With the sudden and rushed deployment of Virtual Private Network (VPN) services to further support new remote workers, many companies are discovering firsthand the struggles of implementing a VPN into their network. Without the needed experience, the configuration can leave your network, endpoints, and data vulnerable to attack.
Proper implementation, ongoing management, and monitoring of this device are the keys to success. Clare has been assisting clients with implementing new solutions for over 30 years. Our approach is to ensure your business objectives are addressed while highlighting potential risks and vulnerabilities. We will review the overall network architecture to identify and address potential access control concerns, issues of scaling and load challenges, authentication concerns, and, finally, endpoint protection as part of our design discussions. A thorough implementation will ensure a successful and secure VPN solution.
Four risks you should consider when deploying VPN:
- Network Architecture Concerns
It’s important to properly design the VPN deployment. Understanding the number of users needing remote access will allow you to build for scalability as well as for potential latency. Keep in mind: the more VPN users we have, the more IP addresses are needed, and the more bandwidth used, the more latency we may introduce. Lastly, restricting access on the VPN is paramount to ensuring users only have access to the things they should be able to access. If possible, configure the VPN to assign users IP pool addresses specific to their roles and needed resources. For example, have all remote developers drop into a different subnet than the sales team. Not only does this make access control easier, but it also makes internal routing to systems easier as well.
It is critically important to remember that unless you take additional steps to provide strong authentication, your employees may not be your only VPN users; opportunistic attackers may use your VPN as well.
- Authentication Risks
The key to our success as a managed service provider and security provider is having strong methods for authentication for any user or device attempting to connect to your network. VPN authentication works in a few ways, ranging from authenticating usernames/passwords against Microsoft’s Active Directory or utilizing a system such as RADIUS to more complex solutions like multifactor authentication. Ensuring the use of strong passwords and multifactor authentication of some kind is a minimum requirement for all VPN deployments.
Your business should monitor the authenticating systems closely and watch for evidence of brute force or credential stuffing attacks. These attacks expose corporate logins to the entire internet. The risks also include overloading the VPN server, deliberate account lockouts, or worse, total network access for the attackers.
Deploying company-provided devices for remote workers, properly hardened with client certificates and endpoint protection (EPP), will minimize your risk exposure.
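As an added illustration (not code from the original post or from Clare), the following Python sketch shows the kind of check that VPN authentication monitoring should perform: it separates a brute force pattern (many failures against few accounts from one source) from credential stuffing (failures spread across many distinct accounts) and flags a success that follows a run of failures. The log format, field names, thresholds and sample events are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample VPN authentication log lines (not from the original post).
# Assumed line format: "<timestamp> vpn-auth <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2020-04-01T08:00:01 vpn-auth FAIL user=jsmith src=203.0.113.10
2020-04-01T08:00:02 vpn-auth FAIL user=jsmith src=203.0.113.10
2020-04-01T08:00:03 vpn-auth FAIL user=jsmith src=203.0.113.10
2020-04-01T08:00:04 vpn-auth FAIL user=jsmith src=203.0.113.10
2020-04-01T08:00:06 vpn-auth OK user=jsmith src=203.0.113.10
2020-04-01T08:01:00 vpn-auth FAIL user=akhan src=198.51.100.7
2020-04-01T08:01:01 vpn-auth FAIL user=bwong src=198.51.100.7
2020-04-01T08:01:02 vpn-auth FAIL user=cdiaz src=198.51.100.7
2020-04-01T08:01:03 vpn-auth FAIL user=dlee src=198.51.100.7
2020-04-01T08:02:00 vpn-auth FAIL user=tnguyen src=192.0.2.5
2020-04-01T08:02:10 vpn-auth OK user=tnguyen src=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<ip>\S+)$")

def parse_log(text):
    """Parse raw log text into event dicts; lines that do not match are skipped."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def detect_auth_abuse(events, fail_threshold=4, distinct_user_threshold=4):
    """Per source IP: 'brute_force' (many failures, few accounts),
    'credential_stuffing' (many failures over many distinct accounts), or
    'possible_compromise' (a success after the failure threshold was crossed)."""
    failed_users = defaultdict(list)   # ip -> usernames seen in FAIL events
    alerts = {}
    for ev in events:                  # events are assumed to be in time order
        ip = ev["ip"]
        if ev["result"] == "FAIL":
            failed_users[ip].append(ev["user"])
        elif len(failed_users[ip]) >= fail_threshold:
            alerts[ip] = "possible_compromise"   # highest priority finding
    for ip, users in failed_users.items():
        if ip in alerts or len(users) < fail_threshold:
            continue
        if len(set(users)) >= distinct_user_threshold:
            alerts[ip] = "credential_stuffing"
        else:
            alerts[ip] = "brute_force"
    return alerts
```

In practice the same logic would run over a sliding time window and feed the alerts to the SOC; the thresholds here are deliberately low so the constructed sample triggers each case.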
- Appliance Vulnerabilities
With every appliance comes risk. As a managed service and security provider, we minimize exposure by monitoring the VPN appliances closely, including CPU and memory usage changes, as well as looking for evidence of denial-of-service attacks. In these unusual times, your network devices could be the only way into your business, so companies must watch, protect, and provision VPN devices to withstand attack. Deploying in a high availability configuration is also best practice for a critical business system.
Most VPNs handle different forms of traffic, including split-tunnel and full-tunnel options. Full tunneling, when enabled, is generally accepted as the most secure method for deployment: it routes all traffic through the secured corporate environment, at the cost of increased network usage on the Wide Area Network (WAN) links within your network.
Encryption is vital to your VPN security. These devices are built to prevent malicious actors from inspecting your traffic on unsecured links. For this to succeed, we use encryption to resist attacks and vulnerabilities. With so many VPNs providing sub-par security and protection, take time to configure secure settings throughout rather than relying on the defaults.
- Risks to Endpoints
Critical for securing deployments are the systems you allow to connect to a corporate environment. Ideally, these endpoints should be fully patched, authenticated systems with strong password policies, and should include an endpoint protection (EPP) solution. The best way to ensure this is the case is to only allow corporate-provided and managed devices access to your network (no personal devices).
Most compromises come through the endpoints or users themselves. Personal systems typically go unmanaged, missing crucial updates, patches, and needed certification. With many businesses caught in a pinch, companies will have limited to no visibility into personal machines. This means there is no guarantee of end-user security. Often personal devices can be infected with malware that uses this opportunity to infect other machines and systems. With the lack of access control during a hasty corporate deployment, these errors could spell disaster for your business. Our best practice is to assume that any unknown device connecting is already breached and to institute appropriate monitoring and controls to detect any malicious activity. Clare’s Managed Endpoint Security Solution includes 24×7 monitoring and management of these devices (backed by a SOC) to rapidly identify and remediate anomalies at the endpoints.
Possible Alternatives
- Limit the access provided for remote workers. For example, if the employee works mostly locally on their device and needs access to email to communicate and to send and receive files, consider providing access only to a webmail service instead of full VPN connectivity.
- Implement a Remote Desktop Solution. If available, remote desktops can be a great tool, allowing many users to connect to a virtual computer that stays within the safety of your company network. A virtual desktop allows all data and applications to remain within the network, and only a visual representation is sent to the user’s desktop via a shortcut. This allows IT to monitor, manage, and maintain your virtual desktops just like the on-site corporate network.
- Utilize third-party services such as cloud email, collaboration, chat, or file sharing as appropriate. These tools have become extremely useful for business today. Microsoft Office 365, Teams, and Zoom Meetings allow for more collaboration and communication between teams. Implementing a cloud strategy requires much discussion and proper planning to ensure success. Make sure you understand the risks and have a cloud strategy in place prior to implementing these services.
In Conclusion
Quick deployments of VPNs into environments that weren’t designed for remote workers introduce new risks. Managing these risks requires a thoughtful, step-by-step approach that thoroughly assesses opening up your network to remote access. Proper configuration, intensive monitoring, tightly controlled access controls, and some creative thinking about how to deploy endpoints can go a long way toward making this less risky in the long run.
Clare Computer Solutions can help you properly design and configure the right remote access solution for your business. We can provide intensive monitoring and access controls, and assist with your business’s deployments of endpoints and network equipment.