The VPN has revolutionized the way we work. For over 20 years it has allowed everyone from executives on down a company's organizational chart to work anywhere, from home to the airport to the resort. (The debate of work/life balance versus always-available connectivity will not be solved by me, and not here.) This ability to connect from almost anywhere in the world has not only revolutionized how we work, it has saved many on-call engineers late-night trips to the datacenter.
However, in spite of its convenience and functionality, a VPN can present significant security risk if it is not properly implemented.
First and foremost: which VPN protocol are you using? Many VPN protocols and encryption algorithms have come and gone (PPTP, modem banks, DES and so on). In today's world there are two heavyweights in terms of security, support and functionality: IPsec and SSL.
IPsec has been around for decades and is the tried-and-true solution. Over time IPsec has adapted by adding newer encryption and hash algorithms: DES gave way to 3DES, which gave way to AES, and so on.
Every IPsec VPN connection goes through two phases. During phase one, the VPN peer devices negotiate how they are going to encrypt and pass traffic. If you must use the Internet Key Exchange version 1 (IKEv1) protocol here, there are a couple of important things to remember. The obvious ones are the encryption/hash algorithms and the length and complexity of the pre-shared key. The most important aspect of IKE is whether you are using Aggressive Mode or Main Mode. Essentially, Aggressive Mode compresses the initial exchange into fewer messages, and in doing so the hash derived from the pre-shared key is sent before the channel is encrypted.
This presents a huge security risk, because anyone who captures that exchange can attempt to crack the pre-shared key. Here's a really good write-up of that information.
Once you are in phase two of the IPsec process, enable perfect forward secrecy (PFS), so that a compromised long-term key does not expose past sessions, and replay detection, so that captured packets cannot be re-sent into the tunnel once it is established.
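The phase one and phase two checks above are easy to audit mechanically. The following is an added example written for this post (not a vendor tool) that parses a strongSwan-style ipsec.conf and flags Aggressive Mode, legacy algorithms, a missing DH group in the phase 2 proposal (which in strongSwan is how PFS is enabled) and a replay window of zero (which disables replay detection). The sample configuration is constructed, and the interpretation of those two strongSwan keywords is an assumption stated in the comments.

```python
"""Audit ipsec.conf 'conn' sections for the IKE/IPsec weaknesses discussed
above.  Example code written for this post, not part of strongSwan or any
vendor product; SAMPLE_CONF is a constructed configuration."""
import re

WEAK_CIPHERS = {"des", "3des", "null"}
WEAK_HASHES = {"md5", "sha1", "sha"}          # "sha" is strongSwan shorthand for sha1
WEAK_DH = {"modp768", "modp1024"}
DH_PREFIXES = ("modp", "ecp", "curve25519", "curve448")

SAMPLE_CONF = """\
config setup

conn legacy-branch
    keyexchange=ikev1
    aggressive=yes
    authby=secret
    ike=3des-md5-modp1024!
    esp=aes128-sha1!
    replay_window=0
    auto=add

conn hardened-branch
    keyexchange=ikev2
    authby=secret
    ike=aes256-sha256-modp2048!
    esp=aes256gcm16-modp2048!
    auto=add
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if line.startswith("config"):             # 'config setup' is not a conn
            current = None
            continue
        if current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns


def proposal_tokens(proposal):
    """Split 'aes256-sha256-modp2048!' (possibly comma-separated) into tokens."""
    tokens = []
    for prop in proposal.rstrip("!").split(","):
        tokens.extend(t.strip().lower() for t in prop.split("-") if t.strip())
    return tokens


def audit_conn(opts):
    """Return a list of human-readable findings for one conn section."""
    findings = []
    # Aggressive Mode only exists in IKEv1; strongSwan's default keyexchange
    # ('ike') still permits IKEv1, so treat that as exposed too.
    if (opts.get("keyexchange", "ike").lower() in ("ike", "ikev1")
            and opts.get("aggressive", "no").lower() == "yes"):
        findings.append("IKEv1 Aggressive Mode enabled: PSK hash exposed to offline cracking")
    for section in ("ike", "esp"):
        for tok in proposal_tokens(opts.get(section, "")):
            if tok in WEAK_CIPHERS:
                findings.append(f"{section}: weak cipher {tok}")
            elif tok in WEAK_HASHES:
                findings.append(f"{section}: weak integrity algorithm {tok}")
            elif tok in WEAK_DH:
                findings.append(f"{section}: weak DH group {tok}")
    # Assumption: a DH group in the esp proposal is what turns on PFS.
    esp_tokens = proposal_tokens(opts.get("esp", ""))
    if esp_tokens and not any(t.startswith(DH_PREFIXES) for t in esp_tokens):
        findings.append("esp: no DH group in phase 2 proposal, PFS disabled")
    # Assumption: replay_window=0 disables replay detection (default is 32).
    if opts.get("replay_window", "32") == "0":
        findings.append("replay_window=0: replay detection disabled")
    return findings


def audit(text):
    """Map every conn name in the config to its findings (empty list = clean)."""
    return {name: audit_conn(opts) for name, opts in parse_conns(text).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONF).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

Run against the constructed sample, `legacy-branch` produces seven findings and `hardened-branch` none; point `audit()` at the text of a real ipsec.conf to review your own tunnels.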
The new hotness in terms of VPN is Secure Sockets Layer (SSL). An SSL VPN can provide either a full remote-access tunnel or a layer 7 connection to a specific application. SSL is typically much more versatile than IPsec, but with that versatility comes additional risk. The biggest mistakes I see in the field regarding SSL VPNs are using untrusted, self-signed certificates and not keeping up to date on patches for the VPN endpoint device. The list of SSL vulnerabilities is pretty long, the most famous recent one being Heartbleed.
For both SSL and IPsec VPNs you will always have to worry about authentication and access. In a smaller environment you can use local authentication on the firewall. Most environments will use Active Directory as the authentication source for the VPN, via either RADIUS or LDAP. Both are relatively easy to set up, and it is just as easy to forget the secure options for each (LDAP over TLS rather than cleartext LDAP, for example).
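To make the "secure options" point concrete for LDAP: when a firewall authenticates VPN users with an LDAP simple bind over plain port 389, the user's password crosses the wire in cleartext inside the BindRequest. The following is an added example written for this post (not from any vendor or library) that decodes an LDAPMessage with a minimal BER parser and flags simple binds that are not protected by TLS, reporting only the DN and the password length. The small BER encoder exists only to build a constructed sample packet; the DN and password in it are made up.

```python
"""Detect LDAP simple binds sent without TLS (RFC 4511 BindRequest).
Example code written for this post; not part of any vendor product.
Passwords are never returned by the inspector, only their length."""

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
SIMPLE_AUTH = 0x80    # AuthenticationChoice simple [0], primitive
SASL_AUTH = 0xA3      # AuthenticationChoice sasl [3], constructed


def ber_len(n):
    """Definite-form BER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def build_simple_bind(message_id, dn, password):
    """Encode an LDAPv3 BindRequest with simple authentication (sample builder)."""
    bind = (tlv(INTEGER, bytes([3]))             # version 3
            + tlv(OCTET_STRING, dn.encode())     # name (LDAPDN)
            + tlv(SIMPLE_AUTH, password.encode()))
    return tlv(SEQUENCE, tlv(INTEGER, bytes([message_id])) + tlv(BIND_REQUEST, bind))


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the BER element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                              # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def inspect_ldap_message(data, over_tls):
    """Classify one LDAPMessage; 'risk' is set when credentials are exposed."""
    tag, msg, _ = read_tlv(data, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = read_tlv(msg, 0)
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag != BIND_REQUEST:
        return {"op": "other", "risk": None}
    _, _version, pos = read_tlv(op, 0)
    _, dn, pos = read_tlv(op, pos)
    auth_tag, auth, _ = read_tlv(op, pos)
    result = {"op": "bind", "message_id": int.from_bytes(msg_id, "big"),
              "dn": dn.decode(errors="replace")}
    if auth_tag == SASL_AUTH:
        result.update(auth="sasl", risk=None)
    elif not auth:
        result.update(auth="anonymous", risk="unauthenticated bind (empty password)")
    else:
        result.update(auth="simple", password_len=len(auth),
                      risk=None if over_tls else "cleartext credential on the wire")
    return result


if __name__ == "__main__":
    # Constructed sample: what a firewall's LDAP bind looks like on port 389.
    pkt = build_simple_bind(1, "CN=vpn-svc,OU=Service,DC=example,DC=com", "constructed-secret")
    print(inspect_ldap_message(pkt, over_tls=False))
    print(inspect_ldap_message(pkt, over_tls=True))
```

The same inspector, fed LDAP payloads from a capture on the firewall-to-domain-controller path, tells you in one pass whether the VPN's directory lookups are binding in the clear; the fix is LDAPS (port 636) or StartTLS on the firewall's LDAP server definition.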
Once connected, a VPN client has access to the business network. In the world of BYOD, the end user's computer connected to your network is the biggest vulnerability: your network administrators have no control over personal devices or their compliance. Fortinet, Cisco and other vendors have product offerings that perform network access control (NAC). NAC allows the firewall to check a client system for patch level, antivirus and other measures of compliance, and non-compliant systems are either refused a connection or isolated.