Welcome to The Springboard, where we take ideas to the deep end! In this video series, subject matter experts from the Auvik team share their thoughts and break down complex tech topics in an easy-to-understand way. If you subscribe here, you’ll get access to the full library and be alerted for every new episode.

You won’t get access to The Springboard anywhere else! Sign up now so you don’t miss out.

In this episode of The Springboard, we’re “boring in” on a topic you might be familiar with: VPN Split Tunneling. Auvik Sales Engineer Lawrence Popa delves into optional ways to route traffic through VPNs, which help keep your data secure. Lawrence also uncovers the advantages of being able to choose different levels of security for your network traffic.

Lawrence [00:00:07] Welcome to the springboard where we take ideas to the deep end. I’m Laurence, a sales engineer here at Auvik. And today we’re talking about VPN split tunneling. Is VPN split tunneling for you? Let’s dive in. So what is VPN split tunneling? It’s a pretty simple concept. A VPN is a tunnel or hidden connection between your computer and the device or network it’s trying to talk to across the internet. It takes all of your data packets, encrypts them, then wraps that up in a new header before being sent along to the VPN host. But as we all know, not all the stuff we do on work computers is either destined for the work network or sensitive enough to require that extra level of security. So what if you could send that top-secret stuff along the VPN, but the regular traffic could make its way out on the regular information superhighway. That’s VPN split tunneling. Normally a VPN is all or nothing. But with split tunneling, you’ve got choices. Only the specific traffic sources you choose will be routed through your VPN connection. Besides the basic method I described just now, there are three general alternatives to split tunneling. There’s inverse split tunneling: it’s like the opposite of what I just explained. Every data source except the ones you identify are sent through the VPN. Then you have dynamic split tunneling. While traditional split tunneling relies on access control lists that you set up to decide what’s included or not in the tunnel, dynamic split tunneling uses a DNS protocol to enhance what’s included or not. And finally, there’s dual-stack networking, which is basically unintended split tunneling. It’s less an alternative and more of a “beware of getting into this” type of situation. If you’re running VPN with access to both IPv4 and IPv6. It’s common that your IPv6 data will be going out unencrypted. So, protip! Make sure your VPN supports both. So what’s so great about VPN split tunneling? It represents the best of both worlds: the speed and performance of an unencrypted link, but the data security, when and where you need it. Just like a regular tunnel, if you try to fill it with traffic, it’s going to slow down. It takes time to encrypt, repackage, send, receive, decrypt, and then forward on each little bit of traffic across the network. Add to that your web browsing, your online banking, a video conference, or even streaming a movie after work. And that’s a lot of data and a lot of detours for packets that are ultimately destined for the public web anyway. Not to mention your network management and security software is going to track it in and back out. Split tunneling saves your corporate infrastructure all that congestion by sending public and local traffic on its merry way. It can’t all be roses, though, right? Depending on your job, it’s not. For example, security. Because very few end users have the same level of security infrastructure on their home networks, or if they’re working through public Wi-Fi. the risks of snooping, malware, and various other threats are large. By forcing all of that device’s traffic through the corporate infrastructure, it essentially puts that network behind the corporate perimeter, which is a lot safer. Rule of thumb: security folks like to be safe. The added strain of VPN for all data is usually a performance hit they’re willing to take. So, is split tunneling for you? The decision to start splitting your VPN traffic really comes down to two factors: risk tolerance and security tools. If you have excellent endpoint security or are using a cloud-based web proxy to an internet-based security service, split tunneling is almost as secure as being physically inside the corporate network. When making your decision, I’d encourage you to look for reasons to enable split VPN, rather than looking for reasons not to. And now, next time you’re asked about VPN split tunneling, you’ll know. If you want to learn more about this and other networking topics from myself, and other Auvik experts, check out our resources page. I’m Laurence Popa for The Springboard. Thanks for taking the plunge with us.

