Banyan Security Test Drive - Securing Service Tunnels

Overview

Access to corporate services (such as hosted websites or file shares) is regularly needed by employees. Traditionally, access has depended on VPNs, which are notorious for granting over-privileged access to the network. In fact, VPNs often create a security liability, since they offer broad access to sensitive corporate assets and permit the kind of lateral movement that adversaries use for ransomware and other illegal activity.

Banyan’s Service Tunnel provides a modern VPN-as-a-Service, allowing users access to corporate services while also enforcing user and device trust. Banyan’s continuous authorization ensures that access is blocked if a device’s security posture falls below a minimum threshold level.

In the following scenario, MedSoft has published resources via the Banyan services catalog. We will showcase how to access an internal resource via Service Tunnel.

Before you begin

For this Test Drive scenario, you’ll need:

  • A valid set of credentials to MedSoft’s Identity Provider (Okta)
  • A macOS or Windows device registered with the Banyan Desktop App (v2.0 or higher), with administrator privileges
  • A device TrustScore of 61 or higher
    • If your TrustScore is 60 or lower, review the in-app remediation instructions
    • Then, navigate to Settings and select Send Devices Features to update your TrustScore

Access to an internal site or server

Access shared files

MedSoft publishes various resources via Banyan’s service catalog.

(1) Launch the Banyan App from your device’s Menu Bar (macOS) or Taskbar (Windows), and then select Login to authenticate and populate Corporate Services.

(2) Select the Service Tunnels tab to get a list of all existing service tunnels. Connect to DatacenterTunnel (i.e., select the button on the right), and then select the service tunnel name (i.e., DatacenterTunnel). Here, you’ll find the IP address of the Windows file server you want to connect to.

(3.1) Here are the steps to connect to a file share on macOS:

(1) In Finder on your Mac, select Go from the menu bar, and then select Connect to Server….

(2) A Connect to Server box will pop up. Enter the IP address for the Windows file server in the Server Address field (i.e., smb://10.138.0.14). The IP address can also be found on the DatacenterTunnel page.

(3) If connecting for the first time, select Guest and then Connect.

(4) A new window will pop up with shared files (e.g., C, Documents). Select one, select OK, and you’ll see a new entry under Network locations.

(3.2) Here are the steps to connect to a file share on Windows:

(1) Open File Explorer, and select This PC.

(2) Select Computer > Map Network Drive. This will generate a new window.

(3) In this new window, select a Drive from the dropdown menu. Enter the IP address that you found in the DatacenterTunnel service page (i.e., smb://10.138.0.14).

(4) Select Browse. This will generate a new window with the Windows file server IP.

(5) Here, you can access all shared files (e.g., C, Documents). Select a shared file entry, and then select OK.

(6) Select Finish, and you’ll see a new entry under Network.

Change device posture

The following will showcase how Banyan enforces zero-trust policies in real time:

  • To compromise your device posture, select Test Drive Settings, and then toggle Lower My TrustScore (move switch to the right). Your TrustScore will drop to 0, and as a result you’ll no longer be able to connect to the server.

This is a simulated scenario. In real life, an end user’s TrustScore generally drops as a result of various issues. For instance, their device may not be patched, their antivirus tool may have detected some malware, or other vulnerabilities may have been detected.

How it works

Banyan adds a mandatory access control layer that constantly evaluates the security posture of the device and integrates with your organization’s single sign-on (SSO) provider. All traffic to services takes place over the secure tunnel. Security policies are then continuously enforced, based on device trust.

Read more about using a modern VPN-as-a-Service in our product documentation.
