Public Wi-Fi: Still Forcing VPN?
Posted by This_Investigator655@reddit | sysadmin | 28 comments
Curious how others are approaching public Wi-Fi security now that so many environments are SaaS/cloud-first.
Are you still enforcing always-on VPN for hotel, airport, and café Wi-Fi? If so, are you running split tunnel or full tunnel?
OregonTechHead@reddit
If people can do their jobs without connecting a VPN, why is there a VPN?
JwCS8pjrh3QBWfL@reddit
Protection from snoopers on public wi-fi.
Valdaraak@reddit
Every business site and platform we use is HTTPS. They can't really snoop on anything.
MortadellaKing@reddit
They can if they are doing TLS MITM and the dumb user just clicks "trust" on the certificate warning if you don't have that turned off.
OregonTechHead@reddit
There are other, much more efficient ways, to encrypt traffic rather than a VPN and routing everything back to HQ.
thortgot@reddit
On the basis of quantum decryption?
monkeh2023@reddit
There's not a lot people can snoop on nowadays though.
serverhorror@reddit
Since HTTPS is ubiquitous, what are they going to snoop about? With DNS over HTTP(S), they aren't even getting that.
mustang__1@reddit
Prevent downloading malicious files, watching porn, etc.
_Do_The_Needful_@reddit
Regulated industries require it. What's to stop someone from setting up a duplicate fake SSID like your nearest coffee shop and capturing traffic? Most is encrypted nowadays, yes, but they could still send you altered DNS records and intercept information. Browsers still allow plain HTTP and don't always notify. Employees don't always verify if they are using HTTPS or not.
OregonTechHead@reddit
What industries require tunneling all traffic back to HQ via VPN as opposed to more modern solutions?
If data needs to be encrypted, why aren't we just encrypting the data directly rather than going around the block?
disclosure5@reddit
None. This is the same as people not long back arguing you legally needed to buy extended validation certificates "because regulation" then one day we all just stopped because they were stupid.
disclosure5@reddit
Name one regulation that requires random VPN services in order for people to access HTTPS based websites.
A whole lot of people in this thread living in 2000 and believing Firesheep still works.
BigBobFro@reddit
Always on yes. Once on though, off-load bypass.
OregonTechHead@reddit
If you aren't sending any data over the VPN, what's the point of connecting it? What's the point of it even existing?
BigBobFro@reddit
Only off-load what you need to for functionality. CrowdStrike and Teams are murderous to VPNs and outbound proxies.
Force the vpn to ensure dlp and outbound web proxy compliance.
chapel316@reddit
There are plenty of SaaS apps that don’t play well via VPN (looking at you Microsoft) so you split those out to go directly and everything else goes through the VPN.
PizzaUltra@reddit
There is no realistic technical reason to enforce VPN on public WiFi for security reasons.
Yes, Defense in depth, yes layers, yes Swiss cheese model, but there is no real threat mitigated by VPN usage on public WiFi.
SwizzleTizzle@reddit
Also, the vulnerability that the end point then is compromised and used as a router into the VPN.
Small chance, unlikely, yet this risk does exist.
jetlagged-bee@reddit
No, as we don't require VPN access to anything on-prem.
We're 100% cloud-based, Intune enrolled, Entra ID with strict Conditional Access, Passwordless all round, no-BYOD, Cloudflare ZTNA, Cloudflare DoH DNS filtering via One client, HTTPS enforced, strict firewall on everything.
Lots of acronyms. Hope it's enough 🤞
May roll out the full Cloudflare WARP for some remote users.
Chungus-Galactic@reddit
We use Tailscale but only force DNS and one on-prem app through the tunnel.
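The full-tunnel versus split-tunnel choice the OP asks about, and the "only DNS and one on-prem app through the tunnel" pattern above, expressed as WireGuard client configs. This is an added illustration, not any commenter's config; the keys are placeholders and the addresses (10.8.0.0/24 tunnel, 192.0.2.0/24 for the on-prem app, vpn.example.com) are assumed.

```ini
# --- wg0-full.conf: full tunnel (hotel/airport/cafe Wi-Fi sees only WireGuard UDP) ---
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY_PLACEHOLDER>
Address = 10.8.0.2/32
# Resolver that is only reachable inside the tunnel, so a rogue AP
# handing out its own DNS server gets no queries from this host.
DNS = 10.8.0.1

[Peer]
PublicKey = <SERVER_PUBLIC_KEY_PLACEHOLDER>
Endpoint = vpn.example.com:51820
# AllowedIPs is both the crypto-key routing filter and the route list:
# 0.0.0.0/0 and ::/0 send every packet through the tunnel.
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

# --- wg0-split.conf: split tunnel (only DNS + one on-prem subnet in the tunnel) ---
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY_PLACEHOLDER>
Address = 10.8.0.2/32
# Still point DNS at the tunnel resolver...
DNS = 10.8.0.1

[Peer]
PublicKey = <SERVER_PUBLIC_KEY_PLACEHOLDER>
Endpoint = vpn.example.com:51820
# ...and make sure the resolver's address is in AllowedIPs, otherwise DNS
# leaves on the public Wi-Fi in the clear. Everything not listed here
# (SaaS, Teams, EDR telemetry) goes direct over HTTPS.
AllowedIPs = 10.8.0.1/32, 192.0.2.0/24
PersistentKeepalive = 25
```

The practical check after applying either file is that `resolvectl status` (or the platform equivalent) shows 10.8.0.1 bound to wg0 and nothing else; a split tunnel that routes DNS but forgets to list the resolver in AllowedIPs silently sends queries to whatever the captive portal's DHCP offered.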
40513786934@reddit
I'd like to use ZTNA and just get rid of VPNs, but can't get the budget for it
This_Investigator655@reddit (OP)
How are you using VPN now? Always on?
40513786934@reddit
yeah
sryan2k1@reddit
Zscaler's ZIA here. Users can't turn it off. Same protection regardless of where they are.
YellowOnline@reddit
Split tunnel. None of my customers want cloud solutions.
MaxRD@reddit
Yes. I use my own WG VPN when possible otherwise Proton VPN.
RevolutionaryWorry87@reddit
Always on. Split tunnel, only splitting Google/YouTube/voice etc.