Guide to optimising network traffic for cloud services
This guide describes how agencies can reduce remote workers’ dependence on their agency networks and improve performance by reconfiguring their VPN from forced tunnel to inverse split tunnel architecture.
This document provides technical advice for agencies, security managers of information technology and network engineers managing network capacity for remote workers.
It’s intended for agencies that already have remote workers with VPN access from agency-managed devices who may be experiencing problems with reliability or performance when accessing cloud services.
Agencies can experience performance and reliability issues that affect remote workers.
This can occur as a result of heavy use of cloud productivity applications being routed through an organisation’s corporate network by users connecting over the organisation’s VPN.
High-volume personal traffic, such as music or video streaming, can also create additional load on your network.
Requiring all network traffic from remote users to traverse your agency network also creates a single point of failure. This can block remote workers from accessing cloud applications that they could otherwise continue using.
Inverse split tunnelling
In most cases there is little security benefit from routing public cloud traffic through internal networks and proxies. VPNs can be configured to allow defined network traffic directly between user devices and approved cloud services without increasing risk to your information or organisation.
Examples of high traffic public cloud services that should be considered for inverse split tunnelling include:
- productivity applications — such as Microsoft Office 365, Microsoft Teams, Zoom and Skype for Business
- music or video streaming services — such as YouTube and Netflix.
This guide assumes that you already have:
- a functioning VPN capability
- secure end-user devices with a VPN client, host-based firewall and up-to-date anti-virus, and
- the ability to remotely manage end-user devices and push policy and configuration updates.
Optimising network traffic
The most common configuration of VPN deployments is forced tunnelling. This is where all network traffic from your end-user devices must route back to your agency network through the VPN. Connections to cloud services are then routed back to the internet.
This is often done in order to monitor and control network activity from the end-user device. This architecture is recommended for organisations that have not yet begun using cloud-based productivity or business applications. Where an organisation makes extensive use of cloud services this architecture can impose unnecessary reliability and performance degradation.
This architecture has several limitations:
- Your organisation’s network becomes a point-of-failure for staff accessing cloud services. If there is an issue with internet access through your network, people working remotely will be unable to access cloud services.
- The bandwidth or packet-forwarding capacity of your organisation’s internet connection may cause performance issues.
- Remote users may find that some cloud services do not function correctly with traffic forced through a VPN.
Inverse split tunnelling
Inverse split tunnelling is a VPN configuration where network traffic from the end-user device to approved cloud services is allowed directly and does not traverse the VPN or your corporate network.
We do not recommend full split tunnelling. This allows all internet traffic to bypass the VPN and could allow an attacker on the internet to access your agency’s internal resources through the end-user device.
There are several aspects to inverse split tunnel configuration:
- Network routing tables
- VPN policy configuration
- Firewall configuration
- Type of network traffic
Depending on your VPN product you may need to configure any or all of these.
Split tunnelling definition and requirements — New Zealand Information Security Manual (NZISM)
In this architecture the end-user device only connects to trusted environments and does not connect to, nor accept connections from, devices on the untrusted public network.
- NZISM 21.1 Distributed working: Agency-owned mobile devices — Government Communications Security Bureau
- How-to guides for common VPN platforms — Microsoft
These guides can be used for any cloud service, not just Microsoft options.
Securing end-user devices
The VPN client or other host-based firewall on the end-user device must be configured to drop all connection attempts from the internet. If you have end-user devices that do need to accept connections from the internet, then the host-based firewall must be configured to only allow the minimum necessary access and to drop all other traffic.
- Virtual Private Networks (VPNs) — NCSC UK
- Alternative ways for security professionals and IT to achieve modern security controls in today's unique remote work scenarios
Securing access to cloud services
You may have configured the cloud services you use to only allow connections from your own networks. You’ll need to configure cloud services to accept access from any Internet Protocol (IP) address. To mitigate the risk of unauthorised parties gaining access to your information in the cloud we strongly recommend the following additional controls.
Single sign-on (SSO)
We strongly recommend that agencies which have an existing federated identity capability use this for managing users’ access to cloud applications. This ensures that the cloud service does not require separate management of user accounts, and may allow users to access cloud services without logging in if they have already logged in to the agency directory from their device.
Multiple factor authentication (MFA)
We strongly recommend configuring cloud services to require multiple factor authentication for all access. This reduces the likelihood of an attacker guessing or gaining access to your information in cloud services.
Logging and reporting
You’ll need to maintain visibility of who is accessing your information in the cloud. You should review access logs periodically and enable centralised logging where possible.
Configuring cloud services
Microsoft Office 365
If your agency is already using Office 365 it’s likely that single sign-on is already configured.
Configuring single sign-on varies depending on how your Office 365 deployment has been designed so we can’t provide guidance for this.
Guidance for configuring MFA for Microsoft Office 365.Set up multi-factor authentication for Microsoft 365 — Microsoft
Microsoft have provided guidance for configuring split tunnel access to Office 365 at the link below. They have also included step-by-step configuration guides from key VPN vendors.How to quickly optimise Office 365 traffic for remote staff and reduce the load on your infrastructure — Microsoft
Zoom provides configuration guides for enabling SSO with a wide range of directory solutions including Azure Active Directory, ADFS, Okta and GSuite / Google Apps.
Configure your VPN policy and routing to allow direct connections to the domains and IP addresses listed in Zoom network firewall or proxy server settings.