With the advent of COVID-19, millions of employees around the world now work from home. In this new normal, organizations have expanded their Virtual Private Network (VPN) capacity to meet the high demand for remote working and connectivity. This development makes VPNs crucial as one of the entry points to office networks. A poorly implemented VPN could have far-reaching consequences, such as the introduction of malware into the network and unfettered access to corporate and confidential data.
A Virtual Private Network (VPN) allows individuals to access a private network (e.g. a corporate network) from a public or shared network through a secure tunnel. For instance, an employee could access data resources and applications hosted on the employer's server directly over the internet from the comfort of their home. Generally, VPNs provide a secure connection, encrypt data between the sender (client) and the receiver (server), enable a user to bypass web or location-based filters, and allow for anonymity while surfing the internet.
While VPNs are advantageous, they also have drawbacks. They add points of possible failure and are therefore less reliable; they can reduce connection speed, depending on the volume of data being transferred by users; and they do not provide absolute anonymity, since logs may be recorded. VPNs can also be expensive, with the cost increasing with the number of connections. They may also allow malware such as dialers, worms, keystroke loggers, Trojan horses and hacker tools to be transmitted into the private network.
Two common types of VPNs are Personal (or Home) VPNs and Corporate VPNs. Personal VPNs are very easy to install, and users do not require specialized technical expertise to use them. They allow users to bypass web or location-based filters, prevent Internet Service Providers (ISPs) from tracking personal online activity, and protect the privacy of individuals by not logging user activity (although there are exceptions depending on the VPN service provider). Corporate (or Business) VPNs, on the other hand, are meant specifically for business use and give employees secure, encrypted connections to a corporate network.
Unlike Personal VPNs, Corporate VPNs require specialized technical skills to set up and maintain; they can be used to restrict threats by whitelisting IP addresses and allowing only static IP addresses; and they allow for global administration such as user management and policy tuning. In this new era of remote working, most corporate organizations use Remote Access VPNs, which allow employees in remote locations to establish secure online connections. Remote Access VPN deployments typically include:
a. Administration tools, such as VPN dashboards and a security management server.
b. Certificate management or trust entities, such as an internal Certificate Authority.
c. Endpoints, such as security gateways and remote client devices.
Some important considerations when reviewing Corporate VPNs include:
1. Ensure that the latest vendor-recommended patches are applied to all edge/gateway appliances and to all other VPN infrastructure and products.
2. Confirm that the VPN infrastructure is configured in line with vendor recommendations and organization policy, and that the vendor is easily reachable for support issues.
3. Check that the organization's approved procedure is followed before VPN access is granted.
4. Ascertain that the list of devices with VPN software installed is reviewed periodically.
5. Ensure that only trusted terminals can access corporate resources via VPN, and that checks are done to confirm the endpoint's identity and security posture.
6. Ensure that VPN access is granted only after multi-factor authentication, such as a password combined with a randomly generated one-time password from a hardware token device.
7. Confirm that user activity during remote access is appropriately logged, and that all events on the VPN infrastructure are logged.
8. Check that the VPN infrastructure is monitored for system utilization, temperature and unauthorized activity.
9. Ensure that VPN users are trained on safe ways to use VPN access, in line with the organization's policy.
10. Review that the backend is configured so that users can connect to the VPN from only one device at a time, or only from a known MAC address.
11. Confirm that role-based restrictions on organizational resources are enforced when using VPN remote access.
12. Ascertain that all vendor default VPN accounts are disabled on all infrastructure before it is connected to the internet.
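Items 7, 8 and 10 above can be checked against the VPN's own logs. The following is an added example, not part of the original article: it parses a constructed set of VPN session log lines (the line format and the asset register of approved MAC addresses are assumptions) and flags two policy breaches, a user holding more than one session at a time and a connection from a device whose MAC address is not registered to that user.

```python
"""Check VPN session logs for the one-device-at-a-time and known-MAC review items."""
from datetime import datetime

# Constructed sample log lines in a hypothetical format:
# <ISO timestamp> <CONNECT|DISCONNECT> <user> <client MAC> <client source IP>
SAMPLE_LOG = """\
2020-06-01T08:00:00 CONNECT alice 00:11:22:33:44:55 198.51.100.10
2020-06-01T08:05:00 CONNECT bob 66:77:88:99:aa:bb 203.0.113.7
2020-06-01T08:10:00 CONNECT alice de:ad:be:ef:00:01 192.0.2.25
2020-06-01T09:00:00 DISCONNECT alice 00:11:22:33:44:55 198.51.100.10
2020-06-01T09:30:00 CONNECT carol 66:77:88:99:aa:bb 203.0.113.9
"""

# Hypothetical asset register: user -> MAC addresses of that user's approved devices.
KNOWN_MACS = {
    "alice": {"00:11:22:33:44:55"},
    "bob": {"66:77:88:99:aa:bb"},
    "carol": {"aa:bb:cc:dd:ee:ff"},
}


def parse_log(text):
    """Turn raw log text into (timestamp, event, user, mac, ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, mac, ip = line.split()
        events.append((datetime.fromisoformat(ts), event, user, mac.lower(), ip))
    return sorted(events, key=lambda e: e[0])


def find_violations(events, known_macs):
    """Return (timestamp, user, reason) for each breach of the two policies."""
    active = {}  # user -> set of MACs with a session currently open
    findings = []
    for ts, event, user, mac, ip in events:
        if event == "CONNECT":
            if mac not in known_macs.get(user, set()):
                findings.append((ts, user, f"unknown device {mac} from {ip}"))
            if active.get(user):
                others = sorted(active[user])
                findings.append((ts, user, f"concurrent session; already connected from {others}"))
            active.setdefault(user, set()).add(mac)
        elif event == "DISCONNECT":
            active.get(user, set()).discard(mac)
    return findings


if __name__ == "__main__":
    for ts, user, reason in find_violations(parse_log(SAMPLE_LOG), KNOWN_MACS):
        print(f"{ts.isoformat()} {user}: {reason}")
```

In a real review the same logic would be run over exported session logs from the VPN gateway, with the MAC register taken from the organization's device inventory.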