Virtual private networking has been a hot topic for many years now. The ability to have remote employees and home offices connect to a central network via the Internet provides a great cost benefit for an organization. VPN technology has evolved greatly over the past few years, making it easier and less expensive to integrate into the average organization.

The Potential of VPN

Without a doubt, VPN technology has had an incredible impact on the way business is performed today. Through the use of VPNs, many organizations have created encrypted webs, connecting employees, partners, and vendors from around the world. The average VPN product will accomplish this through the following security mechanisms:
The Reality of VPN

The theories and mechanisms behind VPN technology are a great addition to the privacy and protection of communications. Like most things, however, the problem with VPN technology is not in its theories or mechanisms, but in its execution by vendors, administrators, and end-users. VPNs provide encrypted communications, not secure access points! This is an extremely important difference that organizations implementing VPN technologies should understand. While a VPN session is intended to protect communications from malicious hackers wishing to steal or modify the information, a VPN session does not protect either party in the communication from malicious actions performed by the other. A client infected with a worm, for example, will transmit the worm into the local network just as if it were directly attached; only now, the worm is encrypted while in transit. Also, VPNs only protect data as it is transferred between VPN end-points. This does not include protecting data while it is on the computer itself, or in transit through networks behind the VPN device. A hacker will not need to intercept the data at all if he or she has access to either of the systems sending or receiving the data.

Trusting the Remote Client

There is a high security exposure that comes when an organization treats its VPN as a secure access point. VPNs do not ensure either party's safety during the communication process, and the most common mistake when implementing a VPN is to extend levels of trust to areas where they should not be extended. A common use for a VPN implementation is to allow an employee to connect to an organization from remote locations, such as his or her home or a hotel. VPN technologies are great at making remote laptops and home PCs appear as if they were sitting right in the office. This, however, is not the case, and it is vital that we always remember it.
A system in a remote location is very different from a system on the local network, and the two should be treated with different levels of trust. Recall the Rules of Trust and Separation. When we allow a remote client to connect directly to the internal network via a VPN, the internal network is now inheriting the security vulnerabilities of that remote client. This is horrible for our security when considering the following factors:
The Need for Additional Security

Just as we would never take a system off the Internet and stick it in the middle of our network, neither should we allow a remote system to attach directly to the internal network via a VPN. When a remote client connects to the network, the Rule of Least Privilege should immediately kick in. There is no reason to extend the same level of trust to a remote client as we extend to internal workstations. Therefore, we should provide some forms of security, including access filtering, logging, and monitoring. Remote VPN clients should only be allowed to access that which is absolutely required and that which they can handle securely. Firewall rules that enforce this concept should be implemented.

VPN Products that Make a Bad Problem Much Worse

To make their products simpler to use and able to operate independently of external security mechanisms, many VPN vendors build some form of filtering and logging directly into their products. This is a very good feature, as it supports the concept of security layering. Many vendors, however, advertise their products as complete solutions and show them functioning independently of the firewall, IDS, and other security products. Installation diagrams show VPN devices being attached in parallel to the firewall, running connections to both sides. This is not a good solution for most organizations. Just as we would not put access lists on a router to avoid buying a firewall, neither should we place security filters on a VPN device to have it bypass perimeter security. A VPN should always terminate outside the firewall. If the VPN device has filters, proxies, and other similar controls, they should be seen as an additional layer of security, not a substitute for perimeter controls. To make the problem even worse, many firewalls come with integrated VPN options built in, without the ability to enforce any control on such access.
The average firewall with built-in VPN capability is designed to make all security decisions at the instant the communication touches the firewall's network card. Most firewalls do not bother to decrypt a VPN packet before making security decisions, and as such, do not allow any filtering to be performed. This creates a gaping hole in the firewall and an inability to enforce the Rule of Least Privilege or good logging and monitoring practices. Worse yet, terminating a VPN inside of a firewall means that transactions will go unmonitored by virus and content scanners. A firewall scanning file transfers for viruses will not be able to scan encrypted communications. Thus, an infected client could very likely infect the organization to which it is attaching.

VPN Client Features to be Avoided

Here are some other horrible VPN features that are important to avoid. Many VPN products allow control of these features during the installation process or at the remote client. Check for these "features" and be sure to disable them if possible:
Concerning Remote Control Software

The ultimate criminal with respect to remote access and the Rule of Least Privilege is remote control software, commonly used in conjunction with VPN devices. Applications like PCAnywhere allow a remote party to access and completely control every aspect of a desktop or server as if the remote party was sitting at that desk. Oftentimes, when a company implements a VPN, they allow such remote control to take place from the remote client. This type of access, however, makes all filtering and logging useless. When the communications port is opened to allow remote control of a system, the external party with control now has full access to the object on the internal network. From this object, the remote entity can do anything he or she desires, and there is no way for the firewall to filter or log what is taking place.

Securely Using VPNs

Now that I have covered the common security pitfalls of VPNs, let me say that VPNs can be great tools and can be reasonably secure when used properly and with the proper perspective. As always, no packaged solution will be completely secure in itself; they all require some consideration on our part.

Define a Realistic Level of Trust

Clients of a VPN should never be given the same level of trust as an internal device. There is no way that an external system can be secured to the degree that an internal system can be secured. Thus, a VPN client is not as trusted as an internal device, yet is more trusted than a common system on the Internet. Special privileges can be extended to VPN users, but they should be kept within realistic boundaries. Always consider the scenario where a hacker has gained access to the remote system, and then try to minimize the damage he or she can do.

Protect Remote Clients

All remote clients that are going to connect to the VPN should conform to some minimum level of security as dictated by a remote access policy.
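As an added example (not from the original text or any vendor), the following script renders an nftables ruleset that applies the filtering and logging described under "The Need for Additional Security" to decrypted VPN-client traffic, and blocks the remote-control ports discussed above. It assumes the VPN device terminates outside the firewall and hands cleartext traffic to the firewall on its own interface; the interface names, address pool, server addresses and permitted services are assumptions you would replace with your own.

```shell
#!/bin/sh
# Least-privilege nftables policy for a VPN-client segment (added example).
# All names and addresses below are assumptions, overridable via environment.
VPN_IF="${VPN_IF:-vpn0}"               # interface carrying decrypted VPN traffic
INT_IF="${INT_IF:-lan0}"               # internal network interface
VPN_POOL="${VPN_POOL:-10.200.0.0/24}"  # address pool handed out to VPN clients
INTRANET="${INTRANET:-10.10.1.80}"     # intranet web server (HTTPS)
MAIL="${MAIL:-10.10.1.25}"             # mail server (IMAPS)

# Print the ruleset. Every decision on VPN traffic is logged, and anything
# not explicitly permitted is dropped (policy drop on the forward hook).
render_vpn_ruleset() {
cat <<EOF
table inet vpn_filter {
    # Destination/port pairs VPN clients are explicitly allowed to reach
    set vpn_allowed {
        type ipv4_addr . inet_service
        elements = { $INTRANET . 443, $MAIL . 993 }
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Traffic from the VPN interface must carry a pool address
        iifname "$VPN_IF" ip saddr != $VPN_POOL log prefix "vpn-spoof " drop
        # Remote-control protocols (pcAnywhere 5631/5632, RDP, VNC) are never
        # allowed from VPN clients: they bypass all further filtering and logging
        iifname "$VPN_IF" tcp dport { 5631, 3389, 5900 } log prefix "vpn-remote-control " drop
        iifname "$VPN_IF" udp dport 5632 log prefix "vpn-remote-control " drop
        # Only the services in vpn_allowed, only toward the internal network
        iifname "$VPN_IF" oifname "$INT_IF" ip daddr . tcp dport @vpn_allowed log prefix "vpn-allow " accept
        # Everything else from VPN clients is logged and dropped
        iifname "$VPN_IF" log prefix "vpn-deny " drop
    }
}
EOF
}

# Count the rules that log, so a reviewer can confirm nothing is silent.
count_logged_rules() {
    render_vpn_ruleset | grep -c 'log prefix'
}

if [ "${1:-}" = "--write" ]; then
    render_vpn_ruleset > "${2:-vpn_filter.nft}"   # then: nft -c -f FILE; nft -f FILE
else
    render_vpn_ruleset
fi
```

Check the rendered file with `nft -c -f vpn_filter.nft` before loading it, and extend the `vpn_allowed` set only on a documented, per-service basis.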
There are various restrictions we can put on our clients, depending on unique needs. Here are some suggestions:
Use VPNs Only When Required

It is difficult to secure anything that gets out of hand. When a VPN system is first put in place, everyone will want to have access. Once news of a new VPN system gets out, people are quick to put their names in to gain access for themselves and their entire departments. From my experience, the majority of people that desire access in the beginning end up never making use of it. This causes problems, since the more accounts there are to maintain, the harder it will be to secure the VPN. VPN accounts should be handed out sparingly on an individual and as-needed basis. Each user should be required to complete a VPN access request form, stating his or her individual need for VPN access, and including an approval signature from a manager. Gaining access to the VPN should not be extremely difficult, but it should be restrictive enough to reduce frivolous requests.

Create a VPN Agreement

A VPN agreement is a form that every user and entity should complete before obtaining access to the VPN. By signing the form, the end-user agrees to a series of rules for use, which will conform to the organization's security policy. Some specific rules that should be mentioned include: