This article discusses what a VPN is, why it is necessary, which features a good VPN should have, and how to further lock down your VPN.
What is a VPN? A VPN (virtual private network) creates a private communications channel tunneled over the public Internet. It is a way to secure communications across the Internet so that your traffic is not completely open and travels through an encrypted channel. In short, it is a point-to-point connection between a user's computer and the company's servers/domain environment.
Why is it necessary? Any corporate network should have a VPN to protect company assets. Remote users can connect from the outside into your corporate network through the tunnel, so the company is not exposed to attacks from untrusted network traffic and internal services need not be opened directly to the Internet. It is considered a necessity in most corporate network environments.
What are some good features to have?
Support for strong authentication, strong encryption algorithms, support for anti-virus software and intrusion detection and prevention tools, strong default security for administration and maintenance ports, digital certificate support, logging and auditing support, and the ability to assign addresses to clients on a private network while ensuring all addresses are kept private. A kill switch is also very useful: if the VPN connection is lost, the Internet connection is dropped and the applications in use are shut down as a precaution, so no traffic leaks outside the tunnel.
How to further lock down the VPN? Most Layer 7/Next Generation/Application Level Firewalls such as Palo Alto, Fortinet, and Check Point have a built-in VPN solution. The advantage of implementing a firewall-based VPN is that you can force other security features into the solution. For example, you can create a gateway where the user's remote machine is scanned to see whether it has a software firewall, up-to-date antivirus with recent scans, and up-to-date Windows and Microsoft patches on the operating system; if the machine fails any of these checks it can be blocked from connecting to the VPN tunnel.
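The gateway-side decision described above can be expressed as a small fail-closed policy. The following is an added example, not code from the article or from any firewall vendor: the posture report format, field names and thresholds are assumptions chosen for illustration, and the checks mirror the ones the paragraph lists (host firewall, antivirus with current signatures and a recent scan, operating system patch level).

```python
"""Gateway-side evaluation of an endpoint posture report before a VPN tunnel
is allowed. Added example with an assumed report format; no vendor API."""
from datetime import date

# Policy thresholds (assumed values for illustration).
MAX_SIGNATURE_AGE_DAYS = 3   # antivirus definitions at most 3 days old
MAX_SCAN_AGE_DAYS = 7        # last full antivirus scan within a week
MAX_PATCH_AGE_DAYS = 30      # last OS security update within a month


def _fresh(value, today, max_days):
    """True only when value is a valid ISO date, not in the future, and at
    most max_days old. Missing or malformed fields are treated as failures."""
    try:
        age = (today - date.fromisoformat(value)).days
    except (TypeError, ValueError):
        return False
    return 0 <= age <= max_days


def evaluate_posture(report, today=None):
    """Return (allowed, reasons). Every check fails closed: an agent that
    reports nothing, or reports garbage, is denied with an explanation."""
    today = today or date.today()
    reasons = []

    if report.get("firewall_enabled") is not True:
        reasons.append("host firewall not enabled")

    av = report.get("antivirus") or {}
    if av.get("running") is not True:
        reasons.append("antivirus not running")
    if not _fresh(av.get("signatures_date"), today, MAX_SIGNATURE_AGE_DAYS):
        reasons.append("antivirus signatures missing or stale")
    if not _fresh(av.get("last_full_scan"), today, MAX_SCAN_AGE_DAYS):
        reasons.append("no recent full antivirus scan")

    if not _fresh(report.get("last_security_update"), today, MAX_PATCH_AGE_DAYS):
        reasons.append("operating system patches out of date")

    return (not reasons, reasons)


# Constructed sample reports (not real telemetry).
COMPLIANT = {
    "firewall_enabled": True,
    "antivirus": {"running": True, "signatures_date": "2024-06-14",
                  "last_full_scan": "2024-06-10"},
    "last_security_update": "2024-06-01",
}
NONCOMPLIANT = {
    "firewall_enabled": False,
    "antivirus": {"running": True, "signatures_date": "2024-05-01"},
    "last_security_update": "2024-03-01",
}

if __name__ == "__main__":
    today = date(2024, 6, 15)  # fixed date so the sample output is stable
    for name, rep in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        allowed, reasons = evaluate_posture(rep, today)
        print(name, "->", "ALLOW" if allowed else "DENY", reasons)
```

The report would come from the vendor's endpoint agent in practice; the point of the example is the fail-closed shape of the decision, where an absent or future-dated field is never interpreted as a pass.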
Another way to improve VPN security is through perfect forward secrecy (PFS). If PFS is used, the keys of past VPN sessions cannot be recovered in the event that the long-term secret keys or passwords are later compromised.
With PFS, each VPN session uses a different encryption key combination, so in the worst-case scenario where attackers compromise one key they cannot decrypt or intercept the other VPN connections/sessions. L2 Tunneling Protocol with IPsec using IKEv2 for secure key exchange is considered the most secure type of implementation. IKEv2 natively supports PFS.
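To make the property concrete, here is an added toy model (not from the article, and not a real IKE implementation) that contrasts a session key derived from a long-term pre-shared secret with one derived from a per-session ephemeral Diffie-Hellman exchange, which is the role the Diffie-Hellman exchange plays in IKEv2. A passive recorder who later obtains the long-term secret is replayed against both transcripts. The group parameters (the Mersenne prime 2**127 - 1, generator 2) and the pre-shared secret are constructed for the demonstration and are far too small for real use.

```python
"""Toy model of perfect forward secrecy. Added example; constructed parameters.

static mode    - session key = KDF(long-term secret, public nonces); no PFS.
ephemeral mode - fresh Diffie-Hellman exponents per session, discarded after
                 use; the long-term secret only authenticates the public
                 values (HMAC tags); PFS.
"""
import hashlib
import hmac
import secrets

# Constructed toy group (too small for real deployments, which use e.g.
# RFC 3526 MODP groups or elliptic-curve groups).
P = (1 << 127) - 1
G = 2
LONG_TERM_SECRET = b"constructed-long-term-psk"  # shared by client and gateway


def kdf(*parts: bytes) -> bytes:
    """Derive a 32-byte session key from the given key material."""
    return hashlib.sha256(b"|".join(parts)).digest()


def _tag(secret: bytes, public_value: int) -> bytes:
    """Authenticate a DH public value (fits in 16 bytes since it is < P)."""
    return hmac.new(secret, public_value.to_bytes(16, "big"), hashlib.sha256).digest()


def static_session(nonce_client: bytes, nonce_gateway: bytes):
    """No PFS: the key depends only on the long-term secret and public nonces."""
    key = kdf(LONG_TERM_SECRET, nonce_client, nonce_gateway)
    transcript = {"nonce_client": nonce_client, "nonce_gateway": nonce_gateway}
    return key, transcript


def ephemeral_session():
    """PFS: fresh exponents per session; only public values and tags hit the wire."""
    x = secrets.randbelow(P - 2) + 1   # client's ephemeral private exponent
    y = secrets.randbelow(P - 2) + 1   # gateway's ephemeral private exponent
    pub_client, pub_gateway = pow(G, x, P), pow(G, y, P)
    transcript = {
        "pub_client": pub_client, "tag_client": _tag(LONG_TERM_SECRET, pub_client),
        "pub_gateway": pub_gateway, "tag_gateway": _tag(LONG_TERM_SECRET, pub_gateway),
    }
    # Each side verifies the peer's tag before trusting the public value.
    assert hmac.compare_digest(transcript["tag_gateway"], _tag(LONG_TERM_SECRET, pub_gateway))
    assert hmac.compare_digest(transcript["tag_client"], _tag(LONG_TERM_SECRET, pub_client))
    client_key = kdf(pow(pub_gateway, x, P).to_bytes(16, "big"))
    gateway_key = kdf(pow(pub_client, y, P).to_bytes(16, "big"))
    del x, y   # ephemeral exponents are discarded once the session key exists
    return client_key, gateway_key, transcript


def recover_static(transcript, leaked_secret: bytes) -> bytes:
    """A recorder holding the leaked long-term secret rebuilds the static key exactly."""
    return kdf(leaked_secret, transcript["nonce_client"], transcript["nonce_gateway"])


def recover_ephemeral(transcript, leaked_secret: bytes) -> bytes:
    """Best effort with the recorded public values plus the leaked secret: the
    recorder can re-verify the tags (learning who spoke), but the shared DH
    secret needs an exponent that was never transmitted and no longer exists,
    so any key it derives from what it holds will not match the session key."""
    assert hmac.compare_digest(transcript["tag_client"], _tag(leaked_secret, transcript["pub_client"]))
    return kdf(leaked_secret,
               transcript["pub_client"].to_bytes(16, "big"),
               transcript["pub_gateway"].to_bytes(16, "big"))


if __name__ == "__main__":
    key, t = static_session(b"client-nonce", b"gateway-nonce")
    print("static key recovered after leak:", recover_static(t, LONG_TERM_SECRET) == key)
    ck, gk, t2 = ephemeral_session()
    print("ephemeral peers agree:", ck == gk)
    print("ephemeral key recovered after leak:", recover_ephemeral(t2, LONG_TERM_SECRET) == ck)
```

Running it prints True, True, False: the static transcript gives up its key to anyone who later learns the pre-shared secret, whereas the ephemeral transcript only lets the recorder confirm the tags. This is why a PFS deployment should also rekey regularly, so that each session key protects only a bounded amount of traffic.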