By: Carl Whale – Senior Networking Engineer at Metropolitan Networks
In recent years there has been a significant increase in the number of employees working remotely, from home or from a public WiFi connection, who require secure access to corporate network resources. Typically this is achieved with a VPN (Virtual Private Network). A VPN creates an encrypted tunnel across the Internet from the teleworker's device to the private network, so that traffic between the two cannot be read or modified in transit.
Using a VPN to connect to company resources is generally considered secure, but how secure is it? That depends on how the VPN is configured and on whether security was considered before the deployment was implemented. In this blog we will discuss important security measures and configurations that should be considered when deploying a VPN that allows your employees to connect to your company's network.
- Have a secure remote access policy – Make sure that you have a policy in place that defines how users connect, which users are allowed to use the VPN and what they are allowed to connect to. Limit VPN access to those who genuinely need it, and give each of them the least access required for their role: the VPN concentrator should enforce this with per-user or per-group firewall rules rather than relying on the policy document alone. We have seen many VPNs implemented where every user can connect to everything; this is not a good idea!
- Encryption and Authentication – Over the years many cryptographic algorithms have been developed; advances in computing have made it necessary to implement newer and stronger ones, and older legacy algorithms are no longer considered secure. Make sure your VPN negotiates only current algorithms, for example AES-GCM or ChaCha20-Poly1305 for the data channel, SHA-256 or stronger for integrity, and TLS 1.2 or later (or IKEv2) for the control channel, and that it authenticates both the gateway and the clients with certificates. Explicitly disable legacy options such as DES, 3DES, RC4, Blowfish, MD5 and SHA-1 rather than trusting the defaults, because a product's defaults may still allow them for backwards compatibility. The stronger algorithms are available and have been developed for a reason, so use them!
- Two-Factor Authentication – Use two-factor authentication for your VPN connections. Two-factor authentication requires two independent methods of authentication, for example something the user knows, such as a password, and something the user has, such as a one-time code generated by a hardware token or an authenticator app. A username and password can easily be leaked, or saved in the VPN client itself, so a lost or stolen laptop could potentially give whoever has it access to your VPN. A one-time code is only valid for a short window and cannot usefully be stored, so two-factor authentication offers a second layer of protection.
- Disable VPN Split Tunnelling – Split tunnelling routes only the traffic destined for corporate resources through the encrypted VPN tunnel and lets the rest of the device's traffic go directly to the Internet, outside the tunnel. The device is then connected to an untrusted network and to your corporate network at the same time, so an attacker who compromises it over the direct Internet path (on public WiFi, for example) has a route into your corporate resources, and the direct traffic never passes your security controls. With split tunnelling disabled (a full tunnel, where the VPN pushes a default route to the client) all of the device's traffic is encrypted through the tunnel and subjected to the policies and content inspection of the corporate security appliance that terminates the VPN. The trade-off is that all of the user's Internet browsing now consumes bandwidth on that appliance, so size it accordingly.
- Quarantine users until the connecting computer has been verified – When a client computer first connects to the VPN, it should not have access to the corporate network until it has been checked for compliance with your network policies: for example, a check that this is indeed a permitted company device (a machine certificate or an entry in your device inventory) and a check that it is running up-to-date antivirus software. Until those checks pass, the client should only be able to reach a remediation network containing the update and antivirus servers it needs to become compliant, not production systems.
- Inspect the VPN traffic using threat protection techniques – Ideally, VPN traffic from client devices should be subject to the same inspection as if the client machine were physically connected to the corporate network: the traffic should be scanned for viruses and malware, subjected to intrusion detection and prevention, and subject to application control and web filtering. This is only possible once the VPN has been terminated and the traffic decrypted, and only for traffic that actually enters the tunnel, which is another reason to disable split tunnelling. It helps to minimise the risk of a remote client device being exposed or compromised and, in turn, compromising the corporate network.
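The "Encryption and Authentication" and "Disable VPN Split Tunnelling" points above are easy to state and easy to get wrong in a config file. Below is an added example (not code from the original post, and not a tool from Metropolitan Networks) that audits an OpenVPN server configuration for exactly those two problems: legacy ciphers and digests, a missing TLS floor, and the absence of a pushed default route. The two configs it checks are constructed for illustration; the directive names (cipher, data-ciphers, auth, tls-version-min, push "redirect-gateway") are real OpenVPN directives, but the list of algorithms it treats as weak is this example's own policy.

```python
"""Audit an OpenVPN server config for legacy crypto and split tunnelling.

Added example, not code from the original post. The two config texts below
are constructed for illustration; the directive names are real OpenVPN
directives, but the set of "weak" algorithms is this example's own policy.
"""
import shlex

# Legacy data-channel ciphers and HMAC digests that a current deployment
# should not negotiate (example policy, not a vendor list).
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC", "NONE"}
WEAK_DIGESTS = {"MD5", "SHA1", "NONE"}

# Constructed sample: a config that "works" but leaves old choices in place.
WEAK_CONF = """\
port 1194
proto udp
dev tun
cipher BF-CBC
auth SHA1
# only the office subnet is routed via the tunnel (split tunnelling)
push "route 10.0.0.0 255.255.255.0"
"""

# Constructed sample: the same server with current crypto and a full tunnel.
HARDENED_CONF = """\
port 1194
proto udp
dev tun
data-ciphers AES-256-GCM:CHACHA20-POLY1305
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
tls-crypt /etc/openvpn/tc.key
# send all client traffic through the tunnel so the firewall can inspect it
push "redirect-gateway def1"
push "route 10.0.0.0 255.255.255.0"
"""


def parse_config(text):
    """Return {directive: [args, ...]} for every non-comment line."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = shlex.split(line)  # keeps push "..." as one argument
        directives.setdefault(name, []).append(args)
    return directives


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_config(text)
    findings = []

    # Data-channel cipher: the legacy 'cipher' directive and/or the
    # 'data-ciphers' negotiation list (OpenVPN 2.5+).
    ciphers = [a[0] for a in conf.get("cipher", []) if a]
    for args in conf.get("data-ciphers", []):
        ciphers.extend(args[0].split(":") if args else [])
    if not ciphers:
        findings.append("no cipher/data-ciphers directive: relying on defaults")
    for c in ciphers:
        if c.upper() in WEAK_CIPHERS:
            findings.append(f"legacy data cipher {c}: use AES-256-GCM or CHACHA20-POLY1305")

    # Packet authentication digest.
    for args in conf.get("auth", []):
        if args and args[0].upper() in WEAK_DIGESTS:
            findings.append(f"legacy HMAC digest {args[0]}: use SHA256 or stronger")

    # Control channel: insist on TLS 1.2 or later.
    tls_min = conf.get("tls-version-min")
    if not tls_min or not tls_min[0]:
        findings.append("tls-version-min not set: TLS 1.0 may be negotiated")
    elif float(tls_min[0][0]) < 1.2:
        findings.append(f"tls-version-min {tls_min[0][0]} is below 1.2")

    # Split tunnelling: without a pushed default route, Internet traffic
    # bypasses the tunnel and therefore the corporate inspection point.
    pushed = [a[0] for a in conf.get("push", []) if a]
    if not any(p.startswith("redirect-gateway") for p in pushed):
        findings.append('split tunnelling in effect: no push "redirect-gateway" found')

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or ['OK']}")
```

Run it against the weak config and you get four findings (Blowfish, SHA-1, no TLS floor, split tunnelling); the hardened config passes clean. The same idea applies to any VPN product: read the config your gateway actually runs, not the policy you think it implements.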
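To make the "Two-Factor Authentication", "Quarantine users" and "least access" points concrete, here is an added example (not code from the original post) of the decision a VPN gateway has to make at login: verify the password, verify a time-based one-time code, then check device posture and hand out either full access to the user's permitted networks, a quarantine subnet, or nothing. The one-time code follows RFC 6238 (HMAC-SHA1, 30-second step, six digits) and uses the RFC's published test secret; the user record, the device inventory, the subnets and the three-day antivirus-age limit are constructed for illustration.

```python
"""VPN login gate: password + TOTP second factor, then device posture check.

Added example, not code from the original post. The user record, device
inventory, subnets and the 3-day antivirus-age limit are all constructed
for illustration; the TOTP code follows RFC 6238 (HMAC-SHA1, 30 s step,
6 digits) and the secret is the RFC's test key "12345678901234567890".
"""
import base64
import hashlib
import hmac
import struct

TOTP_STEP = 30                      # seconds per code
TOTP_DIGITS = 6
AV_MAX_AGE_DAYS = 3                 # constructed posture policy
REMEDIATION_NET = ["10.0.99.0/24"]  # constructed quarantine subnet (update/AV servers only)

# Constructed directory: salted PBKDF2 password hash plus the TOTP secret.
_SALT = b"constructed-salt"
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery", _SALT, 100_000),
        "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
        "allowed_networks": ["10.0.10.0/24"],  # least access: only this user's subnet
    }
}

# Constructed inventory of company-issued devices.
PERMITTED_DEVICES = {"LAPTOP-0417", "LAPTOP-0912"}


def hotp(secret_b32, counter, digits=TOTP_DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32.upper())
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, unix_time):
    """RFC 6238 TOTP: HOTP with counter = floor(time / step)."""
    return hotp(secret_b32, int(unix_time) // TOTP_STEP)


def verify_totp(secret_b32, code, unix_time, window=1):
    """Accept the current step and +/- `window` steps to tolerate clock drift.
    Constant-time comparison so timing does not leak which digits matched."""
    counter = int(unix_time) // TOTP_STEP
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + d), code)
        for d in range(-window, window + 1)
    )


def verify_password(user, password):
    """Salted PBKDF2 check; unknown users still cost one PBKDF2 run so the
    response time does not reveal whether the username exists."""
    rec = USERS.get(user)
    stored = rec["pw_hash"] if rec else b"\0" * 32
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return rec is not None and hmac.compare_digest(candidate, stored)


def posture_ok(device_id, av_definitions_age_days):
    """Only a known company device with fresh AV definitions is compliant."""
    return device_id in PERMITTED_DEVICES and av_definitions_age_days <= AV_MAX_AGE_DAYS


def vpn_access_decision(user, password, code, device_id, av_age_days, now):
    """Return (decision, reachable_networks).

    'denied'     -> a factor failed; no tunnel is built
    'quarantine' -> both factors passed but the device is non-compliant;
                    the tunnel is restricted to the remediation subnet
    'full'       -> compliant; the tunnel is limited to the user's networks
    """
    if not verify_password(user, password):
        return "denied", []
    if not verify_totp(USERS[user]["totp_secret"], code, now):
        return "denied", []
    if not posture_ok(device_id, av_age_days):
        return "quarantine", list(REMEDIATION_NET)
    return "full", list(USERS[user]["allowed_networks"])


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; the expected code at this instant is 287082
    code = totp(USERS["alice"]["totp_secret"], now)
    print(vpn_access_decision("alice", "correct horse battery", code, "LAPTOP-0417", 1, now))
    print(vpn_access_decision("alice", "correct horse battery", code, "BYOD-1", 1, now))
    print(vpn_access_decision("alice", "correct horse battery", "000000", "LAPTOP-0417", 1, now))
```

Two details matter in practice: the code window must be small (one step either side is the usual compromise between clock drift and replay exposure), and the quarantine outcome must still build a tunnel, just one whose firewall rules only reach the remediation servers, otherwise the user has no way to become compliant.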