With the number of employees telecommuting, traveling often or working remotely on the rise, the conventional corporate security model is undergoing a major shift. With the availability of VPN (Virtual Private Network) technologies allowing ubiquitous access to company systems, networks and servers, the standard security perimeter many enterprises once enjoyed needs rethinking.
Before the implementation of a remote-access VPN solution, it is imperative for organizations to define who can use the VPN, what it can be used for, and the security policies that prevent improper or malicious use.
Top security concerns
While the increases in productivity and savings that come with remote access VPN is attractive to organizations, considerations must be given to the potential vulnerabilities of this technology. The following are the top security concerns that raise the need of an effective VPN remote access policy:
Man in the middle: If remote access was set up using IKE or another insecure authentication protocol, man in the middle attacks are possible. This attack only needs to interpose itself between the VPN server and the remote user, capture the user’s authentication to the server, and authenticate itself to access the server.
- DDoS: End-user devices (laptops, mobiles, tablets, etc.) have little security in place, so they can be an easier target than the corporate network. Unsecured devices are open to viruses, password harvesting and worms, which could lead to a Distributed Denial of Service attack. This could have adverse effects if a VPN connection introduces malicious traffic into the corporate network.
- SSL trusted certificate authority hack: The whitepaper titled ‘Debunking the Myths of SSL VPN Security‘ informs that the trusted certificate authority to authenticate an SLL connection to VPN can be hacked, as was the case with Comodo. Comodo’s RA (registration authorities) were hacked, and the attacks obtained digital certifications, which could be spoofed to enable hackers to pose as a secure connection to gain access to information about a corporate network, TCP port numbers, protocols, or servers.
Requirements of a secure policy
In order to lessen the exposure of corporate networks to security threats, there are a number of principles and requirements to be considered, around which a secure remote access policy should be devised. Organizations must consider the following:
1. Avoid split tunneling
Split tunneling is when remote users can access secured and unsecured networks when connected to a VPN. This creates the possibility that malicious users can use the remote user’s link to the corporate network to access resources on the corporate LAN through the authenticated connection. This is possible if IP routing is enabled on the computing device of the end user. Organizations in control of how this works should find a way to disable split tunneling, which will depend on the quality of VPN components in question.
2. Define central authentication
A RADIUS server can be used for central authentication when implementing a secure and effective VPN remote access policy. It is a software application that provides access to all users, so when a user logs in, the VPN contacts the RADIUS application which authenticates the user through the Mac, Windows or another OS. The password, username and dial-in access are required for a user to be granted access to the VPN.
3. Ensure safe encryption and SSL connection
Encryption is a major part of remote access security. Less secured protocols such as IPSEC6 and PPTP connections should be avoided if possible. Organizations should aim for the most secure encryption standards such as IPSEC (3DES) and 256-bit AES. SSL-backed VPN should be considered if it is compatible with company applications: in this case, a connection only allows access to individual ports, IP addresses and applications, which makes it more secure than standard connections that grant access to the whole network.
4. Aim for customizability and versatility
Deployment-proven remote-access technology should be a part of the implementation. In this case, IPsec VPN connections can be established for company-managed servers. IPsec remote access offers customizability and versatility through modification of VPN client software. With APIs in IPsec software, organizations are able to control the function and appearance of the VPN client for applications and special case uses.
5. Look for VPN gateways to prevent access abuse
Technologies required for preventing remote access abuse and mitigating threats such as spyware, viruses, and malware already exist in the security infrastructure of many enterprise networks. However, they are not integrated in a way that they can ensure remote access security, due to the way VPN traffic is encrypted. While additional security equipment may be installed and purchased to protect the VPN network, the most cost-effective solution would be to consider VPN gateways that offer application firewall and threat mitigation services as a built-in part of the VPN product.
6. Verify IP addresses and ports with a protocol analyzer
Most remote access setups will allow you to define the ports, applications, and IP addresses, and what they may do on the server. This is required to protect the internal corporate LAN network from malicious attackers and viruses at the end of the VPN client. Once the ports and IP addresses are defined, they can be verified with Ethereal or another protocol analyzer.
7. Make sure applications are supported
Many vendors promise support for all applications, but solutions need to be investigated. While VPN solutions claim to incorporate standard protocols, they may have vendor-specific implementations that are not suitable for a company. An effective VPN remote access policy requires testing and investigation of applications that require server-initiation connections, system management software and IM solutions. VPNs running on SSL connections may not support these protocols. End users trying to access unsupported applications on the server may create security loopholes.
The importance of effective policy implementation
Remote access VPN can be an attractive ground for hackers and malicious attackers, so an organization’s server must be protected by a security or network administrator. By having an effective VPN remote access policy, you can reduce the risk of your organization’s network assets and support calls from end users.
A VPN policy should be documented, and every user remotely connecting to the network should read and accept the terms of that policy. Administrators reserve the right to configure the concentrator to limit connection times to usual business hours or as determined by the need of demonstration.
The policy would define responsibilities of the end users, such as the following:
- All remote users must note that the use of the VPN system does not imply that all the transmissions between the NCCC network and the remote PC are secure. It is the responsibility of the user to configure their applications to utilize the VPN if they want to contribute towards the security of transmissions.
- All users must connect to a centrally authenticated VPN and the client software associated with that VPN.
- Remote devices and systems must have up-to-date anti-virus and anti-malware software enabled and installed.
- For connections where strict data confidentiality is required, remote access devices should work through end-to-end encryption.
- Systems with multiple user accounts may be prohibited to create VPN connections to the corporate server for the entire host and its users.
- The operating system of all remote devices must be kept up-to-date by applying patches as soon as they become available to download.
- In order to utilize a VPN service, all remote systems should be connecting through compatible operating systems, such as OS X or Windows XP. Any OS that is not compatible with the vendor implementation will not be supported.
The policy would then define the responsibility of the security department:
- Provide end users with detailed instructions for installing the VPN client on their devices.
- Manage services that support the VPN-connected network device the VPN client, and the software that grants users access to the server.
- Scan for unauthorized connections and cut-off access of those systems engaging in non-sanctioned connections.
- Review the users request for access and submit it to the security policy audit department.
- Assure that all users have reviewed the policy in place.
An effective policy would also ensure that internal address configurations and system related information for the corporate servers and networks are kept confidential. The corporate network information shall not be released to third-party networks that do not have a need of such information. Also, the security implementations will protect the corporate systems against inherent risks.
Organizations need better policies to drive up productivity of remote workers while managing and mitigating risk. Effective VPN remote access policies are a requirement in enhancing and maintaining enterprise network safety and enhancing trust of end users who are given access to VPN services.