Do's and Don'ts When Providing Remote Workers With VPNs

By | | Categories: Security, remote work

Businesses of all sizes are now having to outfit their employees with remote connectivity solutions. The most commonly used solution for remote access back to a centralized network is through the use of a VPN.

How you choose to set up and configure that VPN is very important in determining how secure that VPN will be. So, today I’m here to help you make sure that you are setting everything up in the most secure way possible.

Choosing a VPN Solution

You’ll have a couple of options when selecting your VPN solution if you haven’t done so already. The first question you’ll have to ask yourself is if you want to go with a hardware or software-based VPN.

To help you make that determination, you can review our article that breaks down the differences and helps point you to situations where one might be preferable to the other.

Normally, companies that provide their employees with VPNs to use when working from home have the benefit of being able to have their centralized IT support teams, or outsourced IT provider, configure and install the VPN to ensure it works properly with the devices and operating systems that employees will be using for remote work. 

The current situation with COVID-19 has disrupted that by preventing in-person IT support from taking place in most instances. For this reason, it’s worth considering purchasing hardware VPNs for employees, particularly if they'll be using their own devices. 

The benefits that set Attila’s hardware-based VPN apart from software VPNs include:

  • No software is required for end user devices. This makes it very simple to connect both employer-provided devices and personal devices alike.
  • Centralized maintenance and management is much less involved. For the most part, once initial installation and setup of the server-side software is complete (usually in as little as 10 minutes), there isn’t much to worry about.
  • No software compatibility concerns. No software to install means no concerns about device operating systems, patches, updates or application versions.
  • Firewalling and isolation. The end user devices connected through our GoSilent Cube never actually touch the networks they connect to, and are completely protected (and hidden) from them.
  • Smaller attack surface. Because the end user device is completely obfuscated from the network, the applications and operating system (OS) on that device no longer offer an attack surface. The new attack surface would be GoSilent’s purpose built firmware, which has a much smaller footprint than any traditional OS.
  • Lower risk of “VPN hijacking.” Because the end user device is completely obfuscated from the network, it is much more difficult to steal VPN credentials from the device.
  • Greater control over where traffic is sent. A hardware-based VPN can be configured to only allow traffic to flow to a single endpoint.
  • Potential to connect multiple devices. With GoSilent, it is possible to use it as a Wi-Fi hotspot and protect multiple end user devices (like a mobile phone, laptop and tablet) all at the same time.

Setting your VPN up properly

Whether you are in the middle of a pandemic, or just allowing remote work for business-as-usual circumstances, you should make sure your VPN is set up to keep your network and data as secure as possible.

Regardless of whether you choose to implement a software or hardware-based VPN, there are a few important things to always keep in mind when configuring your solution.

Enable multi-factor authentication

Ideally, you’ll want to choose a solution that allows for multi-factor authentication. Most VPN solutions on the market today will provide this out of the box.

Two-Factor Authentication (2FA) adds an additional layer of security to login entry points by providing a second proof point, beyond just knowing a password, that you are who you say you are. 

This second factor can range from a simple temporary code sent to a mobile device, to a biometric identifier (like a fingerprint). You’ll want to have this set up for any application or device that handles or transmits sensitive data for your organization.

Control VPN traffic

Your VPN should be set up to automatically connect when an internet connection is detected. This prevents any traffic from accidentally entering the open internet.

Most VPNs should allow you to disable split tunneling to ensure all VPN traffic goes through the corporate network. This reduces the chances of misconfiguration where corporate traffic accidentally traverses over the open internet, exposing it to compromise by malicious actors. 

If your corporate network can’t handle all the VPN traffic (due to bandwidth or VPN server throughput), you may want to look into cloud-based zero trust solutions like Zscaler.

Keep software up to date

If you choose to use a software-based VPN, you’ll need to ensure that not only is your VPN software up to date, but all applications and operating systems on the end user device are up to date as well.

Because the entire device is visible to the network when using a software-based VPN, any lapse in security updates or patches creates an attack surface through which the VPN, and ultimately the corporate network, could be compromised.

Use appropriate cryptography standards

At minimum, your VPN should use AES256 and SHA256 for encrypting data sent across the VPN. If your solution employs RSA cryptography, make sure it’s at least RSA 3072.

Cloud data

Keep in mind that a VPN won’t do much to protect your data if it is in the cloud, especially a Software as a Service (SaaS) solution. Cloud-based systems will each have their own level of security standards to be aware of.

VPN traffic is meant to protect information going back and forth between a centralized network and remote endpoint, rather than data stored in a cloud-based system.

Set user expectations

First and foremost, make sure your users have been properly trained on how to use your selected VPN solution. The more training that is required, the more likely that people will make mistakes. So, employing a simple, easy-to-use solution will significantly reduce the risk of user error.

Set clear expectations with your users on VPN performance, whether it’s “it will take X minutes to connect” or “it might be slower during peak hours” if budgets are constrained and a more performant VPN server is not an option. This should help to reduce frustration and will prevent unnecessary support calls.

Limit access levels

Follow the principle of least privilege where you limit access rights for users to the bare minimum they need to perform their work.

Create user groups and organize users by role to make this easier. Create access controls or firewall rules to limit the data or network components users can access as their role necessitates. 

Limit overall VPN access

If you know users will only access the VPN during certain hours, configure the VPN server to only allow access from those users during those hours.

If the VPN server is not on, there is no way for someone to misuse it or access the network that shouldn’t be able to.

Final thoughts

Finding a way to balance convenience and hyperconnected access with security is always a tight line to walk, but it is absolutely possible to satisfy both needs simultaneously.

Learn more about how to set your organization up for secure remote work in an era of COVID-19 and beyond with our full guide.

Click here to read the secure remote work guide

subscribe_to_blog

Subscribe me to: