Combining VDI & VPN for Remote Work
If your organization is looking for a company-wide remote work solution that is secure, affordable, easy to manage and maintain, and simple for end users, a combination of VDI and a hardware VPN may be the right fit.

Combining Virtual Desktop Infrastructure (VDI) with a hardware VPN lets your employees connect securely to your corporate network from their own devices.
VDI lets end users work remotely through a virtualized desktop that runs on servers in your data center. The end user device connects through the VDI client to a virtual machine you have provisioned on those servers, and the user works as if they were sitting on your internal network.
With VDI, no business data needs to be stored on the end user device. The user sees the screen of the virtual machine and interacts with it, but the files stay on the server. Note that this only holds if you disable client-side redirection features (clipboard, drive mapping, printing and USB redirection) in the VDI policy; with those enabled, data can still leave the virtual desktop. VDI supports a range of end user devices, from laptops and desktops to tablets and mobile phones.
Combining this environment with a hardware VPN, like Attila's GoSilent Platform, encrypts all traffic between the end user device and the central network, so the VDI session itself is never exposed directly to the internet.
Read the full article on combining VDI and a hardware-based VPN for more information on how it works.
Remote Access for Plant Operators
Using an architecture similar to the example above, a VDI and VPN combination is especially useful for allowing remote access to Human Machine Interfaces (HMIs) inside manufacturing plants.

This lets a technician remotely track the performance of plant equipment and alert on-site maintenance staff when physical work is required on that equipment. Through the VDI session the technician can also tune settings as needed to keep the equipment running well, without ever pulling sensitive data out of the plant and storing it on a device outside it.
This deployment option also makes it easy to limit which traffic can get anywhere near the HMI. With the right hardware VPN, you can enforce a rule that only allows the VDI display protocol through the tunnel, and only to the virtual desktop host; the HMI is then reachable only from that virtual desktop inside the plant network.
The result is that the HMI is never exposed to the outside world, and a compromised technician laptop gets a view of a desktop rather than a network path to the controller.
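As an added illustration of that rule (this is not GoSilent configuration and not from the original article), here is what "only VDI traffic through" looks like as an nftables forward chain on a Linux gateway sitting between the VPN tunnel and the plant LAN. The interface name, addresses and the use of RDP on TCP 3389 as the VDI protocol are assumptions:

```nft
# /etc/nftables.conf on the plant-side gateway (added example; tun0 is the
# VPN tunnel, eth1 the plant LAN, 10.20.0.40 the virtual desktop host and
# 10.20.0.50 the HMI -- all assumed values).
table inet hmi_guard {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Let replies for already-accepted sessions through, drop junk.
        ct state established,related accept
        ct state invalid drop

        # The only thing allowed out of the tunnel: the VDI display protocol,
        # to the virtual desktop host, nothing else. No rule mentions the HMI,
        # so it is unreachable from the tunnel by construction.
        iifname "tun0" oifname "eth1" ip daddr 10.20.0.40 tcp dport 3389 ct state new accept

        # Log anything else that tried to cross from the tunnel before the
        # chain policy drops it; this is your early warning that a remote
        # endpoint is probing the plant network.
        iifname "tun0" log prefix "hmi_guard denied: " drop
    }
}
```

Apply with `nft -f /etc/nftables.conf` and confirm with `nft list ruleset`. The virtual desktop host then talks to the HMI over the plant LAN; if that LAN is also routed through the gateway, add an equally narrow rule for that hop rather than widening this one.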
Securing and Updating Unmanned Systems
IoT deployments that contain unmanned systems or endpoints are often the hardest to secure: denial of service attacks against them are common and very difficult to prevent, and there is nobody on site to notice or reboot a device that has fallen over.
Denial of service attacks are especially effective on IoT devices because they typically have limited computing power, so it is easy to overwhelm them with traffic. That same limited computing power means running tools on the endpoint itself to detect and stop denial of service attacks isn't feasible; the protection has to sit in front of the device.
For deployments like this, there are a number of options you have for tightly securing and protecting unmanned systems:
Content Delivery Networks
Putting the internet-facing services that your devices talk to behind a Content Delivery Network (CDN) with DDoS scrubbing is often the first step in preventing denial of service attacks. Akamai, for instance, has absorbed some of the largest denial of service attacks on record. Note that a CDN protects the endpoints your devices connect to; it only protects the devices themselves if their inbound traffic is routed through the CDN as well.
Segregation of IT and OT networks
Another important option in this case is segregating your IT and OT networks. In practice this means setting up two separate networks: one on which IoT devices transmit data back to a central source for storage and analysis, and a second, much more tightly controlled network used only for managing and controlling the IoT devices.
Companies like Owl Cyber Defense build products called data diodes specifically for this purpose. A data diode physically allows traffic in one direction only, so IoT devices can push data out to the analysis network while nothing on that network can send traffic back toward the devices.
Once you have separated the two functions, you can concentrate your security effort on the management network, since that is the path an attacker would need in order to take control of the devices. Locking that network down and limiting who and what can reach it prevents the attacks that would otherwise render unmanned devices useless.
Using an edge gateway
Using a dedicated gateway architecture model (if possible with deployment size constraints) can also help here, by placing a more powerful security device between the outside world and the endpoint devices themselves.
IoT device security measures
There are a few things you can do on the device itself to improve individual IoT device security.
Reserve CPU time, memory and disk space for your most critical services and functions. Make sure the processes the device needs in order to stay manageable are guaranteed a share of the CPU, for instance by reserving 10% of the CPU for the remote management functionality. On Linux this is done with cgroups (for example through systemd resource control) rather than in the application itself. It means that while a denial of service attack is in progress you can still reach the device and fix it, although it will not help if the flood saturates the network stack in the kernel before any process gets to run, which is why the gateway and upstream filtering above still matter.
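As an added example of that reservation (not from the original article), the following systemd resource-control fragments put all application services into a capped slice and give the management agent priority. They assume a Linux device running systemd on cgroup v2 with a single CPU core; the unit names and percentages are illustrative:

```ini
# /etc/systemd/system/workload.slice  (added example; unit names are assumed)
# Every application service (telemetry upload, local control loop, ...) is
# placed in this slice via Slice=workload.slice in its [Service] section.
[Unit]
Description=Device application workload

[Slice]
# Hard cap: the whole slice may use at most 90% of the single CPU, so at
# least 10% is always left for units outside it, even under a flood.
CPUQuota=90%
# Low relative weight when the CPU is contended (default is 100).
CPUWeight=100
# Keep runaway application memory from starving the rest of the system.
MemoryMax=70%

# /etc/systemd/system/telemetry.service.d/10-slice.conf
[Service]
Slice=workload.slice

# /etc/systemd/system/remote-mgmt.service.d/10-priority.conf
# The management agent stays in the default system.slice, outside the cap.
[Service]
# Maximum scheduler weight (range 1-10000): when the CPU is saturated the
# management agent is scheduled ahead of everything in workload.slice.
CPUWeight=10000
# Guaranteed memory and last in line for the OOM killer.
MemoryMin=32M
OOMScoreAdjust=-900
```

After `systemctl daemon-reload`, `systemd-cgtop` shows the two slices and lets you confirm the cap holds while you load-test the device. On a multi-core device `CPUQuota=` is expressed per core (200% means two full cores), so scale the percentage accordingly.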
Make sure you also have a good mechanism in place to deliver and apply firmware updates to your devices. Keeping devices in the field up to date goes a long way toward keeping doors closed to unauthorized access. The update path is itself an attack surface, so a device should only apply an image whose manifest it has authenticated, that is built for its hardware, and that is newer than what it is running, so that an attacker cannot push a known-vulnerable older version back onto it.
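The acceptance check a device should run on an incoming update, as an added example that is not code from the original article. It assumes a per-device secret provisioned at manufacturing and uses HMAC-SHA256 over the manifest; a fleet that can afford it would sign manifests with an asymmetric key instead, so the update server holds no secret the devices also hold. The model string, manifest format and sample image are constructed for illustration:

```python
"""Firmware update acceptance check for a field device (added example).

Order matters: authenticate the manifest before trusting any field in it,
then check hardware model, anti-rollback, and finally image integrity.
Assumes a per-device HMAC key; see the note above about asymmetric signing."""
import hashlib
import hmac
import json

DEVICE_MODEL = "gw-100"   # assumed model string baked into the running firmware


def canonical(manifest):
    """Deterministic JSON bytes, so signer and verifier MAC identical input."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest_bytes, key):
    """Update-server side: MAC over the exact bytes that will be transmitted."""
    return hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()


def parse_version(v):
    """'2.10.0' -> (2, 10, 0), so comparison is numeric, not lexical."""
    return tuple(int(part) for part in v.split("."))


def verify_update(manifest_bytes, signature, image, installed_version, key,
                  model=DEVICE_MODEL):
    """Return (accepted, reason). Rejects on the first failed check."""
    expected = hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return False, "manifest signature invalid"
    try:  # only now is the manifest content trusted enough to parse
        m = json.loads(manifest_bytes)
        target_model, version = m["model"], m["version"]
        size, digest = int(m["size"]), m["sha256"]
        new_v = parse_version(version)
    except (ValueError, KeyError, TypeError, AttributeError):
        return False, "manifest malformed"
    if target_model != model:
        return False, f"manifest is for {target_model}, device is {model}"
    if new_v <= parse_version(installed_version):   # anti-rollback
        return False, f"rollback rejected: {version} <= {installed_version}"
    if len(image) != size:   # cheap check before hashing a possibly huge blob
        return False, "image size mismatch"
    if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), digest):
        return False, "image digest mismatch"
    return True, "ok"


def sample_update(key):
    """Constructed update bundle: a dummy 4 KiB image and its signed manifest."""
    image = bytes(range(256)) * 16
    manifest = {"model": DEVICE_MODEL, "version": "2.1.0",
                "size": len(image), "sha256": hashlib.sha256(image).hexdigest()}
    mb = canonical(manifest)
    return mb, sign_manifest(mb, key), image


if __name__ == "__main__":
    key = b"constructed-per-device-secret"   # would live in a secure element
    mb, sig, image = sample_update(key)
    print(verify_update(mb, sig, image, "2.0.3", key))                  # accepted
    print(verify_update(mb, sig, image, "2.1.0", key))                  # same version: rejected
    print(verify_update(mb, sig, image[:-1] + b"\x00", "2.0.3", key))   # tampered image
    print(verify_update(mb.replace(b"2.1.0", b"9.9.9"), sig, image, "2.0.3", key))  # tampered manifest
```

The version check treats an identical version as a rollback too, which is deliberate: re-applying the same image is never needed in a working update flow, and allowing it gives an attacker a replay path.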
Securing Legacy Industrial IoT Deployments
Another common problem that IoT deployments come up against is the use of outdated or legacy technology. Often the desire to connect equipment or endpoints that were never built to be connected comes up in the predictive maintenance and automation area of IoT.
Compatibility concerns
The biggest issue that tends to arise here is compatibility. Most modern cyber security products assume they can install an agent on the endpoint or that the endpoint speaks current protocols, and neither is true of the outdated or legacy equipment found in most warehouses and factories.
In this case your options for securing these systems become simpler out of necessity. Because most host-based controls won't work with the existing technology, you are usually left with network-level protection that is transparent to the device, which in practice means a hardware-based VPN to encrypt and authenticate legacy IoT communications.
Often these particular deployments are a great fit for the dedicated gateway architecture as they are limited in geographical scope and need to protect legacy devices from outside networks.
Anomaly detection
It is ideal to use passive anomaly detection on the edge gateway in this case, because the behaviour of these devices is very predictable. Since they were never designed to be connected, their communications can be kept simple and repeatable: the same peers, the same ports, the same message sizes at the same intervals. Any departure from that pattern stands out, which makes anomalies easy to catch without the false positives that plague anomaly detection on general-purpose networks.
Microsegmentation
You can also employ a strategy called microsegmentation to keep communication between devices limited to only those that need to speak to each other. Rather than allowing every device to talk to every device on the network, you can build and layer separate communication networks between groups of devices.
This can prevent devices from causing problems for each other on the network and reduce the available attack surface should someone gain unauthorized access to one of the smaller segmented networks.
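The two ideas above, a microsegmentation allow-list and passive anomaly detection against a learned baseline, as one added example of how an edge gateway could screen flows (this is illustrative code, not from the original article or any product). The segments, addresses, ports and flow records are constructed; a real gateway would take the segment membership from its interface or VLAN configuration and the flows from a packet tap:

```python
"""Edge-gateway flow screening for legacy devices (added example).

Two layers: a static microsegmentation policy decides who may talk to whom,
then a baseline learned from a clean window flags flows whose payload size or
cadence departs from the device's normal, very regular behaviour."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: float    # seconds since gateway boot
    src: str
    dst: str
    proto: str
    dport: int
    size: int    # payload bytes

    @property
    def key(self):
        return (self.src, self.dst, self.proto, self.dport)


# Hypothetical segments (assumed addresses).
SEGMENTS = {
    "sensors": {"10.10.1.11", "10.10.1.12"},
    "plc": {"10.10.2.5"},
    "historian": {"10.10.3.20"},
    "mgmt": {"10.10.9.9"},
}
# Microsegmentation policy: (src segment, dst segment, proto, dport).
# Anything not listed, including traffic within a segment, is dropped.
ALLOWED = {
    ("sensors", "plc", "tcp", 502),    # sensor gateways report to the PLC
    ("historian", "plc", "tcp", 502),  # historian polls the PLC (Modbus/TCP)
    ("mgmt", "plc", "tcp", 22),        # engineering access
}


def segment_of(ip):
    return next((n for n, members in SEGMENTS.items() if ip in members), None)


def policy_allows(flow):
    return (segment_of(flow.src), segment_of(flow.dst), flow.proto, flow.dport) in ALLOWED


class Baseline:
    """Per-flow baseline of payload size and inter-arrival interval."""

    def __init__(self, tolerance=3.0):
        self.tolerance = tolerance
        self.sizes = defaultdict(list)
        self.intervals = defaultdict(list)
        self.last_seen = {}

    def learn(self, flows):
        """Passive learning from traffic known to be clean."""
        for f in sorted(flows, key=lambda f: f.ts):
            if f.key in self.last_seen:
                self.intervals[f.key].append(f.ts - self.last_seen[f.key])
            self.last_seen[f.key] = f.ts
            self.sizes[f.key].append(f.size)

    def _deviates(self, samples, value):
        # More than `tolerance` standard deviations from the mean. Legacy
        # devices are often perfectly regular (stdev 0), so fall back to a
        # 5% band rather than flagging every tiny timing difference.
        mu = mean(samples)
        sd = pstdev(samples) or 0.05 * mu
        return abs(value - mu) > self.tolerance * sd

    def check(self, flow):
        """Return a list of anomaly reasons (empty means the flow looks normal)."""
        if flow.key not in self.sizes:
            return ["flow never seen during learning"]
        reasons = []
        if self._deviates(self.sizes[flow.key], flow.size):
            reasons.append(f"size {flow.size}B outside baseline")
        if self.intervals[flow.key]:
            gap = flow.ts - self.last_seen[flow.key]
            if self._deviates(self.intervals[flow.key], gap):
                reasons.append(f"interval {gap:.1f}s outside baseline")
        self.last_seen[flow.key] = flow.ts
        return reasons


def evaluate(baseline, flows):
    """Return [(flow, verdict, reasons)] with verdict allow, alert or deny."""
    results = []
    for f in sorted(flows, key=lambda f: f.ts):
        if not policy_allows(f):
            results.append((f, "deny", ["not permitted by segmentation policy"]))
            continue
        reasons = baseline.check(f)
        results.append((f, "alert" if reasons else "allow", reasons))
    return results


def sample_traffic():
    """Constructed traffic: a clean learning window, then five live flows."""
    plc, hist, sensor, mgmt = "10.10.2.5", "10.10.3.20", "10.10.1.11", "10.10.9.9"
    learning = [Flow(t * 10.0, hist, plc, "tcp", 502, 64) for t in range(12)]
    learning += [Flow(t * 5.0, sensor, plc, "tcp", 502, 32) for t in range(12)]
    live = [
        Flow(120.0, hist, plc, "tcp", 502, 64),     # regular poll
        Flow(120.5, hist, plc, "tcp", 502, 64),     # 0.5 s later: cadence broken
        Flow(130.5, hist, plc, "tcp", 502, 4096),   # on time, but 64x the usual payload
        Flow(131.0, sensor, hist, "tcp", 502, 64),  # sensor to historian: not in policy
        Flow(132.0, mgmt, plc, "tcp", 22, 200),     # allowed, but never seen while learning
    ]
    return learning, live


if __name__ == "__main__":
    learning, live = sample_traffic()
    base = Baseline()
    base.learn(learning)
    for flow, verdict, reasons in evaluate(base, live):
        print(f"{flow.ts:6.1f} {flow.src} -> {flow.dst}:{flow.dport} {verdict:5} {'; '.join(reasons)}")
```

The policy layer is the microsegmentation: it is evaluated first and needs no learning. The baseline layer is the passive anomaly detection, and it is only as good as the learning window, so capture that window while the plant is in a known-good state and refresh it after any legitimate configuration change.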
Segregation of IT and OT networks
This is another case, similar to the one above, where segregating communications between the IT and OT networks is valuable: the legacy devices and their gateway sit on the OT side, and only the data they produce crosses to the IT side.
Securing Connected Products in Regulated Industries
As a product provider who wants to have products “phone home” to alert for problems or maintenance issues, it is important to keep in mind the places your product will be used. If your product is deployed in highly regulated industries, like a machine that is used in factories to produce military aircraft for instance, the security of those “phone calls” home is very important.
In these instances you’ll most likely run into regulations that require something like a data historian. This is a program that records all production or process data as a time series, making it easy to look back over a timeline of records.
Segregation of IT and OT networks
This is another case, similar to the ones above, where segregating communications between the IT and OT networks is valuable.
In this case you would want something like a data diode to control communications between SCADA systems or industrial devices and end users outside the security perimeter of the plant, so that telemetry from your product can leave but nothing can be sent back in.
Additionally, an OT-specific monitoring platform such as the Dragos Platform gives you visibility into, and alerting on, the communications to and from your product in the field. It does not replace the firewall or data diode at the IT/OT boundary; it is what tells you whether the communications crossing that boundary are the ones you expect.