ITC Compliance, based in the UK, helps car dealerships and other retailers meet the standards of the UK’s Financial Services Regulator. By becoming appointed representatives of ITC Compliance, these businesses rely on the organization to handle their compliance. This way, clients stay compliant with the Financial Conduct Authority (FCA), without dealing with complex rules, allowing them to focus on their main work. 

James Snell, IT Director at ITC Compliance, manages technology strategy and vision, technology teams, cybersecurity, IT infrastructure, and operations. He is also responsible for vendor and stakeholder management. He needs to secure remote access to sensitive internal systems while maintaining regulatory compliance.

The challenge

Securing remote access while meeting regulatory compliance

The COVID-19 pandemic led ITC Compliance to shift to remote and hybrid work. This required a secure way for employees to access internal systems with sensitive data from various locations.

“COVID changed how companies work,” explains James Snell. “Only ITC Compliance employees can access our systems, so we needed secure remote access to internal resources.” Managing individual IP whitelisting for all remote employees was impractical.

As a regulated company working towards SOX compliance, ITC Compliance also needed strict access controls, which are crucial for certification.

The solution

Using NordLayer for secure and simple remote access

To tackle these issues, ITC Compliance adopted NordLayer as their business VPN in 2020. Routing all employee traffic through NordLayer allowed for a consistent IP address, which simplified security.

NordLayer also offered essential security tools, like multi-factor authentication (MFA). This met ITC Compliance’s security needs and supported their SOX compliance goals.

Why choose NordLayer

During renewal, James considered other options but decided to keep NordLayer. The solution felt reliable, and the pricing suited their needs, so switching wasn’t necessary.

NordLayer offered scalability and flexibility, with easy server setup and team routing through different IPs. From a cybersecurity standpoint, NordLayer provided essential tools, including ease of use, strong security features, and simple management with MFA options.

One key feature enabling ITC Compliance to maintain a fixed IP is NordLayer’s Dedicated IP. It ensures online traffic stays private and secure, helps control permissions, and prevents unauthorized access. With NordLayer, a fixed IP allows smooth, secure access to business data from any location. You can control who accesses resources by allowlisting specific IPs. Dedicated servers with fixed IPs cost $40/month and are available on all plans except Lite.

The outcome

Enhanced security and compliance support

NordLayer helped ITC Compliance secure remote access to internal systems. Using a single IP address simplified security management and reduced workload.

The NordLayer rollout was smooth, and the team found it easy to use. Scaling is simple, and adding licenses is hassle-free.

Pro cybersecurity tips

Protecting sensitive information is crucial, especially for regulated businesses. James Snell shares three essential tips for enhancing security.

With NordLayer, ITC Compliance simplified remote access, strengthened security, and met compliance needs. Try NordLayer to secure your team’s access, no matter where they work.

A VPN passthrough is a router feature that allows data encrypted by VPN protocols to pass network firewall filters.

Passthroughs were once essential to work around router limitations. Improved protocols and security technology have made them less critical. However, some situations still involve the VPN passthrough setting.

Key takeaways

After reading this article, you will:

• Know what a VPN passthrough is and how passthrough types function.
• Learn how to configure IPSec, PPTP, and L2TP passthroughs on standard routers.
• Understand the limitations of VPN passthrough features and common security vulnerabilities.
• Know how to troubleshoot VPN passthrough security problems and create secure VPN router setups.
• Learn about effective alternatives to a VPN passthrough and how to choose the right way to establish VPN connections.

VPN passthrough definition

A VPN passthrough is a router feature that allows outbound VPN traffic to pass through a network firewall.

Passthroughs allow businesses to connect devices to VPNs without compromising firewall protection. Users can encrypt traffic leaving the network and hide their activity. The firewall filters other inbound and outbound traffic normally.

Think of a VPN passthrough as a secret passage. Only authorized users can access the passage, and external actors cannot see where it leads.

How does a VPN passthrough work?

Sometimes, compatibility issues arise between VPNs and network routers. Some routers do not support VPN protocols.

VPNs rely on protocols to encrypt and transport data. VPN clients must establish connections with VPN servers outside the network boundary. This leads to problems when Network Address Translation (NAT) setups cannot handle VPN protocols.

NAT assigns a public IP address and sends data to its destination. Unfortunately, older VPN protocols can derail this process. NAT is unable to route packets to their final destination. Instead of creating an encrypted tunnel, routers block data packets and return them to the source.

A VPN passthrough solves this problem. Passthroughs allow routers to recognize protocols like IPSec, L2TP, or PPTP. When the VPN passthrough is engaged, encrypted traffic can pass across the network edge, protecting user data.

Note: Advanced protocols like OpenVPN and WireGuard avoid the need for a VPN passthrough. Modern VPN protocols work with NAT, allowing outbound traffic to the VPN server.

Do all routers need a VPN passthrough?

Not all routers need a VPN passthrough, but some do. It’s important to know whether your routers support VPNs, as configuration issues can expose sensitive data to cyber attackers.

The good news is most routers include a VPN passthrough option. In practice, only very old routers lack passthrough capabilities (and you should probably replace those devices for security reasons).

The bottom line is that you need to enable passthrough for older VPN protocols like IPsec or PPTP. Modern protocols and more secure alternatives make this unnecessary.

If you do need passthrough functionality on your router, choosing the right type matters. That’s where we will turn next.

Types of VPN passthrough

VPN passthroughs deal with different VPN protocols. There is no one-size-fits-all passthrough design, as protocols operate differently. Here are the three main versions:

PPTP passthrough

The point-to-point tunneling protocol (PPTP) uses the Transmission Control Protocol (TCP) via Port 1723 and the Generic Routing Encapsulation (GRE) protocol.

GRE does not require a specific port or IP address to create a PPTP connection. NAT requires a port number and IP address—creating a conflict. That’s where a PPTP passthrough becomes essential.

The PPTP passthrough feature solves this conflict by assigning a Call ID to GRE headers. The router sees this Call ID as a port number and allows traffic through the firewall.

Users implement a PPTP passthrough via their router firmware. Here’s how to do so:

1. Find your router IP address and enter it into a browser address bar.
2. Log onto the router settings tool and find the VPN settings section.
3. You should see an option to apply a PPTP passthrough. Enable the VPN passthrough and save your settings.
4. Reboot the router. The VPN passthrough functionality should be enabled.

IPSec passthrough

IPSec (Internet Protocol Security) passthroughs use NAT-Traversal (NAT-T) technology.

NAT-T packages data using the User Datagram Protocol (UDP) to wrap IPSec data. The NAT router can recognize this format but cannot understand encrypted IPSec traffic.

IPSec passthroughs use UDP port 4500 to establish an IKE packet exchange. IKE exchange allows the router to assign a private IP address for IPSec traffic while underlying payloads remain untouched.

Users also implement an IPSec passthrough via router firmware. To do so:

1. Firstly, log onto your router via a web browser.
2. Look for the VPN section and the option to enable IPSec passthrough.
3. You may need to reboot the router after saving passthrough settings.
4. Test the VPN connection to ensure passthrough is enabled.

L2TP passthrough

The L2TP VPN passthrough resembles the process for PPTP. In this case, passthroughs use Port 1701 to create a VPN connection.

VPN passthroughs assign a Session ID to UDP packets passing over the port. This Session ID substitutes for the port number, allowing transfers via the NAT router.

What is the difference between a VPN and a VPN passthrough?

VPNs and VPN passthroughs sound similar, but they are very different technologies. Passthroughs only allow VPN traffic from internal networks to the public internet. That’s all they do.

Virtual Private Networks are far more powerful network security tools. VPN companies operate servers across the world. The VPN server transports encrypted data and assigns new IP addresses, effectively making users anonymous.

Users generally access the VPN server via a locally-hosted VPN client. VPN software uses protocols to encrypt and send data to servers. A VPN passthrough feature smooths that process.

