Simple Rules for Implementing VPN for the Remote Workforce
When implementing VPN for your new remote workforce, it is critically important to ensure that users logging on to the VPN are verified to a high degree of assurance, devices are validated and the rights and entitlements are intelligently limited in line with the principle of least privilege.
In the wake of the COVID-19 pandemic, most, if not all, employers and governments in the US and around the world have asked employees and citizens to practice social distancing and work from home to stem the spread of this contagion. While the state of our communications and internet infrastructure is very scalable and robust (here’s a short video clip of AT&T CEO addressing this), the question about its security, on the other hand, is not that straightforward to answer. Here are some of the security risks organizations face as they try to make their employees as productive at home as when they are in the office:
- Malicious actors have been leveraging the hype and fear connected with the growing COVID-19 pandemic as a tool to steal passwords and data. More about that here.
- Allowing employees to access critical business systems and data from machines and networks you don’t manage, or trust means the risk grows exponentially. Here’s a Forbes article to expand on that and also double clicks into how some of these risks can be addressed by adopting the principles of Zero Trust.
- Organizations who have been relying too much on a “perimeter” based security are getting exposed to security challenges as they are now confronted with this new reality where their network and security teams have to support a remote workforce. The following siliconangle.com article make a strong case for such organizations to use the current situation to evolve their security architecture.
- According to a study OpenVPN conducted in 2019, 24% of companies haven’t updated their remote work security policy in over a year, and 44% say their IT department did not lead the remote work security policy plan.
Now let’s look into Virtual Private Networks (VPNs), one of the most time-tested, albeit a bit risky, solution out there for secure remote access. I call it risky because, if not properly maintained and implemented, attackers might leverage it to get the keys to the kingdom. Ensuring that the VPN stack is properly patched, using the right encryption, and continuously monitoring traffic patterns and usage are no doubt very important. But even more important is ensuring that users logging on to the VPN are verified to a high degree of assurance (Our blog on NIST 800-63-b), the devices are validated and the rights and entitlements are intelligently limited in line with the principle of least privilege...isn’t this sounding like the founding principles of Zero Trust Security?
Now let’s see the best practices when it comes to implementing VPN in context of these three pillars of Zero Trust Security.
Rule # 1: Verifying Users: Make sure the VPN solution supports Multi-factor Authentication (MFA) through RADIUS and/or SAML.
Most VPN solutions support different types of authentication mechanisms, depending on the type of VPN (site-to-site, remote user). One type that supports MFA is the use of RADIUS in which the VPN server becomes a RADIUS client to a RADIUS server, which in turn is able to perform a Multi-factor Authentication. For e.g. Idaptive’s connector software can serve as a RADIUS server as well as an AD proxy to perform the AD authentication as well as present a second factor in the form of a Mobile Authenticator, OATH OTP, Email, for the 2nd factor.
The following figure also shows the various steps involved in the RADIUS based authentication between the RADIUS client and Idaptive Connector, which serves are the RADIUS server (among other things).
Another way to integrate a VPN with an external IDP for authentication is through SAML. This is not supported by all the VPN vendors out there, but if supported, then there is no need to install a desktop VPN client on the endpoints. Below is an illustration on how this works with Palo Alto Network’s Global Protect solution.
So, as you are looking for a VPN solution ask yourself the questions:
- Does it support MFA?
- Does the solution require a VPN client to be installed on the endpoints? If so, which authentication mechanisms is it able to support? For example, some mechanisms are pushed directly to the Authentication Provider (AP) for verification from the mechanism, and some require the end-user to interact with the VPN client to enter a code (for e.g. OATH OTP code), which is then sent to the AP for verification.
- Does the solution support a client-less VPN authentication mechanism such as SAML? This is especially convenient since then the IT administrator does not have to ensure that each client is installed with the right version of the client and thus is able to embrace a wider range of endpoints in a secure fashion. Some clients (like for e.g Cisco’s Anyconnect) do have support for embedded browsers, which can then support SAML.
Rule # 2: Limiting Access: Make sure the RADIUS server is able work with specific attributes to limit access and authorization.
The vendor-specific attributes are necessary if you want to give users permission for more than one type of access. For e.g. based on the user role, the user may be granted a particular privilege level thereby limiting access. The VSAs may be used in combination with RADIUS-defined attributes. For example, this link shows Ciscos's VSAs.
Rule # 3: Verifying Users: The authentication provider (Idaptive in our case) solution is able to support a heterogenous VPN environment.
Many a time an organization may have multiple VPN vendors with a mix of protocol support for authentication and access control. The RADIUS server/IDP must be able to support different authentication profiles, for instance, for the different VPN servers (RADIUS clients). For e.g. if more sensitive types of resources are accessed from one VPN server then an authentication profile with stronger authentication can be applied vs that for a different VPN server fronting less critical resources.
Rule # 4: Intelligently Limit Access: IDP solution is able to offer an adaptive, risk aware, solution.
Even for a single VPN server, the authentication provider, must be able to provide a way to detect user behavioral anomalies and present different challenges based on user’s risk. This is especially critical in the current scenario where most, if not all, workers are going to be remote for a significant amount of time.
Rule #5: Validating Device: The endpoint itself is protected by MFA and Conditional Access.
With users being remote and possibly also bringing their own devices (BYOD), it will be critical to be able to only grant access to those devices with users who were verified by MFA as part of logging into the device itself.
For more information on how Idaptive can help with your VPN implementation, please visit:
Learn more about how Admins can set up Idaptive's MFA for VPN by visiting Idaptive Academy and checking out these videos: