Teleworking: VPN and other recommendations

Posted date: 30/03/2020
Author: Adrián Flecha (INCIBE)

Nowadays it is common for organisations to face the need for their employees to be able to remotely access the information and resources stored in their corporate networks, either to facilitate daily operations from portable devices, or to deal with unforeseen events that prevent regular access from the organisation's own headquarters.

Nevertheless, there are risks that jeopardise the security of the assets when this is not done properly, given that allowing remote access to information exposes it not only to authorised employees, but also to potential attackers. Therefore, it is necessary to take a number of considerations into account to ensure that the organisation is prepared.

In this article, we will review virtual private networks (VPNs), one of the most important measures for teleworking arrangements, since they allow a connection to the organisation through secure networks. We will look at the advantages they offer, as well as other additional recommendations to help ensure security.

VPN

Virtual private networks are used to protect the information that is exchanged by establishing a secure communication tunnel between the client and the server. This is done by using encryption techniques that prevent others from being able to intercept or manipulate it, therefore guaranteeing the confidentiality and integrity of the data. Furthermore, servers can verify the authenticity of the client; in other words, they will only allow access to authorised users.

- Figure: VPN architecture. -

Types of VPN

Some possible implementations of these networks are:

  • Client/server applications designed to access the data stored on the server through HTTP.
  • VPN gateways that allow HTTP access to the server’s applications that do not have a native web-based interface.
  • VPN gateways that act as web de-tunnelling proxies, accepting HTTP connections from the client application, removing the HTTP header from the native client/server protocol and forwarding it to the server.
  • Remote access VPN connections that use SSL and transport all of the network protocols.

Additional security measures in VPN

There are various methods and technologies available that may help to secure VPN connections, but the specific security solutions will depend on the type of VPN that is implemented. Some of the most common approaches for addressing the security weaknesses of VPNs are:

Robust user and device authentication

A tunnel will always require users to authenticate themselves before allowing access to any network resource. Although most of them are compatible with the standard authentication protocols of operating systems, it is advisable to implement additional measures, as users may find themselves in an unknown environment where they could be exposed and unprotected against all kinds of threats, such as shoulder surfing, keyloggers, USB dongles, etc.

In addition to strong authentication with strong passwords, two-factor authentication (2FA) should be used, such as the following:

  • authentication with a one-time password (OTP);
  • authentication by means of a user certificate;
  • biometric authentication;
  • smart cards.

Load testing

Given the scalability of these networks, it is easy to increase the number of users simultaneously connected through them. Therefore, it is necessary to know the maximum capacity of the VPN. The ideal way to do so is to carry out tests that help to understand and control the volume of users that can use it with a good user experience, in other words, without experiencing bottlenecks, latency, slowness or disconnections.

Obviously, tests must be carried out in simulated environments before the VPN is put into production. Therefore, implementing telework requires some preparation on the part of the organisation, as it can be risky if rushed.

Other aspects to be evaluated during the prototype phase are connectivity, flow protection, authentication, applications, management, logging, security of the VPN implementation and control of default settings.

Inspection of the application layer

One of the security advantages VPNs provide is a private and encrypted connection between the remote user and the VPN gateway. The connection is private because other users between the client and the gateway cannot access the information in that encrypted tunnel.

Nonetheless, this encryption also affects the network firewalls and reverse proxies, which only see an encrypted SSL connection and forward it to the gateway without inspecting it. If an attacker takes control of a computer connected to the VPN, this may allow their traffic to pass through the perimeter firewalls and reach the VPN gateway without being inspected or filtered out.

SSL-to-SSL bridge firewalls address this. They accept the client's SSL session, decrypt the communication content, perform an application layer inspection of the commands and data within the HTTP communication, and then re-encrypt it and forward it to the gateway. This makes it possible to stop potential attacks that would otherwise remain hidden in the encrypted tunnel.

Protection of the client’s environment

The business environment is controlled and managed, making it more resistant to possible attacks by viruses, worms, spyware, etc. As the VPN client is not in this environment, it is much more susceptible to these attacks, especially if access is made through a personal computer lacking the corporate security measures. This could lead to the propagation of malware that could have been installed in the remote client.

There are some options in order to control this type of situation:

  • Network management and software deployment tools to apply antivirus and anti-spyware mechanisms to each terminal that connects to the network, through the virtual network.
  • VPN that can undertake an advanced inspection.
  • VPN with client verification mechanisms. These can be very different, from registry and browser checks to complete checks for specific security issues.
  • Advanced antivirus, antispyware and access control alternatives that enable the control of Internet connections, as well as the connected user’s behaviour and their information, even outside the corporate environment.

Web proxy servers in the corporate network that protect against VPN connections that violate network use policies

Because VPN client connections cannot be fully inspected by perimeter firewalls, it is possible that malware can be transmitted from the remote network to the corporate network through the tunnel. This risk is higher when access is made through a personal computer in which corporate protection measures have not been applied.

It is possible to adopt reverse SSL inspection, in other words, an output bridge from SSL to SSL. This bridge's operation is slightly different from that of the input bridge, as here the firewall is located at the output of the connection from the client. In the input bridge, because the organisation has control over its certificate infrastructure and public DNS, the advanced firewall can pass itself off as the gateway by presenting the corresponding certificate.

This is not possible in the output bridge, given that there is no such control over the servers to which internal network clients will make SSL connections. The firewall therefore needs to be able to dynamically stand in for the destination to which the HTTP connection is being sent, by generating certificates with the name of the destination SSL server. This makes it possible to inspect outbound SSL connections and to collect the entire data flow from users that use the SSL tunnel from end to end.

 


- Outgoing SSL Inspection, source: Barracuda Campus. -

Other teleworking recommendations

Once the connection has been securely established, it is possible to begin teleworking. However, further measures are necessary so that the activity is carried out securely. Some of them are:

Device control

Once the connection to the organisation's network is secured, the next essential element for secure teleworking is the device that will be used to access it. Unless there is no other option, it is advisable to use corporate devices instead of personal ones. In this way, it is possible to guarantee that the security policies implemented by the organisation are complied with. By contrast, accessing from a non-corporate device that does not have these security measures increases the risk.

Should someone need to use a personal computer, the organisation must provide the employee with all the necessary measures to secure the device. In turn, it is the employee's responsibility to implement these measures and to follow the instructions given by his or her organisation at all times, as well as to use the device responsibly, following good practice and common sense. This includes, among others, using legitimate software in its latest version, using secure passwords, only connecting trusted removable devices, making regular backups, ensuring the security and physical integrity of the device, implementing anti-theft policies such as encryption or locking the computer, and not falling victim to social engineering techniques.

Access control

Remote access to information should be done by means of corporate credentials that enable identity verification, together with a second authentication factor that prevents identity theft. This follows the zero-trust principle as a cornerstone: by default, nothing is to be trusted and everything is to be checked.

Managing permissions and roles

Making use of the different existing roles in the organisation depending on the employee or the type or method of work to be carried out, assigning each employee only what is essential to undertake their activity (principle of least privilege), will avoid undue access, both to information and to tools, especially when teleworking.

Monitoring network activity

It is also advisable to monitor all corporate network activity, looking for any kind of suspicious activity, such as access attempts after hours, from questionable locations, or from unidentified devices. This makes it possible to keep track of recurring failed authentication attempts, simultaneous accesses, data downloads, unauthorised resource access attempts or remote execution attempts from VPN clients, etc. The aim of all of this is to detect inappropriate activity and take appropriate steps against it.

Another useful metric is the measurement and behaviour of traffic, i.e. average use, traffic peaks, suspicious or high-volume connections, as well as traffic outside normal working hours.
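As an added illustration (not part of the original article), the following Python sketch applies three of the checks listed above to VPN authentication events: recurring failed authentication attempts, access after hours and simultaneous accesses from different source addresses. The log format, field names, working hours and thresholds are assumptions made for this example, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a hypothetical format: UTC timestamp, user, source IP, event.
SAMPLE_LOG = """\
2020-03-30T08:59:10Z user=alice src=198.51.100.10 event=login_ok
2020-03-30T09:05:00Z user=bob src=203.0.113.5 event=login_fail
2020-03-30T09:05:20Z user=bob src=203.0.113.5 event=login_fail
2020-03-30T09:05:45Z user=bob src=203.0.113.5 event=login_fail
2020-03-30T10:30:00Z user=alice src=192.0.2.77 event=login_ok
2020-03-30T17:45:00Z user=alice src=198.51.100.10 event=logout
2020-03-30T23:40:00Z user=carol src=198.51.100.23 event=login_ok
"""

WORK_HOURS = range(7, 20)  # assumed policy: 07:00-19:59 UTC
FAIL_LIMIT, FAIL_WINDOW = 3, timedelta(minutes=5)  # assumed thresholds

def parse(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)  # key=value pairs
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect(log_text):
    """Return a list of (rule, user, timestamp) alerts in log order."""
    alerts = []
    fails = defaultdict(deque)   # user -> timestamps of recent failures
    sessions = defaultdict(set)  # user -> source IPs with an open session
    for rec in map(parse, filter(None, log_text.splitlines())):
        user, src, ts, event = rec["user"], rec["src"], rec["ts"], rec["event"]
        if event == "login_fail":
            q = fails[user]
            q.append(ts)
            while ts - q[0] > FAIL_WINDOW:  # drop failures outside the window
                q.popleft()
            if len(q) == FAIL_LIMIT:        # alert once, when the limit is reached
                alerts.append(("repeated_failures", user, ts))
        elif event == "login_ok":
            if ts.hour not in WORK_HOURS:
                alerts.append(("after_hours", user, ts))
            if sessions[user] - {src}:      # already connected from another IP
                alerts.append(("simultaneous_access", user, ts))
            sessions[user].add(src)
        elif event == "logout":
            sessions[user].discard(src)
    return alerts

if __name__ == "__main__":
    for rule, user, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule} user={user}")
```

Time-window rules like these only hold up when every component that writes the log shares the same clock source, which is why the clock synchronisation item under operations and maintenance matters for monitoring as well.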

Operations and maintenance

Operational processes that are particularly useful for maintaining teleworking and remote access security, and should therefore continue to be regularly undertaken, include the following:

  • Check the updates and patches of the remote access software components, and acquire, test and deploy the updates.
  • Ensure that each remote access infrastructure component (servers, gateways, authentication servers, etc.) has its clock synchronised with the same source, so that all time measurements coincide with those generated by other systems.
  • Reconfigure access control options when necessary, depending on possible changes in factors such as policy changes, technology changes, audit results or new security needs.
  • Analyse and document detected abnormalities within the remote access infrastructure. These abnormalities may indicate malicious activity or deviations from the policies and procedures. Abnormalities should be reported as necessary in each case.

Organisations should also conduct assessments periodically in order to confirm that the organisation's remote access policies, processes and procedures are being followed correctly. Assessment activities can be passive, such as reviewing records, or active, such as performing vulnerability scans and penetration tests.

Mobile network

Another alternative, available in case of emergency and in the absence of an established secure VPN connection implementation, would be to use mobile networks provided by the organisation (e.g. using a MiFi or using the corporate mobile phone as an access point). These 4G connections are much more secure, given that the security is intrinsic to the network itself and does not depend on additional configurations.

Video conferencing

Meetings are essential for the development of the organisation’s activity. While teleworking, there are numerous audio-visual communication options available: via LAN or WAN network by local infrastructure or in the cloud, hardware terminals or software applications running from different terminals.

Infrastructure-based modalities are those that operate as client-server. The local infrastructure refers to the organisation’s specific solutions, managed and stored in their own servers, while in the cloud they are those provided by a provider on a subscription basis, leaving availability, security and support in the organisation’s hands.

In both, it is important to follow the HTTPS and SSH secure connection requirements, H.235 authentication, and H.460 firewall and NAT traversal, as well as the following recommendations:

  • Select the most appropriate modality for each meeting, bearing in mind the needs, characteristics and participants of each.
  • Control access by means of personal or group invitations.
  • Prevent possible phishing when connecting.
  • Control the elements shared between participants.
  • Log the users’ actions.

Conclusions

Remote access technologies can be very useful for organisations and their employees, as well as for their partners or suppliers. Given their nature, however, all of these technologies’ components present a higher risk, so it is imperative to protect them against threats.

Major security concerns include the lack of physical security controls, the use of unsecured networks, infected devices connecting to internal networks and the availability of internal resources for external users.