VPNs (Virtual Private Networks) are one of the most important tools for providing employees and business partners with secure access to an internal company network.
Using encryption, a tap-proof tunnel is created for data from the client to the corporate network. This allows users to take advantage of internal services that are normally only available to on-site users. These can be, for example, an intranet, printers, sensitive document storage or predominantly other locally restricted and internal systems.
These VPNs are typically implemented in the corporate network via dedicated servers or, for example, as an additional function on existing firewalls. These gateways must be accessible via the internet and usually globally as well. Therefore, the access points to protected network areas are popular potential targets for attackers. Since vulnerabilities in software, implementations or during operation occur repeatedly, it is crucial to consider some steps for secure handling.
Selection and operation of secure VPN solutions
In order to improve the security level of these essential services, a best practice paper has been compiled by the US Cyber Security Agency to support the planning and administration for the secure implementation of VPNs. [1]
- Choose a well-known, proven and standardised solution
With well-known and widely used manufacturers whose products are thoroughly documented and tested, the risk of hidden security vulnerabilities is significantly lower. Since a VPN service is often accessible worldwide via the Internet, the solution should follow comprehensible, up-to-date security standards and it should undergo regular updates for the system and clients. Special details, such as the optimised range of functions, the exclusive use of signed software and a secure boot process against unauthorised changes, distinguish these systems from “do-it-yourself” projects. - Secure your system already during planning and installation.
Unnecessary functions should be avoided or, if possible, deactivated. Accessibility should only include intended systems, only necessary connections should be allowed. All optional additional functions or fall-back variants (such as reverting to a weaker encryption) should be deactivated. Administration access is only recommended internally in order to minimise possible remote access vulnerabilities in advance. - Secure, kept up-to-date configuration and operation
Always use up-to-date encryption and strong authentication for all users and endpoints. Set up the VPN securely according to recommended best practices and use only current, robust methods without support for outdated algorithms. Optimally, not only the user but also the end device is uniquely authorised, e.g. with device certificates. Different user roles only allow access to the internal systems that are needed for the respective task. - Pay attention to manufacturer information and keep systems up to date Install software updates as quickly as possible. It makes sense to run the VPN functions via a dedicated gateway in order to be able to update this service as quickly and flexibly as possible without affecting other systems.
- Supervision, monitoring and logging
Monitoring of the service and logging all accesses and incidents externally is crucial. By evaluating activities, accesses as well as frequencies and intervals of user authentication, a target status can be determined. Thus, it is possible to detect deviations better and in time. Monitoring should be done continuously and with the support of other external systems, which can be regularly monitored for anomalies.
Bonus tip: Do not use “free” VPN services
Even if VPN services are often advertised as “add-on security” for open WLAN networks or other use cases: Be critical of cheap or free VPN solutions. If you pay nothing for the services, you are all too often the product yourself.
In the best case, “only” usage data is sold or more advertisements are shown. In unfavourable cases, the VPN software may be contaminated with malware and can open your system to vulnerabilities. [2]
Conclusion: Although more and more cloud services are being used, VPN remains immensely important for not only home offices and employee access to existing internal resources. VPN solutions offer an essential and often underestimated access to internal resources of one’s own network, which still represents a central security aspect. A secure and robust implementation, but also a sustainably secure operation, must not be forgotten under any circumstances!
Sources: