Operating a corporate VPN solution can be expensive, and sometimes feels like navigating a minefield. With high stakes and a confusing sea of available solutions, mistakes are frequent and costly. Your VPN is a critical layer of defense in your corporate network, and an intrusion can have serious consequences. Take the Target and Home Depot breaches for example: in 2014, these companies lost an estimated 120 million payment records due to mismanaging third-party access to their VPN.
A company VPN is indispensable for increasing employee productivity when working from home, or for allowing third parties access to company assets for various reasons. However, you need to take a closer look at what makes a VPN secure and what the common pitfalls are so you can avoid them.
When talking about VPN security, you may often associate it with transport security, i.e. making sure no one can intercept or manipulate your communication with the company network. In today's age of modern cryptography, however, this is a non-issue with most VPN solutions. Once a session is established, man-in-the-middle attacks are hard, if not impossible, to execute on modern VPN software backed by IPsec or TLS-based protocols. The main risk factors are authentication and operational issues.
Making sure that no unauthorized entity accesses your company network is the core job of a VPN. As we have discussed on this blog, multi-factor authentication is the foundation of a secure system today. By using more than one authentication mechanism you can render stolen or weak passwords rather harmless. If you use a VPN without any kind of multi-factor system, you will be prone to many different attacks. Also be aware that username/password credentials can be used by anyone who has them, not just the person they were issued to. This was the case in the Target and Home Depot breaches: a third party was given simple credentials, which they shared within their teams; this increased exposure drastically and eventually led to a catastrophic failure.
If you’re worried about how multi-factor authentication will affect usability and productivity, there are many solutions that address this problem. Check out Okta’s Adaptive Multi-factor authentication, or, if you want to peek into the future of simple and seamless multi-factor auth, go read about continuous authentication.
Operational Security for Your VPN
Saying a VPN is secure is a pitfall in itself. A VPN not only needs to be set up securely, it also requires continuous effort to stay secure. There is no 'fire and forget' solution. The most important example of this is access management, i.e. making sure that the list of users with VPN access is up to date and no stale accounts are left behind to be captured. In 2014, a paper-making company fired one of its system administrators but forgot to remove his VPN access. He came back through the VPN tunnel and caused $1M in damages.
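The stale-account problem above is easiest to catch with a routine reconciliation of the VPN user list against the HR system of record. The following is an added example, not code from the original post or from any VPN vendor; the roster, account export, status values and 90-day idle threshold are all constructed assumptions, and in practice both inputs would come from an HR export and the VPN appliance's user list.

```python
# Added example (not from the original post): reconcile a VPN user list against an
# HR roster to find accounts that should be disabled. All data below is constructed.
from datetime import datetime, timedelta

# Constructed HR roster: username -> employment status as recorded by HR.
HR_ROSTER = {
    "alice": "active",
    "bob": "terminated",          # offboarded, VPN access never revoked
    "carol": "active",
    "vendor-acme": "contract-ended",
}

# Constructed VPN account export: username -> (account enabled?, last successful login).
VPN_ACCOUNTS = {
    "alice": (True, datetime(2024, 5, 1)),
    "bob": (True, datetime(2024, 3, 15)),
    "carol": (True, datetime(2023, 9, 2)),
    "vendor-acme": (True, datetime(2024, 4, 28)),
    "svc-backup": (True, datetime(2023, 1, 10)),   # nobody in HR owns this account
}

def find_stale_accounts(hr_roster, vpn_accounts, now, max_idle_days=90):
    """Return {username: reason} for every enabled VPN account that should be disabled.

    Checks, in order: no owner in HR, owner no longer active, then account idle
    longer than max_idle_days (a constructed threshold).
    """
    findings = {}
    for user, (enabled, last_login) in vpn_accounts.items():
        if not enabled:
            continue  # already disabled, nothing to do
        status = hr_roster.get(user)
        if status is None:
            findings[user] = "no matching HR record"
        elif status != "active":
            findings[user] = f"HR status is '{status}'"
        elif now - last_login > timedelta(days=max_idle_days):
            findings[user] = f"no login in {(now - last_login).days} days"
    return findings

if __name__ == "__main__":
    review_date = datetime(2024, 5, 10)   # constructed review date
    for user, reason in sorted(find_stale_accounts(HR_ROSTER, VPN_ACCOUNTS, review_date).items()):
        print(f"DISABLE {user}: {reason}")
```

Running the reconciliation on a schedule (and on every HR termination event) turns the "forgot to remove his VPN access" failure into a ticket instead of an incident; accounts with no HR owner, such as the constructed `svc-backup`, deserve the same scrutiny as departed employees.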
Another effective measure to mitigate third-party abuse is access policies. This goes back to the concept of least privilege: make sure everyone gets access only to the parts of the system they need to do their job. Additionally, it is important to think through which applications can be accessed over a VPN connection. While messaging tools such as email can be accessed over a VPN connection, applications containing sensitive data should be restricted.
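One way to express the least-privilege policy described above is a deny-by-default table mapping groups to the destination networks and ports they may reach. The block below is an added example, not code from the original post or from any VPN product; the group names, networks, ports and memberships are constructed, and a real deployment would push an equivalent policy to the VPN gateway or firewall rather than evaluate it in Python.

```python
# Added example (not from the original post): a deny-by-default, group-based access
# policy for VPN clients. Groups, networks, ports and memberships are constructed.
import ipaddress

# Constructed policy: group -> list of (destination network, allowed TCP ports).
# Anything not listed here is denied.
POLICY = {
    "employees":   [("10.10.0.0/24", {443, 993})],   # mail and collaboration hosts only
    "engineering": [("10.20.0.0/24", {22, 443})],    # build servers and git
    "finance":     [("10.30.0.0/24", {443})],        # ERP front end over HTTPS only
    "vendor-hvac": [("10.40.5.0/28", {443})],        # a single building-control appliance
}

# Constructed group membership: user -> set of groups.
USER_GROUPS = {
    "alice":       {"employees", "engineering"},
    "bob":         {"employees", "finance"},
    "vendor-acme": {"vendor-hvac"},
}

def matching_rule(user, dst_ip, dst_port, policy=POLICY, user_groups=USER_GROUPS):
    """Return (group, network) of the first rule permitting the connection, or None."""
    addr = ipaddress.ip_address(dst_ip)
    for group in sorted(user_groups.get(user, ())):
        for net, ports in policy.get(group, ()):
            if addr in ipaddress.ip_network(net) and dst_port in ports:
                return (group, net)
    return None  # deny by default: unknown users, unlisted networks, unlisted ports

def is_allowed(user, dst_ip, dst_port, **kw):
    return matching_rule(user, dst_ip, dst_port, **kw) is not None

def reachable_addresses(user, policy=POLICY, user_groups=USER_GROUPS):
    """Number of addresses covered by a user's rules (each rule counted once).
    A quick sanity check when reviewing whether a group really needs that much."""
    return sum(
        ipaddress.ip_network(net).num_addresses
        for group in user_groups.get(user, ())
        for net, _ in policy.get(group, ())
    )

if __name__ == "__main__":
    for user, ip, port in [("alice", "10.20.0.5", 22), ("vendor-acme", "10.30.0.10", 443)]:
        print(user, ip, port, "ALLOW" if is_allowed(user, ip, port) else "DENY")
    for user in USER_GROUPS:
        print(f"{user}: {reachable_addresses(user)} reachable addresses")
```

The constructed vendor group is the point of the exercise: the third party reaches one /28 on one port, so a leaked vendor credential cannot be used to browse the finance or engineering networks. Reviewing `reachable_addresses` per group is a cheap way to notice when a "temporary" broad rule has quietly become permanent.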
Even if you implement access policies and proper, up-to-date access management, there is still one more thing you should be doing: keep looking out for abnormal connections and unusual traffic! Many companies fail to recognize threats until it is too late. By watching proactively, you have the chance to mitigate the impact of an attack. Unfortunately, there’s currently no silver bullet when it comes to intrusion detection. There are, however, promising solutions involving machine learning, which may give you the edge you need when facing an attack.
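Even without machine learning, a few heuristics over the VPN's authentication log catch the patterns this post describes: one account logging in from several source addresses in quick succession (the shared third-party credential), logins at unusual hours, and a burst of failures followed by a success. The block below is an added example, not code from the original post or from any VPN vendor; the log line format, the business-hours window (07:00 to 20:00 UTC), the thresholds and every sample line are constructed assumptions, so a real deployment would swap in the parser for its own appliance's log format.

```python
# Added example (not from the original post): simple heuristic checks over VPN
# authentication logs. Log format, thresholds and all sample lines are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log lines (RFC 5737 documentation addresses), one authentication event each.
LOG_LINES = [
    "2024-05-10T02:41:13Z user=carol src=192.0.2.44 result=success",
    "2024-05-10T09:02:11Z user=alice src=198.51.100.7 result=success",
    "2024-05-10T09:05:40Z user=vendor-acme src=203.0.113.5 result=success",
    "2024-05-10T09:07:02Z user=vendor-acme src=203.0.113.18 result=success",
    "2024-05-10T09:09:55Z user=vendor-acme src=198.51.100.200 result=success",
    "2024-05-10T11:20:01Z user=bob src=192.0.2.9 result=failure",
    "2024-05-10T11:20:05Z user=bob src=192.0.2.9 result=failure",
    "2024-05-10T11:20:09Z user=bob src=192.0.2.9 result=failure",
    "2024-05-10T11:20:14Z user=bob src=192.0.2.9 result=failure",
    "2024-05-10T11:20:19Z user=bob src=192.0.2.9 result=failure",
    "2024-05-10T11:20:31Z user=bob src=192.0.2.9 result=success",
    "2024-05-10T14:30:00Z user=alice src=198.51.100.7 result=success",
]

# Constructed line format: "<ISO timestamp>Z user=<name> src=<ip> result=success|failure"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)

def parse_events(lines):
    """Parse well-formed lines into dicts sorted by time; skip anything unparseable."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]})
    return sorted(events, key=lambda e: e["ts"])

def shared_credential_alerts(events, window=timedelta(minutes=10), min_sources=3):
    """One account succeeding from >= min_sources distinct IPs within `window`:
    the footprint of a credential handed around a team."""
    per_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            per_user[e["user"]].append(e)
    alerts = []
    for user, evs in per_user.items():
        for i, cur in enumerate(evs):
            srcs = {x["src"] for x in evs[: i + 1] if cur["ts"] - x["ts"] <= window}
            if len(srcs) >= min_sources:
                alerts.append({"user": user, "rule": "shared_credential", "detail": sorted(srcs)})
                break  # one alert per account is enough
    return alerts

def off_hours_alerts(events, start_hour=7, end_hour=20):
    """Successful logins outside the assumed (constructed) UTC business window."""
    return [
        {"user": e["user"], "rule": "off_hours", "detail": e["ts"].isoformat()}
        for e in events
        if e["result"] == "success" and not (start_hour <= e["ts"].hour < end_hour)
    ]

def failures_then_success_alerts(events, max_failures=5, window=timedelta(minutes=10)):
    """A burst of failures and then a success from the same user and source."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["user"], e["src"])].append(e)
    alerts = []
    for (user, src), evs in by_key.items():
        for i, cur in enumerate(evs):
            if cur["result"] != "success":
                continue
            fails = sum(1 for x in evs[:i] if x["result"] == "failure" and cur["ts"] - x["ts"] <= window)
            if fails >= max_failures:
                alerts.append({"user": user, "rule": "failures_then_success",
                               "detail": f"{fails} failures from {src} before success"})
                break
    return alerts

def detect(lines):
    events = parse_events(lines)
    return shared_credential_alerts(events) + off_hours_alerts(events) + failures_then_success_alerts(events)

if __name__ == "__main__":
    for a in detect(LOG_LINES):
        print(f"[{a['rule']}] {a['user']}: {a['detail']}")
```

Each rule returns the evidence it fired on, so an analyst can confirm the finding from the log itself; thresholds such as three sources in ten minutes are a starting point to tune against the organization's own baseline, not universal constants.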
Secure VPN: A Checklist
Let's summarize what a state-of-the-art company VPN should look like:
Secure software based on proven standards like IPsec or TLS
Multi-factor authentication, the most effective measure; we can't stress the importance of MFA enough!
Strong access management that is kept up to date, with no stale credentials
Fine-grained access policies in which everyone has only the least privilege needed
Heuristic threat detection that continuously monitors for abnormalities
Smart access policies that leverage adaptive authentication and device trust
If your VPN solution fulfills these criteria, the risk of a VPN attack on your company will be reduced to a minimum and any impact mitigated. Okta can integrate with a variety of VPNs to enforce multi-factor authentication, including Palo Alto Networks and Cisco ASA, both via RADIUS.