Two groundswells are combining to drive the rise in Virtual Private Networks (VPNs) for corporate access. The first is the plethora of new devices, iPhones and iPads in particular. This is called the consumerization of IT: employees purchasing and maintaining their own devices and using them to connect to corporate IT assets. The second is the rise in cloud services that are accessed from these mobile devices. Securely connecting the devices to the enterprise and to critical cloud apps has given new life to the VPN space.
Virtual Private Networks come in two flavors, SSL and IPSec. SSL VPNs have risen in popularity because they usually do not require the installation and maintenance of separate certificates for encryption; the user's browser or client software already has that capability. IPSec, while offering better control and arguably better security, requires a special VPN client with a signed digital certificate, so the deployment and management burden is much higher.
SSL VPNs allow any authorized user to connect to a web-based application behind the corporate firewall, most commonly email (Outlook Web Access) or Microsoft SharePoint. The traffic is encrypted from the browser to the SSL gateway. Behind the gateway the traffic crosses the corporate network unencrypted.
IPSec VPNs are encrypted network tunnels. They are usually established between the endpoint device clients and a VPN concentrator at headquarters, but additional capability is possible, including tunneling all the way through to a separate network device or even a server within the organization.
The most daunting challenge presented by any VPN is that the corporate network has been extended to endpoint devices that are not completely controlled by IT staff. This exposes several vulnerabilities:
- Endpoint compromise. There are millions of devices, including those used exclusively for professional purposes, that are infected with Remote Access Trojans (RATs). This type of malware gives an attacker complete control over a PC, laptop, or even smart phone. In other words, whatever the employee can do, the attacker can do.
- Employee abuse. Insiders have been responsible for some of the most damaging breaches in recent history. Without the fear of a supervisor looking over their shoulder, an insider connected via VPN may feel more comfortable exploring corporate resources and absconding with intellectual property from the comfort of their home.
- Enrollment and revocation pose a particular problem for granting access to corporate networks from remote endpoints. A user that has been granted access might still be able to log back in to the network even after they have been terminated and their local access privileges revoked.
- A lost or stolen device may be used to access the corporate network.
- Increased latency and slow performance from mobile devices can be caused by the encryption overhead and connection establishment.
Fighting endpoint compromise has been a challenge for VPN access. The most common solution today is to require IPSec VPNs and then have the client software enforce a policy that includes having a firewall turned on on the remote device as well as up-to-date anti-malware software. While today this is a step in the right direction, there are long-term issues with relying on a client to report its own state. Sophisticated attackers will simply report the expected state (spoofing) even though they have installed a RAT and turned off the local firewall.
Sandboxing is a powerful way to limit the trust an employer must extend to employee devices. The client software is segregated from the rest of the OS on the mobile device (or home PC) so that malware residing on that device has no visibility into the corporate data that the client sees via the VPN.
Because a VPN grants access to critical corporate data, it is important to use strong authentication, usually defined as two-factor, which in turn is most commonly "something you know" (your user ID and password) and "something you have." Many organizations rely on two-factor authentication to accomplish this. A separate one-time-password token is used to initiate the authentication that establishes the VPN.
End user abuse of corporate data must be addressed with monitoring. A well-publicized policy should tell employees that their activity is monitored, and technology that ties application and network usage to employee identities should be deployed.
Using the mobile device itself as the “something you have” is becoming a common practice for authentication in general. It is always with you and the authentication service can communicate with it “out of band” – over the cell network instead of the Internet. Incorporating the device identity into the VPN access strategy accomplishes this. The SIM card on a mobile device, or the Trusted Platform Module – a special chip on most Windows platforms, can uniquely identify the device. In this way stolen VPN credentials (digital certificates) cannot be used unless the device is also stolen. Luckily, end users know and report stolen laptops, smart phones, and tablets so the window of exposure is short and the VPN management system can be used to revoke that device’s access privileges.
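The two preceding paragraphs describe three pieces that a VPN gateway's authentication step has to tie together: the password, the one-time code from the "something you have" factor, and the identity of the enrolled device, plus the central revocation that cuts off a terminated user (the enrollment problem listed earlier) or a reported-stolen device. The following is an added example written for this page, not code from the original article or from any VPN product. The HOTP/TOTP routines follow RFC 4226 and RFC 6238 and are checked against the test vectors published there; the `Enrollment` record, the directory, the fixed salt and the SIM-style device identifier are all constructed assumptions.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

STEP = 30  # TOTP time step in seconds (RFC 6238 default)
SALT = b"constructed-fixed-salt"  # a real directory stores a random per-user salt

@dataclass
class Enrollment:
    """Hypothetical directory record: binds a user to a password hash, an OTP
    secret and the single device identity enrolled for VPN use."""
    password_hash: bytes
    otp_secret: bytes
    device_id: str      # e.g. a SIM- or TPM-derived identifier (constructed here)
    revoked: bool = False

def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a leaked directory does not leak passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, unix_time // STEP, digits)

def verify_vpn_login(directory, user, password, otp, device_id, unix_time, skew_steps=1):
    """Return (accepted, audit_reason). Something you know (password), something
    you have (TOTP code) and the enrolled device identity must all check out.
    The reason is for the gateway's audit log only; the client should see a
    single generic failure so the checks cannot be probed one at a time."""
    rec = directory.get(user)
    if rec is None or rec.revoked:
        return False, "unknown or revoked enrollment"
    if not hmac.compare_digest(hash_password(password, SALT), rec.password_hash):
        return False, "password mismatch"
    if not hmac.compare_digest(device_id, rec.device_id):
        return False, "device not enrolled for this user"
    # Accept the current step and +/- skew_steps neighbours to tolerate clock drift.
    candidates = [totp(rec.otp_secret, unix_time + d * STEP)
                  for d in range(-skew_steps, skew_steps + 1)]
    if not any(hmac.compare_digest(c, otp) for c in candidates):
        return False, "one-time code mismatch"
    return True, "ok"

def revoke_user(directory, user):
    """Offboarding: the enrollment is revoked centrally, so remote logins stop
    even though the former employee still holds the device and its credentials."""
    if user in directory:
        directory[user].revoked = True

def report_device_stolen(directory, device_id):
    """A reported stolen device is revoked for every user enrolled with it."""
    for rec in directory.values():
        if rec.device_id == device_id:
            rec.revoked = True

# Constructed sample data: the RFC 4226/6238 test secret and one enrolled user.
TEST_SECRET = b"12345678901234567890"
ALICE_DEVICE = "sim-constructed-0001"
DIRECTORY = {
    "alice": Enrollment(hash_password("correct horse", SALT), TEST_SECRET, ALICE_DEVICE),
}

if __name__ == "__main__":
    now = 59                      # RFC 6238 test time; TOTP code is 287082
    code = totp(TEST_SECRET, now)
    print(verify_vpn_login(DIRECTORY, "alice", "correct horse", code, ALICE_DEVICE, now))
    print(verify_vpn_login(DIRECTORY, "alice", "correct horse", code, "sim-other", now))
    revoke_user(DIRECTORY, "alice")
    print(verify_vpn_login(DIRECTORY, "alice", "correct horse", code, ALICE_DEVICE, now))
```

The device check is what makes a copied password and OTP seed useless on their own, which is the point of the paragraph above; the revocation helpers are what close the window after a termination or a theft report. A real gateway would also rate-limit failures and remember the last accepted TOTP counter so a code cannot be replayed within its validity window.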
VPNs, either via SSL or IPSec, are an enabling technology that extends the corporate network to mobile users and protects connections to cloud applications. Robust VPN technology that can handle peak access loads, is easy to manage, and is lightweight enough to avoid adding too much latency will enhance productivity while maintaining a secure computing environment.