Companies may also choose to install a VPN router. VPN routers operate on the internal network and eliminate the need to install a VPN client on every device. The router encrypts and anonymizes data and connects with external VPN services.

Passthroughs are not usually needed if you run a VPN router. They may be necessary if you rely on separate clients for devices connected to a standard network router.

VPN passthroughs and security considerations

Let’s assume you continue using PPTP or IPSec and must traverse a typical NAC router. Does this impact your network security status, and should you take action in response?

Firstly, passthroughs are more secure than disabling NAC. This would solve the routing issue, but NAC manages traffic efficiently, conceals IP addresses from the public internet, and allows easy IP changes for network users.

Don’t even think about disabling NAC. Even so, VPN passthroughs generally leave networks more exposed to cybersecurity threats. There are a few reasons why this happens.

• Firstly, passthroughs can allow connections via insecure old VPN protocols. These protocols are rarely updated (if ever) and become less secure over time.
• Security teams may not know if users may establish insecure outbound VPN connections — putting data at risk.
• Another problem is that firewalls cannot inspect VPN traffic passing into and from network devices. This is fine if VPNs use strong encryption, but insecure VPN traffic can become an attack vector.
• Passthroughs also open ports for attackers to exploit. They may even act as backdoors, allowing freedom of movement for malicious traffic inside the network.

That sounds worrying. However, the best practices below should ensure a secure passthrough setup:

• Avoid older VPN protocols. Use secure protocols like OpenVPN or WireGuard that are harder to crack and offer better compatibility. Use VPN passthrough as a last resort.
• Block inactive ports. If you set up a VPN passthrough, only enable port forwarding where necessary. Check and close open ports that the VPN does not need.
• Maintain authentication and access policies. Limit network access to authorized users and devices. Use multi-factor authentication and processes to limit VPN access.
• Monitor VPN traffic. Use logs and real-time tracking to detect unusual behavior patterns or potential attacks.
• Use network segmentation. If you need passthroughs for certain activities, create secure zones with network segmentation tools. That way, intruders will find their path blocked if they exploit passthrough vulnerabilities.
• Audit passthroughs regularly. It’s never wise to enable VPN passthrough permanently. Regularly check router settings. Disable VPN passthrough when it is no longer needed.
•  

Alternatives to a VPN passthrough

Another way to avoid the security problems above is to use an alternative solution for outbound VPN traffic. Common alternatives include:

• SSL encryption. SSL encrypts HTTPS traffic passing across the network edge. You can use SSL as a VPN alternative, but only for web traffic. SSL is a viable alternative for web-based workloads but a poor general security option.
• RDP. The Remote Desktop Protocol (RDP) enables remote work connections without firewall conflicts. It’s a good alternative if you need to access remote devices for maintenance or training. However, RDP does not offer encrypted tunnels, making it less secure than a VPN passthrough.
• SD-WAN. Software-defined wide-area networks enable companies to create secure networks across many sites. Access controls and encryption transfer data securely without needing a standard VPN.
• Site-to-Site VPN. Site-to-Site VPNs connect locations via an encrypted tunneling protocol. Internet gateways interact without firewall conflicts, and there is no need for individual clients. However, this VPN style often relies on inefficient hub-and-spoke routing, and configuration can be complex. Problems may also arise when securing cloud deployments.
• IAM. Identity and Access Management (IAM) partly replaces VPNs for cloud-based and hybrid networks. Admins can control who accesses sensitive assets, blocking unauthorized connections. With the correct security setup, there is no need for an extra VPN or a VPN passthrough.

A VPN passthrough may be necessary to connect older devices or applications and allow remote work. But more advanced alternatives exist. Options include the tools above and modern VPN protocols that render passthroughs obsolete.

Go beyond a VPN passthrough with NordLayer’s security solutions

One thing hasn’t changed—companies must secure connections without compromising firewall performance. As cyber threats mount, protecting data transfers is becoming more important than ever.

