Many enterprises use virtual private networks (VPNs) and HTTP Proxy servers to protect their data and control network access. A VPN is a setup to protect traffic of remote employees — an encrypted link that is established from the employees’ devices to the enterprise network. After connecting, remote users and their devices appear as if they are sitting at work and have access to all their work data.
Implementing a VPN for mobile devices can be complicated. To manage them successfully, IT managers have to navigate competing requirements: battery life and bandwidth limitations on the mobile side, with threat protection, encryption and privacy on the security side. Trying to find the right configuration means laying out these requirements and matching them with the capabilities of your smartphone platform and your tools for mobile device management (MDM), enterprise mobility management (EMM) or unified endpoint management (UEM).
Here are some tips on how to balance information security requirements against what’s possible (and what’s not) in the world of Samsung Knox:
Knox VPN on Android Enterprise
To choose the right mobile VPN configuration for your network, it’s important to first understand the different Android deployment “modes.” Android Enterprise offers several modes for managing mobile devices, allowing IT to effectively manage personal BYOD devices as well as fully managed corporate-owned devices.
Android Enterprise “Fully Managed Device” mode provides full control over apps and data on devices owned by the organization, and IT admins can enforce an extensive range of policies over the entire device.
In Android Enterprise “Work Profile” or “Work Profile on Company-Owned” (WP-C) mode, a separate space is created to isolate work apps from personal apps. Work data can securely coexist with personal data on the same phone, but work data is completely isolated. In this mode, an IT admin has full control within the work profile, but only limited control of personal data. If the device is enrolled in a bring your own device (BYOD) program, IT has no control over personal data outside the work profile.
How to build an effective incident response plan
White Paper
Get this free guide on how to respond to mobile security breaches — or thwart them altogether. Download Now
Knox Platform for Enterprise (KPE) supports an enhanced VPN service that offers flexible connection models for Android Enterprise deployment modes. On a standard Android device, system apps have the privilege to bypass a VPN, but the Knox VPN service keeps all apps inside the VPN, including system apps.
Knox VPN service allows IT admins to leverage these unique features to ensure the enterprise apps on the device are secured:
Device-wide VPN: With device-wide VPN, you can protect the entire device, with all data traffic from your device being encrypted and secured. With this model, all apps on the device are allowed to access the corporate network. To avoid unnecessary traffic, IT admin can use the “Exception List” together with device-wide VPN to exempt select apps from accessing the corporate network.
Enterprises with strict security standards might want to monitor traffic on the entire device for auditing and compliance purposes. For example, in certain government and healthcare deployments, the device must be fully managed and monitored for security and compliance.
Device-wide VPN can only be used on Android Enterprise “Fully Managed” deployment mode.
User-wide VPN: In a BYOD or corporate-owned, personally enabled (COPE) deployment model, a separate user space (work profile) is created to isolate work apps from personal apps. User-wide VPN secures all apps inside the work profile, and apps in the personal area are not monitored or managed. The user-wide VPN mode is best suited for organizations that allow coexistence of work and personal apps on the same phone.
Per-app VPN: Many businesses are looking to protect a particular set of apps by using a VPN tunnel for a single app or a set of apps. Knox’s per-app VPN allows an IT admin to specify a list of apps that will always use the VPN. The list can also be preloaded onto devices before the apps show up, so if you’re not sure who’s going to run what, you can still have a single profile that covers all cases without having to worry about doing special configurations for different types of users.
Optimizing VPN performance
Exception list (Knox VPN apps blocklist): An IT admin can create an exemption list using the app blocklist feature, which means there are select apps that don’t connect using VPN. The app blocklist feature will help optimize VPN performance in certain deployment scenarios.
For example, if there are 100 apps on a device and IT admin would like to secure only 90 of them, there are two options. You can create a per-app VPN and add 90 apps to the VPN connection, or you can create a user-wide/device-wide VPN and add 10 apps to the exemption list. With the per-app VPN option, the VPN service has to handle 90 VPN rules, but with the user-wide/device-wide VPN option, there are only 10 rules for the VPN service to manage. VPN performance will be better with fewer apps to exempt.
On-demand VPN: If you bring up a tunnel as soon as the device boots, that uses bandwidth, draws additional battery power and requires a lot more VPN concentrator capacity. One alternative is to require the user to launch the VPN when needed and deactivate it when not in use, but that diminishes user experience by adding an extra step.
An on-demand VPN is the ideal solution: A VPN tunnel comes up when a particular application is used but doesn’t persist. For example, you might only need the VPN for your Oracle E-Business or SAP app traffic and may prefer not to keep tunnels up for everyone everywhere, except when they’re needed. Note: Managed VPN connections are “always-on” by default.
VPN USB tethering: Using Samsung Knox VPN, employees can now extend their phone’s VPN tunnel to work on laptop via USB. This provides laptop users the ability to access internal enterprise resources using Knox’s defense-grade mobile VPN network. In addition to providing convenience when laptops don’t have network connectivity, this offers cost savings by removing the need to buy additional VPN licenses for laptops. Samsung is the first and only manufacturer to support VPN tethering on smartphones.
Knox VPN chaining: In highly secured environments, the traditional single layer of encryption is not sufficient to securely access a classified network (SIPRnet). VPN chaining supported by Knox adds extra security by chaining VPN connections established by two different VPN clients (also known as cascading or nesting VPNs) for greater anonymity. All data sent through VPN chains are encrypted twice, and two VPN clients are needed to create a VPN chain.
HTTP proxy with or without authentication: A HTTP proxy is a server that allows enterprises to control web traffic. Proxy server can block offensive or malicious sites, monitor employees’ activity or analyze web traffic leaving facilities, adding security and speed to the corporate network. Having VPN and HTTP proxy work together is important. Standard Android devices can use a VPN and proxy server, but this doesn’t work if the proxy server requires authentication. Knox VPN offers flexible options and supports proxy with or without authentication (NTLM/Basic).
IT managers deploying VPNs on smartphones need a more sophisticated set of configuration options than the typical desktop computer. The Knox VPN service, built for Android Enterprise, includes a strong feature set for the ultimate in enterprise security, while Samsung Knox and KPE take VPNs to another level.
As you work to increase your business’s mobile security, make sure you’re prepared for the top four cybersecurity threats for enterprises in 2021. You can discover best practices for thwarting mobile security breaches and responding to them effectively in Samsung’s free guide.