Steve [00:00:06] Welcome to The Springboard, where we take ideas to the deep end. I am Steve, Product Strategy Director here at Auvik, and today we’re talking about zero trust. The term zero trust gets thrown around quite a bit. But today we’re going to break through the marketing hype and talk about what zero trust is, what it isn’t, and why you should pay attention to it. Let’s dive right in first. What does it actually mean? Does it actually mean trust no one? Like zero trust anywhere? Well, not quite. At its heart, zero trust is a concept that no device and no individual can be trusted without verification. And verification can come at many different levels. We can start with a network, and this is an area where a lot of network professionals that have been around for a while are quite familiar with. Right? We used to have the “inside network” and the “outside network.” I trust everything that’s inside and don’t trust everything that’s outside. And we talked about that a bit in our network segmentation video, but your trust doesn’t stop there and involves verifying each device on the network, and having each device prove that it should be there. Just because a device has access to my internal network does not mean I should trust it, right? The obvious answer is no. I wouldn’t trust anyone that walks into my house at midnight just because they walk through the front door. Well, I mean, I hope not. But in today’s world of wireless connectivity, you don’t even need that key to get in the front door. It’s easier to break into that network without even breaking a physical barrier. Wi-Fi networks are everywhere, and the security levels of those networks vary quite significantly. So we talked about the network and the device, but we can probably dive deeper. What about the user? Should I trust the laptop that I’m on? Do I know that it’s me just because it’s my laptop and it’s on my network? I wouldn’t. What about all the things that I’m accessing on that laptop, like a file share on the network? Or the applications that I’m accessing? Or even the data within those applications like financial data? We can’t talk about trusting a user without also talking about trusting the applications that they’re using, and the data that they’re accessing within those applications. And if we extend that example from my laptop the number of things I can do on my laptop are near unlimited. This is why the idea behind zero trust includes continual validation of the device of the user. You have to be able to ensure that the data users have access to, and the applications they use, and the actions that they’re doing on that device, are all things that they can, and more importantly, the things that they should, be doing. So why would you want to implement a zero trust mindset? Well, the traditional concept of the perimeter is gone. Right. Especially with the work-life balance that most of your employees are employing today. Work is being done on every device type, from every network, from every location, and in more applications than before. And with constantly shifting security threats, there’s things we don’t even know about today. And so zero trust only makes sense. So now that we’ve identified what zero trust is, let’s talk about what zero trust isn’t. Zero trust is not a product, a software or technology. It’s not something you just buy off the shelf. It’s rather something that you buy into. It’s also not a final destination. And what I mean by that is that zero trust is not something that you arrive at and then you’re good forever. Security, as in all forms, is always evolving. So best practices around implementing zero trust will change over time. So now that you’re on board? Great. You want to get started on zero trust? Awesome. Remember, it’s a journey. It’s not a destination. So to get started, Auvik has a number of resources on our blog. Check those out first. There’s also resources from the UK’s NCSC and the US’s NIST, and those have great resources to help you get started on zero trust as well. Remember, it’s all about taking incremental steps every day, every week, every month to move you towards that more secure model. It’s not something that happens overnight. But if you’re sitting there going, “Steve, I need something before I leave this video”, then let me leave you with this. Start with observing. Get visibility into your network, into your users, into your data, into your applications. Start by getting the systems in place to understand how people are using these resources and how all these things are interacting. The first step towards securing your network and implementing zero trust is simply by getting visibility and knowing what it is that you’re looking to protect. And now, next time you’re asked about zero trust, you’ll know. If you want to learn more about this and other networking topics from myself, and other Auvik experts, check out our resources page. I’m Steve Petryschuk for The Springboard. Thanks for taking the plunge with us.

Destiny Bertucci [00:00:07] Welcome to the springboard, where we take ideas to the deep end. I’m Destiny Bertucci, one of the product managers here at Auvik. Today we’re going to be talking about the Simple Network Management Protocol, or as you and everyone else really know it, SNMP? So let’s dive in. So what is SNMP? Basically, it’s how we talk to devices, right? So that’s one of the ways that we can do it. If we’re monitoring and managing devices, you probably know about SNMP and it turned on or turned off. So let’s talk about SNMPv1, why it’s good, and why it’s not so great to still be using. So SNMPv1 established the ground rules, right? The basic commands that are going to reside in V2 and V3 of today. Which, as we know, V2 is actually “V2c.” Another story. So V1 has largely gone away because of the lack of security, and it only did 32-bit counters. However, I like to use it for troubleshooting sometimes, so I will turn on the V1 if I cannot establish a connection with V2 or V3. And why do I want to do that? Because V1, I can see it if I’m doing a packet sniff. Also, people can see it, right? So let’s start thinking about that. The snooping in, and the actual third-party middleman, things of that nature, can see the traffic in V1. Now that’s great for troubleshooting, bad for monitoring if people get in there and actually can see what you’re doing and spoof your traffic. So also for compliance, I like to run a discovery using SNMPv1 because as we know, out of the box is public and private. Public was fro read. Private was for read/write. So if anything responds to those, I can immediately remediate that situation and not wait for a hacker somebody to use the information. Because as we’re using the keys to the castle, the monitoring software, we don’t want everybody to know what the key is, right? And we don’t want them to actually break anything, or to get into knowledge. So! SNMPv2c helped to improve two of the major holes, one of them I addressed earlier was security. So the security functionality actually got an improvement. But we also allow for 64-bit counters, which means you’re getting accurate data in those [chef’s kiss] health statistics. So what else did it do? It added to the basic set of commands. So you get a GETBULK so you can request multiple variables and one message, and INFORM which is a tweet to your traps, and a little bit more of a read receipt and a little security, and a “did it get there and didn’t did not.” V2 also solved a number of security concerns, mainly access control. So now I’m able to actually have access control and limit who can actually see the SNMP data. So that’s a win-win for society, right? I mean, everybody needs more security. And let’s talk about SNMPv3. So SNMPv3, it took security to a whole other new level. So this introduced more complex ways to configure it. Hence why I said I sometimes use SNMPv2 or 1 to troubleshoot why I’m not getting a connection, because of the complex setup in the usage by some of the outsiders, right? So now I have a username and I have a context that I can set up to use my SNMPv3. But on top of it, I have to have an authentication level. So that can be used and MD5, SHA1, things of that nature, and I use that in combination with encryption privacy. So that’s DES or AES levels, right? So there’s like, you know, 128, 256 things of that nature. Which can prevent the tampering and snooping that I was talking about earlier, where people can actually take over the community strings, look for other devices, look for the information, do a packet sniff, or see the information in plain text. They’re not able to do that information now. It’s much harder when you incorporate authentication with encryption itself. And on the functionality side, we saw three big additions. So now you have an SNMP View, so administrators can say you can view this, but you don’t have to know the credentials and we can keep it locked down. We have Groups so that we can manage access levels, for read/write or read-only, or however we’re wanting to divide that, but it’s a different level of security that we can provide. We have an SNMP User that applies these group rules to each account. And so this allows them for the username, password set up, and things like that to actually allow them to see the information of the SNMP. And now, next time you think about SNMP, or somebody asks you a question
about SNMP, I hope I gave you some tidbits that you could actually define the different three, and know the difference between them all. And you’ll be like, “I know this. Because of Springboard.” So if you’d like to see more burning technology topics tackled by me and my fellow Auvik experts, check out our resource page. I’m Destiny Bertucci for Springboard. Thanks for taking the plunge with us.

