Virtual Private Networking

Virtual private networking has been a hot topic for many years now. The ability to have remote employees and home offices connect to a central network via the Internet provides a great cost benefit for an organization. VPN technology has evolved greatly over the past few years, making it easier and less expensive to integrate into the average organization.

The Potential of VPN

Without a doubt, VPN technology has had an incredible impact in the way business is performed today. Through the use of VPNs, many organizations have created encrypted webs, connecting employees, partners, and vendors from around the world. The average VPN product will accomplish this through the following security mechanisms:

  • Information privacy: Information privacy is accomplished by encrypting information as it passes between connected entities. Using whatever encryption algorithms are available in the VPN product, the content of communications is hidden from anyone listening between VPN end-points.

  • Remote and local authentication: When establishing a VPN tunnel, both parties to the connection can authenticate to each other. This means that an organization can demand credentials of the client connecting to it, and provide credentials when the client requests them.

  • Information integrity: Through the use of various encryption techniques, it is possible to verify the authenticity of information being communicated. This means that the VPN will be able to determine if information has been added, deleted, or modified during the communication process.

The Reality of VPN

The theories and mechanisms behind VPN technology are a great addition to the privacy and protection of communications. Like most things, however, the problem with VPN technology is not in its theories or mechanisms, but in its execution by vendors, administrators, and end-users.

VPNs provide encrypted communications, not secure access points! This is an extremely important difference that organizations implementing VPN technologies should understand. While a VPN session is intended to protect communications from malicious hackers wishing to steal or modify the information, a VPN session does not protect either party in the communications from malicious actions performed by each other. A client infected with a worm, for example, will transmit the worm into the local network just as if it was directly attached; only now, the worm is encrypted while in transit. Also, VPNs only protect data as it is transferred between VPN end-points. This does not include protecting data while it is on the computer itself, or in transit through networks behind the VPN device. A hacker will not need to intercept the data at all if he or she has access to either of the systems sending or receiving the data.

Trusting the Remote Client

There is a high security exposure that comes when an organization treats its VPN as a secure access point. VPNs do not ensure either party's safety during the communication process, and the most common mistake when implementing a VPN is to extend levels of trust to areas where they should not be extended.

A common use for a VPN implementation is to allow an employee to connect to an organization from remote locations, such as his or her home or a hotel. VPN technologies are great at making remote laptops and home PCs appear as if they were sitting right in the office. This, however, is not the case, and it is vital that we always remember it. A system in a remote location is very different from a system on the local network, and the two should be treated with different levels of trust. Recall the Rules of Trust and Separation. When we allow a remote client to connect directly to the internal network via a VPN, the internal network is now inheriting the security vulnerabilities of that remote client. This is horrible for our security when considering the following factors:

  • The remote client is not under constant protection by the perimeter security devices.

  • The remote client cannot be forced to conform to security policies the way a local system can.

  • The remote client is not subject to normal vulnerability scanning and auditing like the local system.

  • The remote client is much more likely to have unauthorized applications installed on it.

  • The remote client is much more likely to have a virus, Trojan horse, back door, or other malicious application installed on it.

  • The remote client is still connected to the Internet while connected to the local network, thus creating a bridge between the two.

  • The person using the remote client cannot be physically seen. Thus, this individual could be someone who stole a key, has access to a laptop, or is forcing the employee to operate the client against his or her will! There could even be a family member that uses the laptop when the employee is not home.

The Need for Additional Security

Just as we would never take a system off the Internet and stick it in the middle of our network, neither should we allow a remote system to attach directly to the internal network via a VPN. When a remote client connects to the network, the Rule of Least Privilege should immediately kick in. There is no reason to extend the same level of trust to a remote client as we extend to internal workstations. Therefore, we should provide some forms of security, including access filtering, logging, and monitoring.

Remote VPN clients should only be allowed to access that which is absolutely required and that which they can handle securely. Firewall rules that enforce this concept should be implemented.
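The following is an added example, not part of the original text, showing a default-deny filter for traffic from the VPN address pool that logs every decision, plus an audit that flags overly broad rules. The address ranges, ports and rule descriptions are constructed for illustration.

```python
# Added example: default-deny filter for traffic arriving from the VPN pool.
# All addresses, ports and names below are constructed for illustration.
import ipaddress

VPN_POOL = ipaddress.ip_network("10.8.0.0/24")   # assumed pool for remote clients

# Only what remote users absolutely require: (destination, protocol, port, purpose)
ALLOW = [
    (ipaddress.ip_network("10.1.20.10/32"), "tcp", 443, "intranet web"),
    (ipaddress.ip_network("10.1.20.25/32"), "tcp", 993, "mail (IMAPS)"),
]

def decide(src, dst, proto, port, log):
    """Return 'allow' or 'deny' for one flow and record the decision in log."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in VPN_POOL:
        verdict, why = "deny", "source outside VPN pool"
    else:
        verdict, why = "deny", "no matching rule (default deny)"
        for net, r_proto, r_port, purpose in ALLOW:
            if dst_ip in net and proto == r_proto and port == r_port:
                verdict, why = "allow", purpose
                break
    log.append(f"{verdict.upper()} {src} -> {dst} {proto}/{port} ({why})")
    return verdict

def audit(rules, max_hosts=8):
    """Flag rules that grant more than a remote client should need."""
    findings = []
    for net, proto, port, purpose in rules:
        if net.num_addresses > max_hosts:
            findings.append(f"{purpose}: {net} covers {net.num_addresses} addresses")
        if port is None or proto == "any":
            findings.append(f"{purpose}: not limited to a single protocol and port")
    return findings

if __name__ == "__main__":
    log = []
    decide("10.8.0.14", "10.1.20.10", "tcp", 443, log)   # required service
    decide("10.8.0.14", "10.1.30.5", "tcp", 445, log)    # file server not on the list
    print("\n".join(log))
    legacy = (ipaddress.ip_network("10.1.0.0/16"), "any", None, "legacy rule")
    print(audit(ALLOW + [legacy]))
```
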

VPN Products that Make a Bad Problem Much Worse

To make their products simpler to use and operate independently of external security mechanisms, many VPN vendors include some form of filtering and build logging mechanisms directly into their products. This is a very good feature as it supports the concept of security layering. Many vendors, however, advertise their products as complete solutions and show them functioning independently of the firewall, IDS, and other security products. Installation diagrams show VPN devices being attached in parallel to the firewall, running connections to both sides. This is not a good solution for most organizations. Just as we would not put access lists on a router to avoid buying a firewall, neither should we place security filters on a VPN device to have it bypass perimeter security. A VPN should always terminate outside the firewall. If the VPN device has filters, proxies, and other similar controls, they should be seen as an additional layer of security, not a substitute for perimeter controls.

To make the problem even worse, many firewalls come with integrated VPN options built in, without the ability to enforce any control on such access. The average firewall with built-in VPN capability is designed to make all security decisions at the instant when the communication touches the firewall's network card. Most firewalls do not bother to decrypt a VPN packet before making security decisions, and as such, do not allow for any filtering to be performed. This creates a gaping hole in the firewall and an inability to enforce the Rule of Least Privilege or good logging and monitoring practices.

Worse yet, terminating a VPN inside of a firewall means that transactions will go unmonitored by virus and content scanners. A firewall scanning file transfers for viruses will not be able to scan encrypted communications. Thus, an infected client could very likely infect the organization to which it is attaching.

VPN Client Features to be Avoided

Here are some other horrible VPN features that are important to avoid. Many VPN products allow control of these features during the installation process or at the remote client. Check for these "features" and be sure to disable them if possible:

  • Never allow the client system to store the user's password for quicker access.

  • Never allow the client system to change the level and form of encryption.

  • Never allow the client system to maintain local area and Internet connections while connected to the VPN.

Concerning Remote Control Software

The ultimate criminal with respect to remote access and the Rule of Least Privilege is remote control software, commonly used in conjunction with VPN devices. Applications like PCAnywhere allow for a remote party to access and completely control every aspect of a desktop or server as if the remote party was sitting at that desk. Oftentimes, when a company implements a VPN, they allow for such remote control to take place from the remote client. This type of access, however, makes all filtering and logging useless. When the communications port is opened to allow for remote control of a system, the external party with control now has full access to the object on the internal network. From this object, the remote entity can do anything he or she desires and there is no way for the firewall to filter or log what is taking place.

Securely Using VPNs

Now that I have covered the common security pitfalls of VPNs, let me say that VPNs can be great tools and can be reasonably secure when used properly and with the proper perspective. As always, no packaged solution will be completely secure in itself; they all require some consideration on our part.

Define a Realistic Level of Trust

Clients of a VPN should never be given the same level of trust as an internal device. There is no way that an external system can be secured to the degree that an internal system can be secured. Thus, a VPN client is not as trusted as an internal device, yet is more trusted than a common system on the Internet. Special privileges can be extended to VPN users, but they should be kept within realistic boundaries. Always consider the scenario where a hacker has gained access to the remote system, and then try to minimize the damage he or she can do.

Protect Remote Clients

All remote clients that are going to connect to the VPN should conform to some minimum level of security as dictated by a remote access policy. There are various restrictions we can put on our clients, depending on unique needs. Here are some suggestions:

  • Clients must have an approved and updated version of antivirus software installed.

  • Clients must use a designated VPN client: Many VPN products can now be accessed by multiple VPN clients via IPSec. Clients vary in their security features, so it is important to designate one or two specific clients that include the desired security controls.

  • Clients must terminate all other connections while connected to the VPN: Some VPN clients allow you to block all access to and from the client outside the VPN connection while in an active session. This can help somewhat in reducing the risk of a hacker using the client to bridge into the organization's network.

  • Clients must have been hardened according to the organization's desktop hardening procedure: In situations where the client can only connect from a company-owned laptop, the company can perform a hardening procedure on the laptop to secure it before allowing it remote access.

  • Clients must not have any unauthorized software installed: Again, for laptops owned by the organization, it is a good idea to restrict the software packages the end-user is allowed to install. This helps to avoid introducing vulnerabilities or malicious applications.
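The following is an added example, not part of the original text, that evaluates a client posture report against the requirements listed above and the client features to avoid from the earlier section. The report fields, the seven-day signature threshold and the product names are assumptions; any missing field is treated as a failure.

```python
# Added example: admission check against a remote access policy.
# Field names, thresholds and product names are assumed for illustration.
from datetime import date

POLICY = {
    "approved_clients": {"CorpVPN 5.3"},          # hypothetical designated client
    "max_av_signature_age_days": 7,               # assumed threshold
    "allowed_software": {"CorpVPN", "CorpAV", "OfficeSuite"},
}

def check_posture(report, today, policy=POLICY):
    """Return policy violations; a missing field counts as a failure."""
    v = []
    sig = report.get("av_signature_date")
    if not report.get("av_installed") or sig is None:
        v.append("no approved antivirus with a known signature date")
    elif (today - sig).days > policy["max_av_signature_age_days"]:
        v.append(f"antivirus signatures {(today - sig).days} days old")
    if report.get("vpn_client") not in policy["approved_clients"]:
        v.append("VPN client is not a designated one")
    if report.get("other_connections_allowed", True):
        v.append("local/Internet connections stay up during the session")
    if report.get("password_saved", True):
        v.append("client stores the user's password")
    if report.get("user_can_change_encryption", True):
        v.append("client can change the level or form of encryption")
    if not report.get("hardened"):
        v.append("desktop hardening procedure not applied")
    extra = set(report.get("installed_software", [])) - policy["allowed_software"]
    if extra:
        v.append("unauthorized software: " + ", ".join(sorted(extra)))
    return v

# Constructed sample reports, as a posture agent might submit them.
LAPTOP_OK = {
    "av_installed": True, "av_signature_date": date(2024, 5, 8),
    "vpn_client": "CorpVPN 5.3", "other_connections_allowed": False,
    "password_saved": False, "user_can_change_encryption": False,
    "hardened": True, "installed_software": ["CorpVPN", "CorpAV"],
}
HOME_PC = dict(LAPTOP_OK, av_signature_date=date(2024, 3, 1),
               other_connections_allowed=True,
               installed_software=["CorpVPN", "CorpAV", "P2PShare"])

if __name__ == "__main__":
    today = date(2024, 5, 10)
    print(check_posture(LAPTOP_OK, today))   # no violations: admit
    for violation in check_posture(HOME_PC, today):
        print("DENY:", violation)
```
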

Use VPNs Only When Required

It is difficult to secure anything that gets out of hand. When a VPN system is first put in place, everyone will want to have access. Once news of a new VPN system gets out, people are quick to put their names in to gain access for themselves and their entire departments. From my experience, the majority of people that desire access in the beginning end up never making use of it. This causes problems, since the more accounts there are to maintain, the harder it will be to secure the VPN.

VPN accounts should be handed out sparingly on an individual and as-needed basis. Each user should be required to complete a VPN access request form, stating his or her individual need for VPN access, and including an approval signature from a manager. Gaining access to the VPN should not be extremely difficult, but it should be restrictive enough to reduce frivolous requests.

Create a VPN Agreement

A VPN agreement is a form that every user and entity should complete before obtaining access to the VPN. By signing the form, the end-user agrees to a series of rules for use, which will conform to the organization's security policy. Some specific rules that should be mentioned include:

  • Access is granted for the end-user only and cannot be given out to anyone else.

  • The user will never be asked for his or her password and is not allowed to reveal it to anyone. A user will never be allowed to copy his/her access key to another system.

  • The user's access will be limited strictly to business purposes.

  • All user actions while connected to the VPN may be monitored by the organization. This includes actions on the PC the user is connecting with.

  • The user agrees to only connect to the VPN using an authorized system.

  • The user agrees to maintain the system in accordance with the VPN security rules (like those mentioned above).

  • The user has read and agrees to the corporate security policy.



Inside the Security Mind: Making the Tough Decisions
ISBN: 0131118293
EAN: 2147483647
Year: 2006
Pages: 119
Authors: Kevin Day