NordLayer provides a flexible solution to secure remote connections and optimize efficiency. Our business VPN uses a variant of the WireGuard protocol, with no need to configure a VPN passthrough.

Secure gateways connect remote devices to on-premises and cloud assets. Strong encryption and IP address anonymization keep transfers completely secure. Access controls and Firewall-as-a-Service implement Zero Trust Network Access principles—blocking unknown and unauthorized connections.

Forget about VPN passthrough issues. Our simple, scalable, secure solution protects data and streamlines security management. To find out more, contact the NordLayer team today.

Frequently asked questions

Should VPN passthrough be enabled?

No. As a rule, companies should minimize the need for a VPN passthrough.

Passthroughs rely on outdated VPN protocols and create serious security vulnerabilities. Instead, security teams should invest in a modern router or investigate secure remote access solutions.

Only enable a VPN passthrough if bypassing your firewall is necessary. You may need a point-to-point tunneling protocol (PPTP) passthrough for remote access or operating devices that rely on the PPTP VPN protocol.

If possible, update your setup to accommodate newer protocols. Only use the VPN passthrough as a temporary solution.

What happens if you turn off the VPN passthrough?

Turning off the VPN passthrough is rarely a problem.

Turning off a VPN passthrough can prevent encrypted data transfers through your network firewall. The VPN passthrough allows transfers across older VPN connection types. If the VPN passthrough fails or is not activated, the VPN connection will lapse.

This can cause problems for remote workers who rely on their VPN client to establish outbound VPN connections. In some cases, users may backslide to less secure connection methods.

Generally, choosing to enable VPN passthrough is worse than turning it off. Advanced VPN protocols and tools like IAM provide reliable connectivity and improve security.

Healthcare providers and insurers handle more valuable personal data than any other organizations. Losing this data puts millions of patients at risk, which is why healthcare is also one of the most highly regulated sectors.

Regulations like the Health Insurance Portability and Accountability Act (HIPAA) protect our privacy from an army of cyber attackers. HIPAA recommends administrative and technical solutions to lock down patient data.

There are many HIPAA requirements, ranging from preventing PHI disclosure to making health information available. Firewall barriers help meet requirements for access control policies and role-based access.

That’s because firewall tools allow for the implementation of granular network access controls, which helps protect sensitive medical records and data from unauthorized access. Firewalls enable healthcare companies to benefit from digital environments and remote access while securing data and avoiding HIPAA penalties.

This article will explore what role firewalls play in achieving HIPAA compliance and suggest some best practices for firewall configuration. We will look at firewall risk assessments and help you lock down medical data.

What is HIPAA compliance?

HIPAA compliance involves following security and privacy rules under the Health Insurance Portability and Accountability Act (HIPAA). This act is a body of regulations covering the healthcare sector in the United States, and non-compliance can result in significant penalties.

HIPAA is a complex set of acts and regulations, but core aspects include:

• Privacy. Organizations must safeguard the confidentiality of Protected Health Information (PHI) relating to patient identities and healthcare histories.
• Security. Organizations must protect against data breaches and implement appropriate data protection and cybersecurity measures.
• Assessment. Companies must allow access to patient records.
• Portability. Patients must be able to change providers if desired.

Compliance requirements extend to covered entities and business associates. Covered entities include direct healthcare organizations and insurers. Business associates are third parties with access to medical records. Examples include cloud storage providers or IT support companies.

Key takeaway: HIPAA compliance is essential if your company handles or stores PHI.

The importance of firewalls in HIPAA compliance

Data protection is one of the core HIPAA requirements. Although HIPAA does not set out precise technical requirements, organizations can use any technical means to protect patient data.

However, Firewalls usually play a critical role by blocking unauthorized access and filtering data passing to and from network assets.

A robust firewall enables healthcare organizations to regulate who accesses digital PHI (ePHI). Cloud-based firewalls also secure hybrid environments that host patient information or web assets.

Firewalls are not the only tools required to comply with the HIPAA Security Rule, but they are compliance essentials.

