Cisco Portugal Blog

Security Tip of the Month: What to do after VPN?

May 29, 2020

Recently we have seen a substantial change in our lives, the spread of coronavirus all around the world is having a huge impact on people and enterprises. This means that sending everybody to work from home has required IT professionals to change their focus from other projects, to provide remote access so people don’t stop working and to keep the business going on. Some companies suddenly had to grow their VPN environments from 5k users to 100k users and some other didn’t even have any VPN solution in place, but had to provide one.

One of the thoughts that comes to my mind is that when companies need to provision urgent networking infrastructure, sometimes multiplying the current one by several multiple times, the last question they ask their selves is “What about Security?”. The priority often is to grow connectivity and not to be seen as the business bottleneck. It seems like this sent us back to some decades ago when networking was the protagonist and IT Security was just secondary or nonexistent.

After this turbulence we need to bring attention back to Security, because the lack of it can also be the cause for outages, data leaking or reputation losses. When we face this new challenge with several personal networks connected to our Datacenters and Applications, we need to address as much as possible the risks putting in place security controls or countermeasures to mitigate those threats and to act with due diligence.

For this purpose we must understand what are the threats we are facing. Do you know which are the most common threats on companies networks?

According to Cisco Cybersecurity 2020 Report for SMB, they are Ransomware, Stolen Credentials and Phishing and next we are going to explain how to have Control and Visibility over this threats for remote users.



Ransomwares are well known malwares that encrypt the victims’ files and require the victims to pay a ramson in order to restore access to data. What many people don’t know is that some of them use a communication channel based on DNS and also DNS queries to solve the IP addresses of their infrastructure. If you put in place a DNS Security solution, it will prevent these communications so the malware will never be able to exchange encryption keys and encrypt user data and also block suspicious DNS queries, all of these can be achieved with Cisco Umbrella.

Other perspective for malware blocking, is an endpoint protection platform like Cisco AMP that can prevent systems from running known pieces of malware and even zero day threats, leveraging the use of ThreatGrid sandbox system.

Stolen Credentials are sometimes inevitable from the IT Team perspective, as you cannot control every aspect of the user behavior, but what we can do is to make our systems require a second authentication factor which is in turn not easy to steal. This can be accomplished with Cisco DUO, you can require multi factor authentication not only for the VPN itself, but for the applications that users have direct access via internet.

Finally, Phishing is one very common method that attackers use to convince a victim to click a malicious link, which can lead to the installation of malware. Cisco Umbrella can stop this type of attacks by blocking suspicious DNS domains used by Phishing attacks. Once a malicious domain is first detected anywhere worldwide by Umbrella, it can be blocked everywhere.



Although the solutions mentioned here offer some level of visibility, we are going to explore here one that has way too deeper visibility on remote endpoints, which is called CESA – Cisco Endpoint Security Analytics.

CESA leverages AnyConnect and Splunk to deliver visibility of remote VPN workers for: application and processes running on devices, unusual application behavior, C&C detection, SaaS use behavior, data hoarding and exfiltration, device type and OS inventory, threat hunting and others. For companies that have a performance concern on the VPNs, it helps figuring out what traffic can safely be put in the split-tunnel VPN policy, doing traffic engineering, reducing VPN load  to datacenter and to further monitor this traffic.

Cisco recently announced free licenses for Umbrella, DUO and AnyConnect until July 1, to provide support to our customers during Covid-19 crisis, also CESA has a free 90-day license. You can find more info here.


So, if you need to take the first steps on securing your remote worker, these are some of the best paths to take, even though they are not the only options, they are certainly very easy and quick to deploy whilst you can leverage the use of existing AnyConnect and its integrations with Umbrella, AMP and DUO. Cisco also has a big team of Subject Matter Specialists that will be glad to help you design and deploy these and many other solutions to keep your business ahead of the curve! Reach out for more information.