IT security made simple

Using a VPN? Here are some tips

Virtual Private Networks. I bet you have heard this hundreds of times and even more with the COVID-19 situation. The idea is excellent. It allows you to work from anywhere as long as you have an internet connection. And everyone is happy until VPN stops working. And I bet that lately, some companies have had some trouble with it.

The goal of this article is not to sell you the idea of using a VPN. At this stage, you are already using it. The objective is to give you some hints about the sizing, authentication, and general rules that will help you stay secure and reduce the headaches when the VPN goes down.

But first some light theory.

Basic VPN diagram

User Authentication

Repeat after me:
Multi-Factor Authentication is your friend.
Multi-Factor Authentication is your friend.
Keep going, because it is your friend, the one that will keep you from spending Christmas alone. Or maybe not that far, but you get the idea.

Just in case you have not heard, the latest Marriott data leak happened because the VPN user authentication did not have MFA in place. And it is so easy to use that I have a hard time understanding why it is not more widely used. I agree it adds one more step for users to access the systems, but it is a small sacrifice for a greater good. Besides, you have plenty of options:

  • SMS: not recommended, but better than nothing
  • Authenticator app: Google Authenticator, Microsoft Authenticator, Authy, Duo, and a lot more. Easy to deploy and to maintain. I would personally recommend Authy or 1Password, since they allow several devices to be configured with the same account
  • Physical token: YubiKey, or any FIDO2-compatible key; Token2 keys are a good option. The main disadvantage is the logistics and maintenance of the physical keys (lost items, reactivations, et cetera)

VPN Bandwidth sizing

Scenarios differ here, depending on the type of company and the services you provide. That said, you have to make sure you have the appropriate sizing; the impacts if you do not are huge, though different in each direction. If you oversize it, you will not have any problem during heavy usage, that is for sure. But the CFO might have a different view. On the contrary, making sure the CFO is happy with cost control could make your users miserable during a period of substantial usage.

Again, we have a solution for that: split tunneling, which allows you to specify when user traffic should go through the VPN and when it should go through the user's own internet connection. Something like this:

VPN with split tunneling

What we do is this: traffic to public web applications like Office 365, Gmail or Dropbox is not sent through the VPN. Only internal enterprise applications go through the VPN, reducing bandwidth consumption and improving connection stability as well as performance. And yes, the CFO will be happy.

Monitoring

The last item I would like to discuss is monitoring, both performance and security. The first will help us prevent VPN failures and service disruption. The second will give us some visibility into user activity. An early action to take is to send all the connection logs to a SIEM (Security Information and Event Management) tool. Once there, we can have different correlation rules that trigger an alert, for instance, when a user connects to the VPN from one country and a minute later from another place 500 kilometers away.
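The "same user, two places 500 km apart, a minute apart" rule above is usually called an impossible-travel check. Here is an added example of that logic as a detection engineer would prototype it before turning it into a SIEM rule; it is not code from the original post. The log lines, the field layout (timestamp, user, source IP, country, latitude, longitude, as a GeoIP-enriched SIEM would supply them) and the 500 km / 60 minute thresholds are all assumptions, and the window is configurable rather than fixed at the one-minute gap the text mentions.

```python
"""Impossible-travel check over VPN connection logs (added example).

The sample below is constructed for this illustration. A real SIEM would
feed already-geolocated events; here lat/lon are simply part of each line.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0

# Constructed sample: "timestamp user src_ip country lat lon".
# alice: Paris then Madrid one minute later (should alert).
# bob:   Paris then Lyon 2.5 hours later (about 390 km, no alert).
# carol: same location twice (no alert).
VPN_LOGINS = """\
2020-04-06T08:00:00 alice 198.51.100.10 FR 48.8566 2.3522
2020-04-06T08:01:00 alice 203.0.113.25 ES 40.4168 -3.7038
2020-04-06T09:00:00 bob 192.0.2.40 FR 48.8566 2.3522
2020-04-06T11:30:00 bob 192.0.2.77 FR 45.7640 4.8357
2020-04-06T10:00:00 carol 198.51.100.99 DE 52.5200 13.4050
2020-04-06T10:00:30 carol 198.51.100.99 DE 52.5200 13.4050
"""


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_logins(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, lat, lon = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "ip": ip,
            "country": country,
            "lat": float(lat),
            "lon": float(lon),
        })
    return events


def impossible_travel(events, min_km=500.0, max_minutes=60.0):
    """Return one alert per pair of consecutive logins by the same user
    that are at least min_km apart and at most max_minutes apart.

    Events are sorted per user by timestamp first, so the order in which
    the log source delivered them does not matter.
    """
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            minutes = (cur["ts"] - prev["ts"]).total_seconds() / 60
            if km >= min_km and minutes <= max_minutes:
                alerts.append({
                    "user": user,
                    "from": f'{prev["ip"]} ({prev["country"]})',
                    "to": f'{cur["ip"]} ({cur["country"]})',
                    "km": round(km),
                    "minutes": round(minutes, 1),
                })
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(parse_logins(VPN_LOGINS)):
        print(alert)
```

Two practical notes. First, corporate egress and mobile carriers can geolocate badly, so a production rule usually allow-lists known office ranges and tunes the thresholds per source type rather than alerting on raw distance alone. Second, the check only sees logins; pairing it with the performance metrics mentioned above (session counts, tunnel throughput) from the same SIEM gives one place to investigate both a capacity incident and a suspicious session.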

SIEM correlation rules will get a dedicated post soon; the topic is so vast that it would make this blog post far too long to read.

Conclusion

As you can see, Virtual Private Networks are very useful but tricky if you miss some key aspects. I have read that with the COVID-19 situation, and most companies having employees working from home, there have been lots of connectivity issues, most of which could have been avoided with MFA user authentication, correct sizing, and monitoring. I would love to know your thoughts in the comments.

Stay safe!

Credits | First photo in the post by Joseph Gruenthal on Unsplash
