New VPN? Your Work Has Just Begun
Most organizations have learned that restricting file and print sharing services from the Internet is necessary. Other services are insecure and repeatedly vulnerable too: Windows file sharing is just an example.
But immediately after blocking these ports from passing into a network, the complaints start to roll in, "I cannot work from home" being common, and quite difficult to deal with. Many sites fire up a VPN server and call it good. In this article, we'll discuss some important considerations that should be explored when implementing VPN services for users.
Know Your Liabilities
First and foremost, attention needs to be paid to what has just been allowed by creating a VPN server. Most people know how VPNs work, but not everyone takes into account the security ramifications. A VPN's primary purpose is to bypass filtering or a firewall. Ergo, you have just said "I trust this home user and his/her computer enough that I don't mind having them on our internal network." Some people deal with this by implementing security policies on the VPN server or device, normally in the form of limiting what internal computers can be accessed over the VPN. Some, however, do nothing.
Before allowing users to connect to the VPN server, whether it implements firewalling/filtering rules or not, most organizations will want to require the user's home computer be made a bit more secure. Normally, this is as simple as requiring up-to-date antivirus software and a good VPN password. These two simple policies can drastically reduce headaches by themselves. Some solutions exist that require VPN client software be installed on the remote user's computer. Installing client software has some benefits – mostly because the software can check for malicious software and insecure configurations before allowing the client to connect.
Panda Software recently released VPNSecure, which includes a rather intelligent VPN client. It can check to make sure antivirus software is up to date, verify firewall functionality, and disable split tunneling. All of these features combined lead to ensuring a fairly secure VPN environment. For sites with smaller budgets, software like this may not be a viable option. The last resort is user training and implementing a strict policy.
Don't Do Splits
"Split tunneling" refers to the act of configuring the client to only use the VPN for things on the remote network. This is a simple checkbox "use gateway on remote server" in the built-in Windows VPN client. If checked, then all Internet-bound traffic a user sends will go through the VPN and be subject to the site's firewall policies. If the VPN is "split," then the traffic from a home user's computer destined to random websites will use their home Internet connection. If this person turns on IP routing, then people from the Internet would be able to access your internal network. In reality this probably won't happen, but if the user's computer is infected with a virus, trojan or some other malware, many different things could happen.
Today's viruses and malware oftentimes install IRC bots that allow a hacker to remotely control a computer. They can command it to infect other computers on the same network, attack remote sites, and partake in many other nefarious activities. If a user is infected with one of these, chances are good that the computer will start scanning and trying to infect your internal network as soon as it connects to the VPN. If split tunneling is allowed, the hacker can connect to the infected computer from the Internet, and have full unfettered access to your internal network. Disallowing split tunneling isn't possible from the server's point of view; it is the client's option to specify where traffic goes. Basically, if you aren't requiring a user install and use a proprietary VPN client, you cannot control this; aside from making it policy.
On the subject of policy, we mentioned previously that antivirus software being kept up to date is paramount to maintaining internal network security. Again, this is just another policy to be made and enforced. Tools exist, like Panda Software's VPNSecure, which help guarantee this policy is being followed.
Secure Passwords, Secure Policies
Secure passwords are important as well, since a compromised VPN password means that someone has a free ride into your internal network. All the fancy firewall devices and Cisco access lists in the world mean absolutely nothing when someone can simply connect to the VPN and gain full access. User passwords should never be shared or written down. Passwords should also be of sufficient complexity to avoid the possibility of someone guessing them. This normally means they should: be longer than 8 characters, contain capital and lower case letters, and contain at least one numeric character.
As implied before, the subject of policy enforcement does not have an easy answer. Panda Software has a great product, and these excellent features should start showing up in other vendor's VPN clients soon. In the absence of fancy software, certain policies are recommended to ensure safe VPN usage. These include:
If possible, administratively control the computers that VPN-connected clients can access remotely (via access lists on the VPN server).
Require that split tunneling not be used. Thankfully, the default configuration of the VPN client in Windows will send all traffic through the VPN.
Require antivirus software be kept up to date.
Require strong passwords.
Opening a giant hole into your site's internal network is never safe, but by taking a few precautions the risks can be lessened, somewhat.