10 August 2020
In this blog we will be addressing the long-standing requirements and considerations for the use of Virtual Private Networks (VPN). We will focus on traditional VPN use for end-user access to corporate networks, rather than VPN mesh, VPN to cloud platforms such as Azure, or consumer-style VPN provision for confidentiality and security.
So, what is VPN?
As many of you will know, Virtual Private Network connections (VPN) have been a long-time trusted connectivity option between networks since 1996 when Microsoft first published the Peer to Peer Tunnelling Protocol (PPTP).
Why has VPN been so popular?
Point to Point VPN Tunnels across customer networks and VPN between end user devices and company networks have enabled users to access business data, applications and security measures whilst working from anywhere in the world.
In turn this has allowed companies to become more agile, allowing end users to work from anywhere, whilst still delivering the businesses’ security needs with information normally stored behind an enterprise or business grade trusted firewall.
Over recent years the migration to cloud-based Software as a Service (SaaS) solutions for business data and applications has in many cases reduced the use of VPN. End users are now able to connect directly to cloud resources from local endpoints, with less reliance on traditional on-premises systems.
However, many companies have key applications and large data sets that are unsuited to cloud SaaS. Businesses may also have to meet various compliance regulations or commercial model requirements that traditional on-premises infrastructure still meets, and therefore still require a VPN solution.
Why is March 2020 so important?
When the Covid-19 lockdown hit across the globe, many organisations that had never needed agile working and remote access now needed it fast. With no time for planned cloud migrations, businesses needed large-scale VPN user rollouts to enable working from home with access to data and applications for end users. Often this was done with limited consideration of how the VPN would deliver what was required or of the security risks involved.
What are some of the common key business cases for customer VPN connections?
Remote access to files: VPN provides a great method of accessing small files on networks, often as part of a domain for work share group.
Enabling remote access to applications: VPN may provide direct access to applications on the corporate network or can enable access to remote desktop services for remote users to access corporate network-based compute to run the required applications.
Web security: Agile workers often don’t have the levels of security required on the end-point or network to enable secure access to any web services. There could be other devices on those networks which are malicious and pose a threat to your corporate data. If required, VPNs can pass all web traffic directly back to the main corporate network to run through your traditional on premises network security.
What key considerations should a business check before jumping to VPN?
Level of encryption: Many companies needed to implement VPN quickly for remote working without the latest technology, running the risk of relying on older, less secure VPN methods such as PPTP rather than SSL VPN, which provides a better layer of security. Some older firewalls don’t support SSL VPN, so an upgrade may be required, and some firewalls need licensing to enable SSL VPN on a per-user basis.
VPN performance: VPN provides a method for agile working; however, it can be limited in the performance it delivers. For example, does the VPN provide the performance requirement to open or transfer the documents across your IT environment as end users expect?
Does VPN enable what you need?: VPN connections alone may not allow you to run the applications required; however, VPN may provide the secure access to another layer of compute such as a remote desktop server or individual endpoint.
The resiliency of your firewalls: If you are only running one firewall it may be worth considering a pair of high availability configured firewalls to reduce risk and a single point of failure.
Treat VPNs with the highest security: VPN passwords should be highly secure as they allow a device to connect to your network. VPN passwords should be complex and updated regularly, and accounts kept up to date to ensure no legacy users have access credentials.
Multi-Factor Authentication and Geo Blocking Controls: For best practice, implement a multi-factor authentication system to complement your VPN security. This can prevent unauthorised access in the event of a password breach or brute force attack.
Firewall limitations: Many firewalls are limited in the number of VPN connections available and the number they can handle concurrently. Ensure the latest firmware updates are in place for your firewalls, which may offer more stable connections.
And many, many more…
Ultimately VPN can still provide a great layer of security, ensuring that external users who are accessing the system need a further level of credentials to access the network, particularly when multi-factor authentication is added to the VPN connection. However, it is important that the company understands the required working practices and that the security risks are fully considered.