes.

The procedure to add static routes can be different depending on the VPN/SDP provider, we recommend following the instructions from your vendor documentation or consult your network administrator.

The following examples show the general structure for adding static routes via command line:

This image shows an example of a routing table that was configured to use Lumu DNS IPs for sending queries through the VPN security tunnel:

Figure 6 - Route table configuration.