Ten tips for securing a client VPN

Martin Heller gives advice on making such networks safe

1. Use the strongest possible authentication method for VPN access. Exactly what this is will depend on your network infrastructure, and you should check your VPN or operating system documentation to determine your options.

For example, on a network with Microsoft servers the most secure authentication is provided by Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), used with smart cards. These require a public key infrastructure (PKI) and incur the overhead of encoding and distributing smart cards securely. On these networks Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAP v2) and Extensible Authentication Protocol (EAP) provide the next-best authentication security.

2. Use the strongest possible encryption method for VPN access. On a network with Microsoft servers, this is Layer Two Tunnelling Protocol (L2TP) over Internet Protocol security (IPsec). Point-to-Point Tunnelling Protocol (PPTP) is too weak to be allowed, unless your client passwords are guaranteed to be strong. OpenVPN, a Secure Sockets Layer (SSL) VPN, can be run with TLS-based session authentication, Blowfish or AES-256 encryption, and SHA1 authentication of tunnel data.

3. Limit VPN access to those with a valid business reason, and only when necessary. A VPN connection is a door to your LAN, so should only be open when it needs to be. Remote employees should be discouraged from connecting to the VPN all day to check email. Remote employees and contractors should also be discouraged from connecting to the VPN to download commonly needed files.

4. Provide access to selected files through intranets or extranets rather than VPNs. An HTTPS (HTTP Secure) website with safe password authentication (not basic authentication) exposes only selected files on a single server, not your whole network, and scales better than a VPN.

5. Enable email access without requiring VPN access. On Microsoft Exchange servers set up an Exchange proxy server to allow Outlook to access Exchange via remote procedure call (RPC) protocol over HTTP, protected by SSL encryption.

On other mail servers, enable Post Office Protocol 3 (POP3) and/or Internet Message Access Protocol (IMAP) mail receipt and Simple Mail Transfer Protocol (SMTP) mail sending. Require secure password authentication (SPA) and SSL encryption to improve the security of these mail systems. Secure web mail is another good option for remote employees, especially when they are travelling and need to use other people’s computers.

6. Implement and enforce a strong password policy. In the absence of two-factor authentication, using smart cards or biometrics, your network is only as secure as the weakest password in use.

Passwords should be unguessable, even by family members, and long enough, with a large enough character-set, to be prohibitively difficult for a password-guessing programme to find.
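The "long enough, with a large enough character-set" requirement can be turned into a measurable check. The following is an added example, not code from the article: it estimates the brute-force search space a guessing programme faces, converts it to an exhaustion time at an assumed guess rate, and rejects passwords built on common words, which raw entropy would overrate. The thresholds, guess rate and word list are assumptions constructed for the example.

```python
import math
import string

# Policy values assumed for this example; the article sets no specific numbers.
MIN_LENGTH = 12
MIN_ENTROPY_BITS = 60
GUESSES_PER_SECOND = 1e10      # assumed offline guessing rate of a well-equipped attacker
# Constructed stand-in for a real list of common passwords (a real one has millions of entries).
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome"}

CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]

def charset_size(password):
    """Size of the character set a guessing programme must cover for this password."""
    used = set(password)
    size = sum(len(c) for c in CLASSES if used & set(c))
    # Characters outside the four classes (accented letters, etc.) widen the set further.
    return size + len(used - set("".join(CLASSES)))

def entropy_bits(password):
    """Brute-force entropy: every position drawn from the covered character set."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0

def years_to_exhaust(password, rate=GUESSES_PER_SECOND):
    """Years to try every candidate in the space at the assumed guess rate."""
    return 2 ** entropy_bits(password) / rate / (365 * 24 * 3600)

def check_policy(password):
    """Return (accepted, reason). Entropy alone overrates dictionary words, hence the word check."""
    lowered = password.lower()
    if any(word in lowered for word in COMMON_WORDS):
        return False, "contains a common password word"
    if len(password) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    bits = entropy_bits(password)
    if bits < MIN_ENTROPY_BITS:
        return False, "only %.0f bits of entropy" % bits
    return True, "%.0f bits, about %.2g years to exhaust" % (bits, years_to_exhaust(password))
```

The entropy figure is a worst case for the attacker; a pass here still does not excuse a password a family member could guess, which is why the word list matters.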

7. Provide strong antivirus, antispam and personal firewall protection to your remote users, and require that they use it. Every computer fully connected to the VPN can spread infection through the network, potentially bringing company business to a halt.

8. Quarantine users from the time they connect to the VPN until their computer has been verified as safe. When a client computer starts a VPN session it should not have full access to the network until it has been checked for compliance with network policies. This should include checking for current antivirus and antispam signatures, an operating system fully patched against critical security flaws and no active remote-control software, key loggers or trojans.

The downside of doing a thorough scan at login is that it can delay the user from doing useful work for several minutes. You can improve the experience for frequent VPN users by having the server remember each client computer’s scan history.
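The quarantine logic of point 8, with the scan-history shortcut from the paragraph above, as an added example that is not from the article or any particular VPN product: cheap checks (signature age, missing patches, forbidden software) run on every connection, while the slow full scan runs only when no recent clean scan vouches for that client. Thresholds, process names and sample reports are constructed assumptions.

```python
from dataclasses import dataclass

# Policy thresholds assumed for this example; the article gives no numbers.
MAX_SIGNATURE_AGE_DAYS = 3
RESCAN_INTERVAL_HOURS = 24     # how long a clean full scan keeps vouching for a client
# Placeholder names standing in for the remote-control tools and key loggers the policy bans.
FORBIDDEN_PROCESSES = {"example-remote-control.exe", "example-keylogger.exe"}

@dataclass
class PostureReport:
    client_id: str
    signature_age_days: int        # age of installed antivirus/antispam signatures
    missing_critical_patches: int
    running_processes: list

def quick_checks(report):
    """Cheap checks run on every connection; returns reasons to stay in quarantine."""
    reasons = []
    if report.signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        reasons.append("signatures older than %d days" % MAX_SIGNATURE_AGE_DAYS)
    if report.missing_critical_patches > 0:
        reasons.append("%d critical patches missing" % report.missing_critical_patches)
    bad = sorted(p for p in report.running_processes if p.lower() in FORBIDDEN_PROCESSES)
    if bad:
        reasons.append("forbidden software running: " + ", ".join(bad))
    return reasons

class QuarantineGateway:
    def __init__(self, full_scan):
        self.full_scan = full_scan   # slow scan callback: report -> list of findings
        self.last_clean = {}         # client_id -> hour of last clean full scan
        self.full_scans_run = 0

    def admit(self, report, now_hours):
        """Returns (admitted, reasons). The full scan runs only if no recent clean scan exists."""
        reasons = quick_checks(report)
        last = self.last_clean.get(report.client_id)
        if not reasons and (last is None or now_hours - last > RESCAN_INTERVAL_HOURS):
            self.full_scans_run += 1
            reasons = self.full_scan(report)
            if not reasons:
                self.last_clean[report.client_id] = now_hours
        if reasons:                    # any failure revokes the remembered clean state
            self.last_clean.pop(report.client_id, None)
        return not reasons, reasons

CLEAN = PostureReport("laptop-01", 1, 0, ["outlook.exe"])               # constructed sample
STALE = PostureReport("laptop-02", 10, 2, ["example-keylogger.exe"])    # constructed sample

def no_findings(report):
    return []     # stand-in for the expensive malware scan; reports nothing in this example
```

A client that passed yesterday skips the full scan today, but a single failed quick check drops it back into quarantine and clears its history.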

9. Forbid the use of other VPNs and remote-control software while connected to your VPN. The last thing you need is for your network to be exposed to other networks. Most VPN software, by default, sets the client's routing to send all traffic through your network's default gateway once connected, but this is usually a configurable option.

Very remote employees may find that work-related internet browsing becomes prohibitively slow if all their traffic is routed through the network and they will want to turn this option off.

A personal firewall and a client for your proxy firewall can give employees safe remote network access without slowing down their internet connection. You can also establish a clear written policy about what constitutes acceptable internet usage while connected to the VPN.

10. Secure remote wireless networks. Employees working from home often use laptops connected to a cable or DSL modem through their own wireless access point.

Unfortunately, many wireless routers are never configured for security; they are merely connected and turned on. Teach employees how to configure their wireless routers and computers for WPA with a pre-shared key, how to configure their personal firewalls, and why it is important to keep their home networks secure.