Video Transcription

Steve Petryschuk [00:00:06] Welcome to The Springboard, where we take ideas to the deep end. I’m Steve, Product Strategy director here at Auvik, and today we’re going to talk about network segmentation. I’m sure you’ve heard the term before, but we’re going to dive into exactly what network segmentation is, and why you might want to do it. Let’s dive in.

So first, what is network segmentation? It’s about taking a large network and breaking it down into smaller bits or segments. And that’s primarily done through two different ways. The first is physical segmentation. This is separation between physical assets, physical switches, physical cabling. So think more switches, more cables. The second is logical segmentation. And this is using that same physical and underlying infrastructure, but creating software and policy and rules that prevent data from flowing back and forth between different logical segments.

So why would you want to segment a network? You know, if you’re familiar with your home network, if you haven’t done any configuration to it, it’s probably a very flat network today. Not really segmented. That’s not really appropriate in a corporate environment. And there’s a number of reasons why you’d want to segment that network. The first is security. By creating different network segments, I’ve decreased the blast radius, and given different playgrounds for users in my environments to work in. It creates more enforcement points, more visibility into the traffic going across the network, allowing me to enforce more rules on who can access what. The second is monitoring. If I have a more segmented network, every time traffic goes from one segment to another, it allows me to monitor that traffic, and help to understand what’s actually happening on my network, how things are performing. And speaking of performance, as we segment a network, I actually break down a large area of the network into smaller components, which tend to perform better overall. So we have a better performing network once it’s segmented.

So you’re probably thinking, “I’ve done networking. I’m familiar with network segments.” If you’ve been in it for any length of time, you’ve either built or worked with a segmented network. Well, let’s look at a couple of concrete examples. The first is voice networks. Voice networks are a good example. In the olden days of a physically segmented network, where we might have dedicated switch infrastructure, dedicated cabling for those VoIP phones that were sitting on desks. And we did this primarily for performance or latency reasons because the devices were so sensitive to that. I mean, that’s not so much of a problem anymore today, but we still see some physical segmentation in the world of control systems, as an example. Factory floors would often be a physically segmented network from the corporate office network. A logical example of network segmentation would be a guest wireless network. So you may have two SSIDs being broadcast, which allow users to connect to one or the other. But those SSIDs are both being broadcast by the same physical access point, leverage the same physical cabling back to the switch, leveraging the same switch, as this is an example of using that same physical infrastructure by doing logical segmentation.

Come to today. In modern times, we can start to talk about zero-trust networking as a method of network segmentation. But it’s just network segmentation almost to the extreme, where we look at every single user, every single device, possibly every single resource or asset or document. I could put policies and controls around those individual users, files, and devices. And so it’s kind of network segmentation right to the extreme.

We’ll definitely dive more into zero-trust networking in a future episode, but we’ll leave it there today. If you want to learn more about this, and other networking topics, from myself and other Auvik experts, check out our resources page. I’m Steve for The Springboard.

Thu, March 31, 2022  |  12:00am ET