Features of a HIPAA-compliant cloud firewall

Every business should use firewalls in their security infrastructure, but not all firewalls suit healthcare organizations. Firewalls that contribute to HIPAA compliance must meet regulatory standards in various ways. Knowing where you stand is vital.

Features of a suitable firewall include:

• Data encryption for patient information (at rest and in transit)
• Access controls and identity management to block unauthorized access to medical records
• In-depth traffic analysis via Deep Packet Inspection (DPI) and Stateful Packet Inspection (SPI)
• Real-time activity monitoring (inbound and outbound traffic)
• Blocking viruses and malicious software
• Virtual private network (VPN) coverage
• Network segmentation for confidential data
• Flexibility and the ability to scale safely

Best practices for using firewalls to achieve HIPAA compliance

Given the requirements above, what is the best way to set up a firewall that helps you meet HIPAA regulations?

Implementations vary depending on the type and amount of PHI you handle. The best practices below apply to most HIPAA compliance situations and provide a solid foundation.

• Secure inbound connections. Securing remote access or third-party network connections is a common pain point. Set inbound firewall rules to allow access to legitimate users. Add VPN protection for remote connections to shield traffic from external view.
• Manage outbound connections. Configure outbound firewall rules to prevent unauthorized extraction of PHI.
• Manage third parties securely. Many covered entities use business associates to process, store, or analyze data. Carry out risk assessments for all third-party access. Consider time-limiting third-party providers to minimize their contact with PHI.
• Strategically position your firewall. Firewall rules should manage traffic to and from locations where you store or handle PHI. Assess PHI processing operations and position your firewall to filter inbound and outbound traffic.
• Control access to firewall settings. Only approved administrators should have access to firewall controls. Be careful when assigning admin privileges. Apply brief escalation windows to scale back permissions if needed.
• Protect PHI inside a secure zone. Secure zones are network segments containing HIPAA-covered health data. Configure firewall rules to filter traffic to and from these zones.
• Implement threat responses. Plan how you respond to suspected data breaches or security gaps. Document firewall breaches and actions taken in response. Constantly update firewall rules to meet evolving cyber threats.
• Create HIPAA firewall policies. Policies document firewall rules and how your firewall meets HIPAA obligations. Revisit policies annually to assess their effectiveness and make changes if needed.
• Backup firewall rules and configurations. Create a secure storage zone for firewall configurations. Regular and secure backups allow you to restore security infrastructure following cyber attacks.
• Maintain and review audit logs. Configure firewall logs to record access patterns. Retain logs for at least one year, according to HIPAA guidelines. Store logs in an accessible format and consult logs daily to detect incoming cyber attacks.
• Schedule third-party HIPAA audits. Covered entities and business associates should arrange external audits to ensure HIPAA compliance. Audits should include robust firewall assessments. Implement recommendations promptly to resolve vulnerabilities.
• Scan systems to detect weaknesses. Scan networks regularly using qualified internal resources or third-party services. Include firewall integrity in vulnerability scans, focusing on access to sensitive data.
• Update firewall appliances and software regularly. Implement vendor-supplied updates as soon as they are available. Upgrade or replace software tools if vendors no longer support them. Audit tools annually to detect unsupported firewalls. Vendors may not inform users when products change.
• Train staff to use firewalls. HIPAA compliance requires employee training. Programs should focus on handling patient data and preventing cyber threats. Firewall usage is a core component. Ensure staff understand cloud security protocols and tools and test knowledge and behavior annually.
• Consider a managed firewall to cut costs. Smaller covered entities under HIPAA may struggle to protect patient information themselves. While firewalls—whether hardware or software—are typically provided by third-party vendors, choosing a managed firewall service adds an extra layer of support. For example, instead of setting up NordLayer’s firewall directly and handling all configurations yourself, you could choose an MSP (Managed Service Provider). MSPs handle all firewall configurations and maintenance, which is ideal for organizations without the internal expertise or confidence to manage these technical safeguards.

