Securing the way remote users can access an organization’s local network has quickly become one of the most important security challenges for administrators. Many security experts affirm the value of deploying Virtual Private Networks (VPNs), which are powerful solutions that reduce your network’s threat surface. Unfortunately, when used incorrectly, VPNs can actually increase your security risk. This article aims to address some of the more common VPN deployments and how they can be best implemented to protect your users, data, and resources.
What is a VPN?
A VPN is a networking solution that allows you to send and receive network traffic from an IP address of a different host. Your data is routed through this second host (known as a VPN endpoint) via an encrypted connection, which will then relay data on your behalf.
In essence, it allows you to ‘borrow’ a host’s address and location, and anything you do will seem to have been done by that host and from its location.
How VPNs are Used
VPNs are versatile, and not all features will necessarily be beneficial to your environment. In an enterprise environment, VPNs are primarily used for one of three reasons, which are not mutually exclusive. Table 1 below summarizes several common enterprise use-cases mapped to the appropriate VPN deployment.
Secure Remote Access: In many cases, it is necessary for systems and users external to an organization’s network to access local resources and services. Exposing these resources to the internet can significantly increase your threat surface by adding avenues of entry into your network that may be susceptible to exploitation.
A Remote Access VPN can act as a single point of entry into a network, allowing external users to securely access resources and services on the internal network without exposing those services to the internet. This type of VPN is hosted on a server within the network—often either a physical device supplied by the VPN provider, or as software installed onto an existing server. Client software is installed on user workstations, which allows them to access the local network via the VPN as if they were physically on premises.
Full Encryption of External Traffic: The use of encryption in traffic sent to or received from hosts outside of the local network is essential to ensure that it cannot be accessed by unintended third parties. Secure protocols such as HTTPS and FTPS are an effective way to encrypt sensitive information; however, some protocol header information can still be intercepted by third parties, including website domains and IP addresses. This information may be logged and tracked by an Internet Service Provider (ISP) or other organizations interested in tracking internet activity.
A Distributed VPN can be used to further hide internet browsing activity and other external communications to ensure that it cannot be accessed by unauthorized third parties. This type of VPN generally involves a network of VPN endpoints in various geographical locations, allowing traffic to be routed via one or more hosts that cannot be associated with a user’s enterprise or location. All traffic between the local network and the VPN endpoints is fully encrypted.
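To make the preceding point concrete: even when a site is reached over HTTPS, the host name is sent in clear text in the TLS ClientHello's Server Name Indication (SNI) extension, so anyone on the path (an ISP, a hotel network) can record which sites a user visits without breaking the encryption. The following added example (it is not part of the original article and is not Field Effect code) builds a minimal TLS 1.2 ClientHello as constructed sample input and then parses it the way an on-path observer would, recovering the host name. The host name used is a constructed placeholder.

```python
import struct
from typing import Optional


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record.

    This is sample input built for the demonstration, not captured traffic.
    If hostname is None the record carries no extensions at all.
    """
    body = (
        b"\x03\x03"                          # client_version: TLS 1.2
        + bytes(32)                          # random (all zero for the sample)
        + b"\x00"                            # session_id length: 0
        + struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite
        + b"\x01\x00"                        # one compression method: null
    )
    if hostname is not None:
        name = hostname.encode("ascii")
        # server_name entry: name_type 0 (host_name), 2-byte length, name
        sni_entry = struct.pack("!BH", 0, len(name)) + name
        sni_body = struct.pack("!H", len(sni_entry)) + sni_entry
        extension = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body
        body += struct.pack("!H", len(extension)) + extension
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host name in a ClientHello's SNI extension, or None.

    Mirrors what a passive observer on the path can read from the first
    packet of an HTTPS connection: no key material is needed.
    """
    if len(record) < 5 or record[0] != 0x16:
        return None                          # not a TLS handshake record
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                          # not a ClientHello
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]

    pos = 2 + 32                             # skip client_version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                     # skip session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                     # skip compression methods
    if len(body) < pos + 2:
        return None                          # no extensions present
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))

    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        edata = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != 0x0000 or len(edata) < 5:
            continue                         # not server_name, or malformed
        list_len = struct.unpack("!H", edata[:2])[0]
        p = 2
        while p + 3 <= min(2 + list_len, len(edata)):
            ntype = edata[p]
            nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
            if ntype == 0:                   # host_name
                return edata[p + 3:p + 3 + nlen].decode("ascii", "replace")
            p += 3 + nlen
    return None


if __name__ == "__main__":
    sample = build_client_hello("intranet.example.com")   # constructed host name
    print("observer sees host name:", extract_sni(sample))
    print("non-TLS payload:", extract_sni(b"GET / HTTP/1.1\r\n"))
```

Routing the connection through a VPN does not remove the SNI; it moves it inside the tunnel, so the ISP sees only the encrypted tunnel to the VPN endpoint and the endpoint operator becomes the party that can see host names, which is why the provider's logging practices discussed later matter. TLS 1.3's Encrypted Client Hello is designed to hide the SNI itself but is not yet universally deployed.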
Secure Integration of Multiple Networks: For enterprises with multiple physical locations, or with both physical and cloud network infrastructure, multiple local networks may be connected via the internet. This poses many of the same issues as remote users when attempting to make internal resources and services available to multiple networks, since this otherwise requires exposing them to the internet.
A Site-to-Site VPN establishes a permanent, fully encrypted connection between two internet-connected networks. This allows for secure and seamless access to resources on all connected networks, and often appears to users as one single local network. Many cloud providers offer integrated site-to-site VPNs as a part of their service.
While technically different from a VPN, SD-WAN provides another very similar option for securely connecting multiple local networks. SD-WAN generally requires more complicated infrastructure than a VPN but may scale better in high and varied traffic environments.
Table 1: Common Enterprise VPN Deployments

| Use Case | VPN Deployment |
|---|---|
| Encrypt and anonymize traffic between internal hosts and the internet. | Distributed VPN installed on the web proxy and/or network gateway. |
| Allow remote users to securely access internal resources. | Remote access VPN hosted on a server within the local network. |
| Securely integrate local networks at separate locations. | Site-to-Site VPN or SD-WAN between one or more servers in each network. |
| Securely integrate local and cloud networks. | Site-to-Site VPN between a server in the local network and a cloud hosted server. |
| Anonymize remote users connecting to internal resources. | Distributed VPN installed on each remote host. |
In addition to enterprise security solutions, VPNs have gained significant traction with individual users seeking added privacy in their day-to-day internet use. This has significantly diversified the level of quality, security, and scalability offered by different providers. There is some overlap in what is offered by providers in each category, and some providers additionally offer different tiers of service targeting both enterprises and individuals.
Commodity Solutions: Many VPN providers focus exclusively on Distributed VPNs and primarily target individual users. These solutions often consist of software installed on individual hosts, and may be available for multiple operating systems, including mobile devices. Most of these services charge a monthly or yearly subscription fee, but some are offered free of charge.
Enterprise Solutions: Enterprise level providers generally focus on Remote Access and Site-to-Site VPN solutions, though Distributed VPNs may be offered as well. In addition to VPN software, they may offer dedicated hardware devices, SD-WAN options, and customer support.
It is important to consider the actual security and privacy offered by a provider when selecting a VPN service. This is especially true when using a commodity solution. Many providers, enterprise solutions providers in particular, facilitate audits of their services by independent third parties, which can provide additional insight into their reliability and privacy practices.
Logging: Many VPN services log customer data, often associating customer accounts with their activity while using the VPN. This data may be used for tracking or sold for additional profit—negating the potential privacy benefits of using the VPN. Many services claim that they do not log or track clients, but this should be verified by an independent third party.
Tracking and Monetization: As with any software or service, it is important to consider the provider’s business model and how they are profiting (financially or otherwise) by offering this service. Be wary of freely offered services or those offered at a significant discount as they will need to find profit in other places. In addition to potentially tracking and selling client data, some services may inject advertising into their service, or may use your system resources to aid in running their service.
Throttling: Some providers may limit the amount of bandwidth or data through transfer quotas—either due to insufficient infrastructure or to sell higher-tier subscriptions.
Users with Commodity VPNs: Some of your remote users may use their own distributed VPN solution on their host to connect to your network. This can cause security issues such as masking malicious activity on their accounts or circumventing effective security best-practices that you may have enabled, such as Access Control Lists.
Field Effect Recommendations
Enterprises with remote users or with multiple networks connected via the internet should consider enforcing the use of VPNs to access internal resources. In addition to consolidating connectivity via a single method, VPNs are intended to be exposed to the internet and have better security and update support than many other services.
Certain enterprises may additionally benefit from the anonymous browsing provided by a distributed VPN service. The security benefits of this type of VPN are limited, and it may not be worthwhile for organizations where absolute privacy and anonymity are not required.
As with any exposed service, VPN use should be strictly controlled to prevent unauthorized access. Here are some suggestions for further securing a VPN:
- Ensure all accounts use strong, unique passwords to prevent threat actors from guessing or using stolen credentials.
- Use Multi-Factor Authentication to further secure accounts against unauthorized access.
- Use an Access Control List to prevent all but known IP addresses from connecting to the VPN, significantly reducing the likelihood of malicious activity.
- Use only one trusted VPN service if possible—multiple services provide multiple routes of entry into your network, thereby increasing your threat surface.
- Prevent the use of commodity VPNs on remote systems when used to access the enterprise network. You may wish to prohibit the use of these VPNs altogether or provide a single distributed VPN solution to your users.
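The two checks most often automated from the list above are the source-address ACL and a watch for credential guessing against VPN accounts. The following added example (not Field Effect's code and not from any particular VPN product) evaluates a constructed VPN server log against an allow list of known source ranges and flags sources with repeated authentication failures. The log line format, the user names and the address ranges (RFC 5737 documentation addresses) are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter
from typing import List, Tuple

# Known-good source ranges for a hypothetical organisation. In practice these
# are the fixed egress addresses of branch offices and partner sites.
ALLOWED_SOURCES = [
    ipaddress.ip_network("203.0.113.0/24"),    # branch office egress range
    ipaddress.ip_network("198.51.100.42/32"),  # a single known remote site
]

# Hypothetical log format: "<timestamp> user=<name> src=<ip> result=<auth_ok|auth_fail>"
LOG_RE = re.compile(r"user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+result=(?P<result>\S+)")

# Constructed sample of what a remote-access VPN server might log (not real data).
SAMPLE_LOG = """\
2024-05-01T08:00:01Z user=alice src=203.0.113.7 result=auth_ok
2024-05-01T08:00:05Z user=bob src=198.51.100.42 result=auth_ok
2024-05-01T08:01:10Z user=alice src=192.0.2.99 result=auth_ok
2024-05-01T08:02:00Z user=admin src=192.0.2.15 result=auth_fail
2024-05-01T08:02:01Z user=admin src=192.0.2.15 result=auth_fail
2024-05-01T08:02:02Z user=admin src=192.0.2.15 result=auth_fail
2024-05-01T08:02:03Z user=admin src=192.0.2.15 result=auth_fail
"""


def source_allowed(src: str, allowlist=ALLOWED_SOURCES) -> bool:
    """True only if src parses as an address inside one of the allowed networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False                     # unparseable source: fail closed
    return any(addr in net for net in allowlist)


def review_connections(log_text: str, allowlist=ALLOWED_SOURCES,
                       fail_threshold: int = 3) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (denied, suspected_guessing).

    denied: (user, src) pairs whose source lies outside the ACL, including
            successful logins, since a valid credential from an unknown
            address is exactly the stolen-credential case the ACL guards against.
    suspected_guessing: sources with at least fail_threshold auth failures.
    """
    denied: List[Tuple[str, str]] = []
    failures: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue                     # ignore lines that are not connection records
        user, src, result = m.group("user", "src", "result")
        if not source_allowed(src, allowlist):
            denied.append((user, src))
        if result == "auth_fail":
            failures[src] += 1
    guessing = sorted(s for s, n in failures.items() if n >= fail_threshold)
    return denied, guessing


if __name__ == "__main__":
    denied, guessing = review_connections(SAMPLE_LOG)
    for user, src in denied:
        print(f"outside ACL: user={user} src={src}")
    for src in guessing:
        print(f"repeated auth failures from {src}")
```

Note the third sample line: alice authenticates successfully from 192.0.2.99, which is outside the allow list. A password-only VPN would accept that session; with the ACL it is refused and with MFA the stolen password alone would not have sufficed. The caveat is that an IP-based ACL only works for users whose traffic leaves from a fixed, known address; home users on dynamic addresses, or users running a commodity VPN on their workstation, will appear from addresses you cannot enumerate, which is one more reason the article recommends a single sanctioned VPN client rather than ad-hoc ones.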
Whichever VPN solution is right for you, Covalence and the Field Effect team will be there with full spectrum monitoring for every part of your network—including cloud components.