Hacking

Best practices for securing remote access

Zain Imran
October 13, 2015 by
Zain Imran

Most, if not all, of the day-to-day tasks performed in offices today rely heavily on technology, mainly computers, laptops, tablets & smart devices. As the world and the global economy become increasingly interconnected, members of the staff too are required to go mobile. Sometimes, the need arises to work from home or somewhere away from the office, plus, a lot of companies have more than one office, in different parts of the world, and that requires them to have secure communications and exchange of data between offices.

We have, time and again, witnessed some major security lapses being exploited by hackers over the years. Even a giant like Sony's security was compromised when hackers were able to penetrate through their defense apparatus to gain information pertaining to network infrastructure, user authentication, and staging and production databases. The hackers were even successful in stealing information of routers, switches, and load balancers at Sony! Consequently, the company took a huge credibility hit because of this incident.

Earn two pentesting certifications at once!

Earn two pentesting certifications at once!

Enroll in one boot camp to earn both your Certified Ethical Hacker (CEH) and CompTIA PenTest+ certifications — backed with an Exam Pass Guarantee.

Your business cannot overlook the need for granting remote access to employees, unless you want to concede market share to your competitors. You never know when the need arises for a team member to urgently access their company email, connect to the company intranet, or access any other vulnerable company asset, from a remote location, in order to do their job.

Our aim is to discuss the best practices for providing secure remote access to your corporate network through a Virtual Private Network (VPN) through this article. A mix of strategies is required to achieve optimum security while allowing appropriate, or even maximum, access to your employees while working from a remote location.

Let's dive right in.

Security policy

The first thing that's required to ensure smooth remote access via a VPN is to plan out a comprehensive network security policy.

  • What are the classes of users?
  • What level of access is allowed to a class?
  • Which devices are allowed to connect to the corporate network through a VPN?
  • Which authentication method will be used and how will it be implemented?
  • How will you counter sloppy practices?
  • What are the Standard Operating Procedures (SOPs) in case of a network breach?
  • What is the maximum idle VPN connection time allowed before automatic termination?

A thorough risk-and-needs assessment will help you formulate an efficient and effective security policy. Make sure that your network security policy is part of the official company manual, and that all the employees are given proper overview of the security policy and training for VPN use.

Best practices

Before discussing various types of remote VPN connections, it is prudent to be aware of remote networking best practices.

It is a set-in-stone best practice to ensure that only company-issued hardware devices are able to connect to the internal corporate network, with or even without a VPN.

To ensure that no unauthorized software is able to install itself, or by a user, and cause a virus, worm, Trojan or malware infection on a device, each device must deny administrator rights to the user of that particular device or all the employees in general. This ensures protection against Distributed Denial of Service (DDoS) attacks.

Since employees won't be able to alter any configurations, device conflicts will also be eliminated, and hence your support team will have to entertain fewer support calls.

Another major security measure that must be adopted is the installation of antivirus and a firewall on all company provided hardware. Malicious files are kept out by an anti-virus, while more direct hacking attempts are thwarted by a firewall.

So, you have a three-layer line of defense working to protect remote access to your network: anti-virus, firewall, and VPN. The network security team should monitor alerts from these defenses constantly.

Adopting two-factor authentication for remote access through VPN further boosts your network security. Now let's take a look at why you should choose a particular VPN type as a secure connection methodology instead of the alternatives.

Which road to choose?

Three types of VPN connections are widely employed in the corporate world:

  1. Remote Access Server (RAS)
  2. Internet Protocol Security (IPSec)
  3. Secure Sockets Layer (SSL)

RAS:

The most basic form of VPN remote access is through a RAS. This type of VPN connection is also referred to as a Virtual Private Dial-up Network (VPDN) due to its early adoption on dial-up internet.

There are two main components of this connection type; a dedicated or shared RAS server used extensively for user credentials authentication, and software installed on the client device. The software application could be built-in to the operating system, or it could be installed by the company's networking team.

The client-side software is responsible for establishing a tunneling connection to the RAS and for the encryption of data.

RAS VPNs are appropriate for small companies, requiring a remote access for a few employees. However, most serious businesses have moved on from this basic form of VPN connection.

IPSec:

IPSec is an IP packet authentication and encryption method. It uses cryptographic keys to protect data flows between hosts and security gateways.

The unique feature of IPSec is that it operates at the Network Layer of the Open Systems Interconnection (OSI) protocol model. This allows IPSec to protect data transmission in a variety of ways.

IPSec is used to connect a remote user to an entire network. This gives the user access to all IP based applications. The VPN gateway is located at the perimeter of the network, and the firewall too is setup right at the gateway. However, client software must be installed in order to achieve IPSec VPN access.

What are the implications of IPSec connections for corporations, considering the very nature of this connection? Well, your employee will only be able to access the network from a single, authorized device. Security is further boosted by the enforcement of antivirus and firewall policies.

A company should go for IPSec VPN remote access if it has a strong networking department with the ability to configure each employee's hardware device individually (installing client software, enforcing security policies etc.). IPSec VPN connections are also important for an employee who needs widespread access to the company's network.

A word of warning: If you are using IPSec VPN for remote access, but you are not deploying Internet Key Exchange (IKE, certificates) as an authentication method, the connection will be vulnerable. For many use cases, XAUTH and L2TP methods of IPSec authentication are prone to security lapses.

SSL

A lot of corporations worldwide have adopted SSL VPNs for their remote access needs. This method provides VPN access through any regular browser! It requires no special software to be installed on the employee's device.

A Secure Sockets layer connection operates at the Transport Layer or Application Layer of the OSI Model of protocols. SSL VPN gateways are deployed behind the perimeter firewall, with rules which grant or deny access to specific applications.

Thus, SSL provides "granular" access to the corporate network. The remote user is able to access only those applications which are relevant to his or her work, and is not able to access other areas of the network.

Although a lot depends on which class a user is a member of, for most use cases, granting access to specific applications such as the remote employee's mailbox on an exchange server, and a subset of URLs hosted on the intranet web server is just the right strategy. Why expose the entire network to risks? SSL VPNs are a good choice for remote access.

Become a Certified Ethical Hacker, guaranteed!

Become a Certified Ethical Hacker, guaranteed!

Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.

Always use protection

Whichever VPN connection you decide is the best fit for your organization, never think about granting remote access to your employees without a VPN! By implementing the best practices mentioned here, and by carefully choosing the VPN connection type based on your business needs, your organization can achieve amazing levels of productivity.

Zain Imran
Zain Imran

Zain Imran is a Digital Content Producer and a PureVPN Ambassador, who loves writing about the latest Trend Setting Technologies, Online Security Revelations and abominations in the form of technological threats to an individual’s privacy and online freedom. He also happens to be an engineer, a sportsman and self proclaimed fitness freak.

Get in touch on twitter: @ZIRizvi