Carrying out a firewall risk assessment

Risk assessments consider critical HIPAA compliance risks. They complement the best practices above by systematically assessing firewall setups according to HIPAA risks.

Never roll out firewall appliances without a thorough risk assessment. Risk assessments determine whether your firewall protects patient data while meeting operational needs and limiting costs.

HIPAA risk assessments for firewalls should include several critical elements:

• Scope and asset identification. Determine where patient data resides and how it moves around your network. Establish the scope for firewall protection, including any necessary network segments.
• Threat assessment. What kind of cyber threats should the firewall counter? Think about DDoS, data breaches, insider threats, and physical risks to firewall infrastructure.
• Assess vulnerabilities. Check configuration issues like vendor-supplied passwords, default settings, or compatibility problems. Ensure firmware is current. Look at policies and identify gaps that could impact firewall effectiveness.
• Prioritize risks. Identify risks based on vulnerabilities. Rank HIPAA risks based on impact and probability and create risk management plans for each vulnerability. Using a risk matrix makes it easy to visualize risks and keep track of progress.
• Risk mitigation. Test firewalls to ensure they protect HIPAA-covered data. Run simulations to test filtering, access control, and packet inspection features. Check training knowledge and admin controls. Verify firewalls are physically secure. If relevant, test remote access from employee workstations.
• Continuous monitoring. If you have not already done so, implement continuous firewall monitoring.
• Documentation. Create a risk assessment report documenting your findings. This document should explain how your firewall helps you meet HIPAA compliance requirements. It should list any additional mitigation actions and include sign-off from senior company officials.

What happens if your cloud firewall does not guard PHI?

Following best practices and carrying out a robust risk assessment may seem time-consuming. However, spending time on HIPAA risk mitigation is always worthwhile. Insecure firewalls eventually cause serious problems for healthcare companies and their customers.

Firewalls’ most important role is preventing PHI data leaks, the number one cyber attack risk for healthcare organizations.

In 2023, the average data breach cost in the USA was $4.45 million, while the average in healthcare was $10.9 million—a massive difference. Firewalls cut data breach risks by blocking direct access to patient records.

According to HHS, this risk is even greater if companies rely on remote access. Telehealth services and medical practitioners use the public internet to send ePHI and access cloud storage. Firewalls and VPNs secure these connections while allowing innovation and flexibility.

Firewalls can also manage risks from insider attacks by locking ePHI inside secure zones. Only users with a legitimate reason have access to these zones, deterring other users with malicious intentions.

Just as importantly, firewalls achieve HIPAA compliance goals. This avoids some very damaging consequences.

Companies with solid access controls and data filtering systems are less likely to receive HIPAA penalties. Compliant organizations spend less on mitigation activities and avoid reputational damage when regulators detect problems.

How NordLayer can help you achieve HIPAA compliance

Access control policies are essential for HIPAA compliance, and firewalls are key tools for creating secure data environments that meet HIPAA requirements. Firewalls protect sensitive medical records and ensure that only authorized personnel can access critical resources. However, meeting compliance can challenge smaller and medium-sized enterprises.

NordLayer is the ideal HIPAA security partner for companies experiencing these challenges. Our cloud firewall protects today’s hybrid network infrastructures with fine-grained access controls and traffic inspection. Administrators can also set role-based access controls, ensuring only authorized users access sensitive data.

That’s not all. NordLayer also offers VPN coverage, Deep Packet Inspection (DPI), Device Posture Security (DPS), and multi-factor authentication (MFA). Quantum-safe encryption of data in transit also meets HIPAA’s cryptography management requirements.

Together, NordLayer’s features address most of HIPAA’s technical and access control requirements. Applying security measures also makes life easier for users by integrating with business systems.

Our cloud firewall scales smoothly, allowing organizations to grow. IT admins can easily change rules to create groups or manage permissions. There’s no hardware to maintain or update. Everything updates automatically, avoiding security gaps.

Ready to update your firewall and enhance your HIPAA compliance status? Contact the NordLayer team today.