7.2 IP VPN Security

   

A VPN is a great way to extend a company's network, and to add increased functionality for network users. Many network administrators fail to realize that there are important security considerations associated with this extended network. A lot of control is lost by allowing a remote user access to the core of a corporate network, and there are steps that should be taken to ensure that remote users are not creating security holes in the process of accessing the network.

7.2.1 The Trouble with Passwords

The core of the troubles surrounding VPN access revolves around passwords. Passwords are an adequate form of authentication in a controlled network environment, where the necessary precautions have been taken to hinder the ability of outside intruders to gain access to the network, and to prevent unauthorized users from gaining network access. But passwords are problematic, at best, in the case of remote network access.

Why are passwords problematic? Passwords rely on the ability of a person to memorize them. So, they tend to either be easy to remember, or written down on a Post-It note attached to a laptop with a label like "Password to Access all the Juicy Corporate Secrets." Either way, it is relatively easy for an attacker, who has managed to access a remote user's system, to determine that user's password and use it to infiltrate the corporate network.

Passwords are also inherently breakable. An attacker with a password checker will eventually be able to crack a password. It may take a while, but because there are only a limited number of characters supported by most password systems, the password will eventually be discovered. Of course, the same can be said for all encryption schemes. An attacker with enough computer power and unlimited time will eventually be able to crack any encryption system in use today.

Consider that in March 2002, at the Financial Cryptography Conference, Nicko van Someren announced that he and his team had built software that was able to factor a 512-bit encryption key in less than six weeks using standard hardware.

In fact, it is estimated that using currently available hardware, someone could build a computer capable of factoring a 1,024-bit RSA or Diffie-Hellman encryption key in a few minutes. Granted, it would require in excess of $1 billion worth of computer hardware to perform this task, but $1 billion worth of computer hardware is not an inconceivable amount, especially for governments. Until recently, 1,024-bit encryption technology was considered unbreakable using current technology.

What do all of these encryption keys have to do with passwords? A password is really just a form of key encryption. Password protection is much weaker than some forms of encryption, but it is also much easier to manage, which is why it is deployed almost ubiquitously.

The other problem associated with passwords is that the longer they are in use, the easier it is to break them. This is true of any type of encryption technology; if it is used for an extended period of time, it is likely that someone will be able to decipher it. It is especially true when dealing with passwords, which is why many security experts recommend a password policy that requires users to change passwords every 15 to 30 days.

Passwords alone do not provide enough security for an IP VPN. A better solution is to require at least one other form of authentication in conjunction with the password authentication. This is known as two-factor authentication. For example, a company may require password authentication combined with a digital certificate. If both levels of authentication are not properly met, the NAS will refuse authentication.

Two-factor authentication greatly improves the security of a VPN, but it usually requires additional infrastructure be added to the network. Certificate authentication requires a certificate server be in place to match public and private keys. This will be discussed further in the encryptions section.

Smart cards are a form of authentication that is becoming more popular. Chances are a company already has some sort of badge system to allow employees access into and around corporate headquarters. These badges can also be used as a form of remote authentication. They are not very secure by themselves, but when combined with a password or a digital certificate, they provide an added layer of security.

Biometrics is another form of authentication. Devices are now available which will plug into a user's machine and allow a company to authenticate based on fingerprints or facial recognition technology.

NOTE

Like other forms of protection, biometric security has its own problems. Fingerprint protection is easy to thwart using items available in your local supermarket. Facial recognition technology is still in very early development, and most forms of facial recognition protection have a 50 percent failure rate.


There are even proprietary methods of authentication. RSA, for instance, has a product called SecurID; it is a hardware token, about the size of a small stopwatch. The token is time synched with an RSA server; based on this synchronization the token generates a new random number every 60 seconds. When a user logs onto the network he or she has to authenticate using a password as well as the number currently displayed on the SecurID token. If the numbers match, and the username and password match, the user is authenticated and allowed access.
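The SecurID algorithm itself is proprietary, so the following added example (not from the book or from RSA) uses the open time-based one-time password scheme from RFC 4226/6238 as a stand-in to show the server-side check described above: access is granted only when both the password and the code for the current 60-second step match. The names `token_code`, `hash_password`, `authenticate` and the sample account are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds per code, matching the 60-second interval described above

def token_code(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP/TOTP code (RFC 4226/6238, HMAC-SHA1) for one time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash so the server never stores the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def authenticate(user: dict, password: str, code: str, now: int, drift: int = 1) -> bool:
    """Grant access only if the password AND the current token code match."""
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    current = now // STEP
    # Accept adjacent time steps to tolerate clock drift between token and server.
    window = range(max(0, current - drift), current + drift + 1)
    code_ok = any(
        hmac.compare_digest(token_code(user["secret"], c).encode(), code.encode())
        for c in window
    )
    return pw_ok and code_ok

# Constructed sample account (secret is the RFC 4226 test key, not a real seed).
SALT = b"constructed-salt"
ALICE = {
    "salt": SALT,
    "pw_hash": hash_password("correct horse", SALT),
    "secret": b"12345678901234567890",
}

if __name__ == "__main__":
    now = 60  # constructed clock value; a server would use int(time.time())
    shown = token_code(ALICE["secret"], now // STEP)
    print("password + code:", authenticate(ALICE, "correct horse", shown, now))
    print("password only:  ", authenticate(ALICE, "correct horse", "000000", now))
    print("stale code:     ", authenticate(ALICE, "correct horse", shown, now + 5 * STEP))
```

A production verifier would also record the last accepted time step per user so that a code cannot be replayed inside the drift window.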

VPN authentication security is important, because if the wrong person gains access to a corporate network, the cost to that company could be in excess of millions of dollars. Simple password authentication is not going to be enough in the future. In fact, most security experts would argue that password authentication is not enough now. If your company is not using a two-factor form of authentication for VPN users, it is something you should seriously consider investigating.

7.2.2 Extending the Security Policy

If a corporate network is going to allow remote users to have access to the network, then the same security policies that apply to users on site must apply to remote users. If there are operating system standards for the company, these standards should be enforced for remote users; if corporate users must run updated virus scanning software, then remote users should as well.

There are myriad examples that can be used to illustrate this point, but the basic rule that should be followed is that any remote user has to follow the same security standards as a local user.

Some companies try to enforce this policy by assigning users laptops that can be used in the home or office. This solution satisfies the basic rule, as long as the purpose of the laptop is understood; in other words, it needs to be clearly explained that it is a corporate-owned machine, and just like any other network device on the corporate network, only approved software and configurations will be supported.

Assigning laptops to all employees who need remote access may not be an option. If that is the case, then guidelines for machines that access the network should be clearly communicated to all employees. Some companies go so far as to have the desktop support group examine machines before allowing the user to access the network remotely. Obviously, this type of control does not scale well, but again, a little preventive maintenance can go a long way toward protecting valuable corporate data.

Equipment security is only one aspect of a corporate security policy. In addition to equipment security the standards for other types of security should be followed as well:

  • Users should always log off the VPN when they are finished, or when away from the computer for even a short period of time

  • Passwords should never be shared

  • A corporate e-mail account should not be used for personal e-mail

Remote users should also not use the corporate network for Internet access while connected to it. There should be no need for this, as the user will already be connected to an ISP and tunneled connections can run simultaneously with nontunneled connections. A tunneled connection that finds its way to the Internet will no longer be tunneled and presents an additional security risk, so all traffic that comes in through a tunneled connection should be directed back through the tunnel to the user who originated the connection.

7.2.3 Logging VPN Connections

All connections that come in through the NAS should be logged, just as any remote connection should be. If there is a security problem, network administrators should be able to review the logs and determine from where the connection originated, and the time and date of the connection.

In addition to network logons, as much session information as possible should be logged. If there is a security incident, the more information available, the more likely network administrators will be to track down where the break-in occurred. More importantly, if proactive monitoring is being conducted on the network, any anomalies in the log file, such as a marketing person attempting to access the accounting database, can be spotted sooner, and the attacker may be stopped before a problem can occur. The ability to perform this type of logging is heavily dependent on the features supported by the individual NAS vendors, and the number of security staff.
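As an added illustration of this kind of proactive log review (not code from the book), the sketch below scans session records for access outside a user's department role, such as the marketing-to-accounting case above, and for a user connecting from a new origin. The log format, the `ALLOWED` policy, the user names and the addresses are all constructed for the example; real NAS logs differ by vendor.

```python
import re

# Hypothetical policy: internal resources each department may reach over the VPN.
ALLOWED = {
    "marketing": {"mail", "intranet", "marketing-share"},
    "accounting": {"mail", "intranet", "accounting-db"},
}

# Constructed log format: timestamp, NAS name, then key=value session fields.
LINE = re.compile(
    r"(?P<ts>\S+) (?P<nas>\S+) user=(?P<user>\S+) dept=(?P<dept>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)

# Constructed sample log lines (documentation-range addresses).
SAMPLE_LOG = """\
2002-03-11T09:02:11 nas1 user=jsmith dept=marketing src=203.0.113.7 dst=mail
2002-03-11T09:05:40 nas1 user=akhan dept=accounting src=198.51.100.20 dst=accounting-db
2002-03-12T02:14:07 nas1 user=jsmith dept=marketing src=203.0.113.7 dst=accounting-db
2002-03-12T03:30:55 nas1 user=akhan dept=accounting src=192.0.2.99 dst=intranet
corrupted entry
"""

def review(log_text: str, allowed: dict = ALLOWED) -> list:
    """Return (line number, finding kind, detail) for each anomaly in the log."""
    findings, first_src = [], {}
    for n, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            # Unparseable records are reported, never silently dropped.
            findings.append((n, "unparsed", line))
            continue
        e = m.groupdict()
        where = f'{e["ts"]} {e["user"]} ({e["dept"]}) from {e["src"]} -> {e["dst"]}'
        if e["dst"] not in allowed.get(e["dept"], set()):
            findings.append((n, "out-of-role", where))
        # Remember each user's first origin; a different one later is worth a look.
        if first_src.setdefault(e["user"], e["src"]) != e["src"]:
            findings.append((n, "new-source", where))
    return findings

if __name__ == "__main__":
    for n, kind, detail in review(SAMPLE_LOG):
        print(f"line {n}: {kind}: {detail}")
```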

   


The Practice of Network Security. Deployment Strategies for Production Environments
ISBN: 0130462233
EAN: 2147483647
Year: 2002
Pages: 131
Authors: Allan Liska
