Using Client VPN with Your Firewall for WFH: a Setup for Disaster?


It’s now been more than a year since many employees were first forced to work from home. With less than a week to prepare in some cases, very few business and employees were ready to make this shift. IT departments in particular were hard hit, as most had insufficient VPN licenses and/or horsepower to sustain that many client VPN connections. Employees weren’t ready, either, as many found work at the dining-room table necessitated weekly chiropractor visits after a few months. It hasn’t been easy for anyone!

But now that employees are properly set up with a decent desk, a good chair and a new daily routine, many are loving it. No more driving in traffic, no need to dress up, no need to pack a lunch … plus all the financial advantages that come with remote work, like less money spent on gas and vehicle maintenance and, in some cases, even a tax deduction.

Businesses are seeing the benefits, too. Many are finding they can cut their office space by half, if not more. There’s now no need for a satellite office just to accommodate 2-3 people, when those employees can work from home. And if the best candidate for a position is a six-hour drive away, who cares!

Many business owners have already decided work-from-home is here to stay — and in some industries, those who resist this change will find that candidates demand it. (I personally declined a job offer with a salary jump in the five figures. No way am I going back to an office!)

The Problem with Keeping Ad-Hoc Setups

Imagine you have 100 employees reporting to work in your office. Each day, they show up fully masked and follow all recommended COVID-19 protocols for distancing, handwashing, etc. But each night, they go to concerts, busy restaurants, packed bars or other large gatherings, all without masking or distancing. Then they come back to the office, and the cycle repeats itself again, and again, and again. How safe is your office, really? Even with safeguards in place, it would only be a matter of time before everyone in the office was exposed to the illness.

Relying on client VPN with your firewall creates a similar situation. The office is safe. You have a well-known, business-grade next-generation firewall with all the latest tech to block ransomware and other threats.

But what sort of firewall is there at home? Is there any security at all? Many employees use the ISP router with its default Wi-Fi password. This router is also connected to the rest of the devices in the home, including those of teenagers whose goals in life sometimes seem to be clicking on everything they possibly can on social media platforms AND consuming hundreds of gigabytes per month (or per day) worth of torrent.

You have 100 employee laptops, going home every night to different unsecured and potentially infected networks. Then, the next day, they connect to the office. The cycle repeats, week in and week out. To me, it’s a terrific plan to bring some bad stuff in your corporate network.

Some will say, “Yeah, but I have a good antivirus on the corporate laptop!” Sorry to call it out like that, but you’re living in denial. If all you need is antivirus on laptops, then why did you purchase a next-generation firewall, a SIEM, 2FA capabilities, email security, etc.?

How Do You Prevent Cyberattacks? Much the Same Way You Prevent COVID-19.

The best way to prevent COVID-19 infections is to stay home with your family: No restaurants, no bars, no airports. The solution for corporate laptops is exactly the same. The device stays in the office, all the time. No coffee shops, no airports, no home networks — it never leaves the employee’s desk.

But with many jobs requiring after-hours connectivity, and many employees still choosing (or being required) to work from home part-time, this isn’t realistic in many cases.

In these cases, client VPN can bridge the security gap — but not when connected to a firewall. For optimum security and usability, the VPN should be routed through an advanced VPN solution such as SonicWall’s Secure Mobile Access (SMA) solution.

SonicWall SMA Series has advanced client VPN features that allow employees to work from home while virtually keeping the laptop in the office all the time. SMA achieves this by combining two features:

  • Tunnel all VPN: This feature forces all your laptop network traffic to the head office through the VPN, cutting off access to the local network. Which is exactly what we want, as the local network can be anywhere the employee does work, including a coffee shop or an unsecured home network. By using “tunnel all,” the device is isolated from any unknown and untrusted network. It also means the laptop is, networking-wise, sitting in the office as all its traffic (access to local corporate servers, Facebook, Office 365, YouTube) is going through the VPN and out from your corporate firewall — complete with all inspections and controls just as though it were physically sitting in the office.
  • Always-on VPN: This key feature of SonicWall SMA isn’t available on firewalls. Always-on VPN forces the VPN client to connect automatically, as soon as any network access is found — even before you’ve unlocked your machine. This means that GPO and login script will work. Another advantage of always on VPN is that employees cannot disconnect the VPN: They’re locked in.

Used together, tunnel all VPN and always-on VPN ensure your corporate laptops are always safe and secured by keeping them (virtually) from ever leaving the office. In other words, a laptop can be anywhere physically, but as far as the corporate network is concerned, it cannot be anywhere other than on the secured corporate network. And when the laptop is physically in the office, a feature known as “Safe Network Detection” will detect the laptop on premises and will stop routing network access through the VPN.

Doing remote work with your firewall’s client VPN allows all your employees to gather bad stuff from untrusted and unsecured networks and bring these threats into the office through the VPN client. But with the SonicWall SMA Series, your corporate devices are always following government health guidelines — they stay in the office at all times, no exceptions. Regardless of where they are physically, there is only one network they have access to: the corporate network, which includes all the proven security mechanisms you’ve put in place to protect your corporate perimeter. Your employees get the flexibility they want, and you get the peace of mind you need.


SonicWall Staff