With more and more employees working remotely, either from home or on the go, enterprises need a way to secure their communications with the corporate network. One solution is a virtual private network (VPN), which enables employees to securely send data between computers across a shared or public network.
VPNs were developed to solve two challenges: the high cost of leased lines for branch offices, and the growing need to enable remote workers to access the corporate network securely.
VPNs provide secure connections by encrypting data and sending it through a “tunnel,” but there are limitations to that security. Device trust — like that provided by Kolide, this article’s sponsor — can improve VPN security by allowing only secure and properly configured devices to connect to an organization’s network, adding an additional layer of assurance on top of VPN security.
But before examining the limitations of VPNs, let’s take a look at how they work.
How does a VPN work?
A VPN involves the transfer of encrypted data wrapped with a header containing routing information. This process enables the data to travel securely over a shared or public network to reach its endpoint.
Data packets passed over the public network in this way are unreadable to anyone without the decryption keys, so the data is not disclosed in transit. Encryption alone does not stop tampering, though: keeping data from being changed in transit also requires the tunnel's integrity protection (the authentication tag in IPsec's ESP, or the MAC/AEAD tag on a TLS record), which every modern VPN protocol applies alongside encryption.
From the user’s perspective, the VPN connection is a point-to-point connection between the user’s computer and a corporate server. The nature of the public network is irrelevant to the user because it appears as if the data is being sent over a dedicated private link.
As workers become more mobile, VPN connections allow users working at home or on the road to connect in a secure fashion to a remote corporate server using the routing infrastructure provided by a public network, such as the Internet.
VPNs improve Wi-Fi security
Many of these mobile workers use public Wi-Fi to access corporate data, and more than one-third never use a VPN to protect their data even though two-thirds are concerned about public Wi-Fi security, according to a survey by iPass. VPN remains a viable option for securing data transferred over public Wi-Fi.
Of course, it is not just employees working remotely who could endanger the security of corporate data and networks. Third parties, such as vendors, contractors, and suppliers, could pose risks by accessing corporate resources in an insecure manner. A VPN is just one way to reduce security risks from third parties.
In the enterprise, VPNs are used in a number of ways, including remote access for users connecting to the corporate network from home or a mobile device, intranet connections among fixed locations such as branch offices, extranet connections with business partners such as suppliers and customers, and wide area network (WAN) replacement for geographically dispersed networks.
As a WAN replacement, VPN can be cheaper because it requires less overhead to maintain and offers better scalability. However, network reliability and performance might become an issue, especially when connections are tunneled through the Internet.
VPN risks – and must-have security features
Are VPNs safe? Admittedly, there are security risks associated with VPNs. These include VPN hijacking, in which an unauthorized user takes over a VPN connection from a remote client; man-in-the-middle attacks, in which an attacker inserts itself between the client and the VPN server and intercepts or alters data; weak user authentication (a single password with no second factor); split tunneling, in which the client sends some traffic directly to the Internet while also connected to the private network, so a compromised client can become a bridge between the two; malware infection of the client machine; granting too many network access rights once connected; and DNS leaks, in which the computer sends name lookups to its default (local or ISP) resolver outside the tunnel rather than to the VPN's DNS server, revealing which hosts it is contacting.
Even with these added security measures, VPNs are not immune to breaches. A traditional VPN trusts whoever gets onto the network rather than applying the principle of least privilege: once a client has authenticated, it typically has the same reach into the internal network as a machine on the office LAN. The more secure configurations are harder to roll out, as it takes time for employees to adopt new security procedures, and VPNs overall are neither very flexible nor easy to manage. Organizations with many remote workers may find VPN management expensive, particularly with a higher-end provider (the better a VPN is, the more costly you can expect it to be). VPNs can be useful tools, but they can also slow a company's productivity during the implementation process. And, as noted, because the VPN trusts whoever gains access to the private network, an attacker who obtains a valid connection, for example through a compromised client or stolen credentials, inherits that user's full network access.
To address these risks, enterprises should consider additional security features when choosing a VPN product. Must-have security features include:
- support for strong authentication
- strong encryption algorithms
- support for anti-virus software and intrusion detection and prevention tools
- strong default security for administration and maintenance ports
- digital certificate support
- logging and auditing support
- and the ability to assign addresses to clients on a private network while ensuring all addresses are kept private.
Also, having a kill switch is an important VPN security precaution. If the computer loses the VPN connection, the kill switch blocks all Internet traffic (or shuts down the applications using the connection) until the tunnel is back, rather than letting the operating system silently fall back to the unprotected connection. This prevents both the user's real IP address and the traffic itself from being exposed outside the tunnel.
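A client-side check for two of the risks listed above, split tunneling and DNS leaks, as an added example in Python (not from the article). It works on the text of `ip route` and /etc/resolv.conf on a Linux client; the route tables and resolver files embedded below are constructed samples, and the tunnel interface name, the VPN resolver and the probe address are assumptions. A kill switch is the enforcement counterpart (firewall rules that drop anything not going through the tunnel); this script only detects the condition.

```python
"""Detect split tunnelling and DNS leaks from `ip route` and /etc/resolv.conf text.

Added example, not part of the original article. Interface name, resolver
address and probe address are assumptions; sample inputs are constructed.
"""
import ipaddress
import re


def parse_routes(ip_route_output):
    """Turn `ip route` lines into (network, device) pairs."""
    routes = []
    for line in ip_route_output.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        if "/" not in dest:
            dest += "/32"  # host route
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((ipaddress.ip_network(dest, strict=False), dev))
    return routes


def egress_device(routes, address):
    """Longest-prefix match: which interface carries traffic to `address`?"""
    ip = ipaddress.ip_address(address)
    best = None
    for net, dev in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def parse_nameservers(resolv_conf):
    return re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf, flags=re.M)


def check_vpn_posture(ip_route_output, resolv_conf, tun_if="tun0",
                      probe="198.51.100.1"):
    """Return a list of findings; an empty list means full tunnel with tunnelled DNS.

    `probe` is an arbitrary public (TEST-NET-2) address used to ask the routing
    table where ordinary Internet traffic would leave the host.
    """
    routes = parse_routes(ip_route_output)
    findings = []
    dev = egress_device(routes, probe)
    if dev != tun_if:
        findings.append(f"split tunnel: Internet traffic to {probe} leaves via {dev}, not {tun_if}")
    for ns in parse_nameservers(resolv_conf):
        ns_dev = egress_device(routes, ns)
        if ns_dev != tun_if:
            findings.append(f"DNS leak: resolver {ns} is reached via {ns_dev}, outside the tunnel")
    return findings


# Constructed samples. FULL_TUNNEL is the shape OpenVPN's `redirect-gateway def1`
# produces: two /1 routes via tun0 outrank the LAN default route, and the VPN
# server itself (203.0.113.5) keeps a host route out of the physical interface.
FULL_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42
203.0.113.5 via 192.168.1.1 dev wlan0
"""
# Only the corporate 10/8 range goes through the tunnel; everything else is direct.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42
"""
TUNNELLED_DNS = "nameserver 10.8.0.1\n"
LEAKY_DNS = "nameserver 10.8.0.1\nnameserver 192.168.1.1\n"  # home router still listed

if __name__ == "__main__":
    for name, rt, dns in [("full", FULL_TUNNEL, TUNNELLED_DNS),
                          ("split", SPLIT_TUNNEL, LEAKY_DNS)]:
        print(name, check_vpn_posture(rt, dns) or ["ok"])
```

On a real client, feed it `subprocess.check_output(["ip", "route"]).decode()` and the contents of /etc/resolv.conf; a second resolver left over from DHCP is the most common leak this catches.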
In addition, training should be conducted for network and security administrators and support staff, as well as remote users, to ensure that they follow security best practices during VPN implementation and ongoing use.
Another way to improve VPN security is through perfect forward secrecy (PFS). If PFS is used, encrypted communications and sessions recorded in the past cannot be retrieved and decrypted should long-term secret keys or passwords be compromised.
With PFS, each VPN session negotiates a fresh, ephemeral key (typically through an ephemeral Diffie-Hellman exchange) that is discarded when the session ends, so even if attackers recover one session's key, or later steal the long-term authentication key, they cannot decrypt other sessions.
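The difference PFS makes, as an added example in Python (not from the article): a key exchange where both peers reuse long-term Diffie-Hellman keys, beside one where each session uses fresh ephemeral values that a long-term secret only authenticates. The group parameters are RFC 3526 group 14 (the 2048-bit MODP group commonly used by IKE); an HMAC under a pre-shared key stands in for the signature or certificate that a real VPN would use, which is an assumption made for brevity, as are the session labels.

```python
"""Static DH (no PFS) versus ephemeral DH authenticated by a long-term key (PFS).

Added example, not from the original article. HMAC under a pre-shared key
stands in for a real signature over the ephemeral values.
"""
import hashlib
import hmac
import secrets

# RFC 3526 group 14: 2048-bit MODP safe prime, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
Q = (P - 1) // 2  # P is a safe prime, so Q is prime too


def dh_keypair():
    """Random private exponent in [2, Q-1] and the matching public value g^x mod p."""
    x = 2 + secrets.randbelow(Q - 2)
    return x, pow(G, x, P)


def session_key(peer_public, private, context):
    """Both sides reach the same 32-byte key: SHA-256(context || peer^private mod p)."""
    shared = pow(peer_public, private, P)
    return hashlib.sha256(context + shared.to_bytes(256, "big")).digest()


# --- Model 1, no PFS: each side reuses one long-term DH key for every session.
def static_session(alice_priv, alice_pub, bob_priv, bob_pub, nonce):
    """Returns (Alice's key, Bob's key, what a passive eavesdropper records)."""
    k_alice = session_key(bob_pub, alice_priv, nonce)
    k_bob = session_key(alice_pub, bob_priv, nonce)
    recording = {"nonce": nonce, "alice_pub": alice_pub, "bob_pub": bob_pub}
    return k_alice, k_bob, recording


def break_static(recording, stolen_bob_priv):
    """Old recording plus Bob's long-term key stolen later: the session key falls out."""
    return session_key(recording["alice_pub"], stolen_bob_priv, recording["nonce"])


# --- Model 2, PFS: a fresh DH key per session; the long-term secret only authenticates it.
def _auth(psk, value):
    return hmac.new(psk, value.to_bytes(256, "big"), "sha256").digest()


def ephemeral_session(psk, context=b"ike-demo-session"):
    """Ephemeral exchange: exponents a and b exist only for the life of the handshake."""
    a, A = dh_keypair()
    b, B = dh_keypair()
    tag_a, tag_b = _auth(psk, A), _auth(psk, B)
    # Each side verifies the peer's tag before using the peer's value (defeats MITM).
    if not (hmac.compare_digest(tag_b, _auth(psk, B)) and hmac.compare_digest(tag_a, _auth(psk, A))):
        raise ValueError("ephemeral value failed authentication")
    k_alice = session_key(B, a, context)
    k_bob = session_key(A, b, context)
    del a, b  # the ephemeral exponents are discarded once the key is derived
    return k_alice, k_bob, {"A": A, "B": B, "tag_a": tag_a, "tag_b": tag_b}


def break_ephemeral(recording, stolen_psk):
    """Same attacker, same recording, the long-term secret now stolen.

    The secret lets them confirm the recording is genuine (and impersonate a peer in
    *future* handshakes), but the session key needs an exponent that no longer exists
    anywhere; recovering it from A and B alone is the discrete-log problem.
    """
    authentic = (hmac.compare_digest(recording["tag_a"], _auth(stolen_psk, recording["A"]))
                 and hmac.compare_digest(recording["tag_b"], _auth(stolen_psk, recording["B"])))
    return {"authentic": authentic, "session_key": None}
```

Real protocols authenticate the ephemeral values with certificates or signatures rather than a shared HMAC key, and IKEv2 and TLS-based VPNs also rekey long-lived tunnels so that even a single session does not depend on one key for hours.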
Zero trust architecture: an alternative approach to network security
Some network providers have begun implementing a new type of architecture for computer networks: Zero trust. Zero trust operates from the principle of least privilege, only allowing a network user to access exactly the services and applications they need to do their job. And each application or access point requires a verification step. Users allowed onto the network are not automatically trusted.
In a zero trust architecture, companies define specific places within their network that need to be secured. These are known as protect surfaces: the applications or accounts that require protection. Networks that offer a zero trust solution create microperimeters for each protect surface. Rather than only having one giant network perimeter, through which everyone goes and then has access to the entire network, a zero trust framework places perimeters around each application or service. An attacker must make their way through more walls than just the initial point of entry in the network.
A zero trust security solution ensures that possible attackers have limited access to a network, rather than throwing the doors wide open once a user authenticates themselves at an endpoint. By requiring multiple steps of verification for different services, the network limits users to only the applications that they need to complete tasks. This is where least privilege becomes important: by segmenting the network into smaller zones, the network limits what users are authorized to access.
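To make the contrast concrete, an added example in Python (not from the article or any vendor): a perimeter-style decision that grants everything after one login, beside a zero-trust decision that checks role entitlement, step-up MFA and device posture separately for each protect surface and records who asked for what. The users, roles, applications and posture attributes are invented for the illustration.

```python
"""Perimeter (VPN-style) versus per-resource zero-trust access decisions.

Added example, not from the original article. Users, roles, apps and the
posture attributes are invented.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    managed: bool         # enrolled in device management
    disk_encrypted: bool
    os_patched: bool


@dataclass(frozen=True)
class Request:
    user: str
    device: Device
    app: str              # the protect surface being accessed
    mfa_verified: bool    # second factor completed for this request


ROLES = {"alice": {"finance"}, "bob": {"engineering"}, "carol": {"contractor"}}

# One microperimeter per protect surface: who may enter and what they must prove.
PROTECT_SURFACES = {
    "wiki":    {"roles": {"finance", "engineering", "contractor"}, "mfa": False, "managed_device": False},
    "payroll": {"roles": {"finance"},                               "mfa": True,  "managed_device": True},
    "prod-db": {"roles": {"engineering"},                           "mfa": True,  "managed_device": True},
}

AUDIT_LOG = []  # (user, app, allowed, reason) for every decision


def perimeter_decide(request, authenticated_users):
    """VPN model: authenticate once, then every app on the network is reachable."""
    return request.user in authenticated_users


def device_compliant(device):
    return device.managed and device.disk_encrypted and device.os_patched


def zero_trust_decide(request):
    """Evaluate identity, entitlement and device posture for this app, this time."""
    surface = PROTECT_SURFACES.get(request.app)
    if surface is None:
        decision = (False, "unknown protect surface")
    elif not ROLES.get(request.user, set()) & surface["roles"]:
        decision = (False, "role not entitled to this app")
    elif surface["mfa"] and not request.mfa_verified:
        decision = (False, "step-up MFA required")
    elif surface["managed_device"] and not device_compliant(request.device):
        decision = (False, "device fails posture check")
    else:
        decision = (True, "allowed")
    AUDIT_LOG.append((request.user, request.app, *decision))
    return decision


if __name__ == "__main__":
    laptop = Device(managed=True, disk_encrypted=True, os_patched=True)
    byod = Device(managed=False, disk_encrypted=False, os_patched=True)
    print(perimeter_decide(Request("carol", byod, "payroll", False), {"alice", "carol"}))
    print(zero_trust_decide(Request("carol", byod, "payroll", False)))
    print(zero_trust_decide(Request("alice", laptop, "payroll", True)))
```

The point is the shape of the decision, not the specific rules: the perimeter check has one input, while the zero-trust check has no way to return "allowed" for payroll without naming the user, the app, the factor and the device, which is also exactly the information the audit log needs.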
Zero trust architectures also help organizations better monitor workloads and processes, which in a multi-cloud environment are very agile and hard to track. If multiple steps of verification are required to perform a workload, it will be much easier to see what action has taken place and who exactly initiated it. Organizations can then track malicious activity with better information.
As networks see more remote workers, devices, and workloads, zero trust may become the primary method of securing them. Some network providers have already implemented a zero trust architecture, including Palo Alto, Cisco, and Symantec. See our top zero trust security vendors for more.
What are types of VPNs?
There are basically four types of VPNs:
- A firewall-based VPN is equipped with both a firewall and VPN capabilities. This type uses the security provided by firewalls to restrict access to an internal network and provides address translation, user authentication, alarms and logging.
- A hardware-based VPN provides high network throughput as well as improved performance and reliability, but is also expensive.
- A software-based VPN provides flexibility in terms of how traffic is managed. This is best for when endpoints are not controlled by the same party and when different firewalls and routers are used.
- A secure socket layer (SSL) VPN (in current products implemented with SSL's successor, TLS) enables users to connect to VPN devices using a web browser. SSL/TLS is used to encrypt traffic between the web browser and the VPN device.
VPN tunneling protocols
VPN tunneling protocols offer different features and levels of security, and there are benefits and disadvantages to each. There are five main VPN tunneling protocols: Secure Socket Tunneling Protocol (SSTP), Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol (L2TP), OpenVPN, and Internet Key Exchange version 2 (IKEv2).
SSTP uses the HTTPS protocol to pass traffic through firewalls and web proxies that might block other protocols. SSTP provides a mechanism to wrap point-to-point protocol (PPP) traffic over the SSL channel. The use of PPP allows support for strong authentication methods, and SSL provides transport-level security with enhanced key negotiation, encryption and integrity checking.
PPTP allows multiprotocol traffic to be encrypted and then wrapped in a header to be sent across an Internet protocol (IP) network. PPTP can be used for remote access and site-to-site VPN connections. When using the Internet, the PPTP server is a PPTP-enabled VPN server with one interface on the Internet and a second interface on the corporate intranet. PPTP uses a transmission control protocol (TCP) connection for tunnel management and generic routing encapsulation (GRE) to wrap PPP frames for tunneled data.
L2TP enables multiprotocol traffic to be encrypted and then sent over any medium that supports PPP data delivery, such as IP or asynchronous transfer mode. L2TP is a combination of PPTP and Layer 2 Forwarding (L2F). L2TP represents the best features of PPTP and L2F. Unlike PPTP, L2TP relies on IP Security (IPsec) in transport mode for encryption services. The combination of L2TP and IPsec is known as L2TP/IPsec. Both L2TP and IPsec must be supported by both the VPN client and the VPN server. L2TP/IPsec is perfect forward secrecy capable.
OpenVPN is an open-source software application that implements VPN techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that uses SSL/TLS for key exchange. It is capable of traversing network address translators and firewalls. OpenVPN allows peers to authenticate each other using a secret key, certificate, or username and password. Most VPN providers using OpenVPN employ perfect forward secrecy.
IKEv2 is an IPSec-based protocol that is baked into Windows 7 and above. IKEv2 is the next-generation standard for secure key exchange between peer VPN devices. IKEv2 is particularly good at automatically re-establishing a VPN connection when users temporarily lose their Internet connections.
Choosing the most secure VPN for your organization
So how do you choose the most secure VPN? Many view OpenVPN, which is open source, as the most secure VPN protocol. It is stable and reliable, easily configured to run on any port, supports hardware acceleration for improved speeds, is able to traverse firewalls and network address translation (NAT), and uses OpenSSL libraries for encryption. However, it requires client software on every device: official OpenVPN clients exist for iOS and Android, but they must be installed and kept up to date rather than being built into the operating system.
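The OpenVPN properties mentioned above (any port, OpenSSL-backed ciphers, forward secrecy, DNS kept inside the tunnel, a locked-down administration port) as a server configuration fragment. This is an added example, not taken from the article or from the OpenVPN project's documentation; file paths, the tunnel subnet and the port are placeholders, and the weak legacy settings are shown commented out beside their replacements. The directives are those of OpenVPN 2.5 or later.

```conf
# server.conf (constructed example; paths and addresses are placeholders)

# Any port works; 443 blends in where other ports are filtered.
port 443
proto udp
dev tun
server 10.8.0.0 255.255.255.0

# Certificate-based peer authentication, with revocation for lost devices.
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
crl-verify /etc/openvpn/crl.pem
# Client certificates must carry the client EKU and are mandatory.
remote-cert-tls client
verify-client-cert require

# Key exchange: ECDHE gives perfect forward secrecy; "dh none" drops the
# static finite-field parameters older guides still generate.
dh none
ecdh-curve secp384r1
tls-version-min 1.2
# Encrypts and authenticates the control channel; unauthenticated packets are dropped.
tls-crypt /etc/openvpn/ta.key
# Renegotiate data-channel keys every hour (the default; lower for shorter exposure).
reneg-sec 3600

# Data channel. Weak legacy settings, do not use:
#   cipher BF-CBC      (64-bit block cipher)
#   auth SHA1
data-ciphers AES-256-GCM:CHACHA20-POLY1305
cipher AES-256-GCM
auth SHA256

# Full tunnel with DNS inside it (addresses split tunneling and DNS leaks).
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
# Windows clients only: stop the OS from querying other resolvers.
push "block-outside-dns"

# Administration and logging: the management port stays on the loopback interface.
management 127.0.0.1 7505
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/status.log
verb 3
```

The client profile needs matching `remote-cert-tls server` and `tls-crypt` lines plus its own certificate; `verify-client-cert require` makes a username/password alone insufficient, which is the "strong authentication" item on the must-have list.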
Another secure VPN protocol is L2TP/IPSec. It has strong encryption, no additional software for devices, is built into most desktop operating systems and mobile devices, is fairly easy to implement, and has no known major vulnerabilities. However, it does have trouble with firewalls, it is challenging to configure on a Linux server, and it is relatively easy to block by Internet service providers.
SSTP provides strong encryption, is very hard to detect and block, and is supported on all Microsoft Windows computers. At the same time, it is not supported by all VPN providers, and there is limited support for non-Windows devices.
The least secure VPN protocol is PPTP. Its benefits include easy setup, wide support for most devices, and low overhead. It has been around for a long time and has known security issues that can be exploited by attackers (or government agencies); its encryption is weak, and it is relatively easy for ISPs to block.
IKEv2 is supported as part of the IPsec implementation in Windows, is easy to use, has a shorter negotiation period, and includes the essential features as standard. However, bugs are still being worked out, and interoperability between different vendors' implementations can be an issue.
Which VPN protocol is best depends on the enterprise and the individual. For those looking for the most secure option, OpenVPN is the best choice. For the widest device support without extra client software, IKEv2 or L2TP/IPsec, which are built into most desktop and mobile operating systems, are the better options; PPTP's broad support is not worth its known weaknesses.
A VPN provides a means of accessing a secure corporate network over insecure public networks. While a VPN is an improvement over transmitting unencrypted data over public networks, the potential security flaws should be considered by enterprises considering deploying a VPN or those that have already deployed one. Choosing the most appropriate VPN is vital for improved security in the enterprise.
A number of security and networking vendors offer VPN solutions, among them:
- F5 Networks
- Cisco Systems
- Pulse Secure
- Check Point
- Palo Alto Networks