VPN security: What you need to know to protect your company

How secure are VPN connections? VPN expert John Pescatore answers your inquiries on centralized virus control, the threat of hackers, and PKI.

VPN technology is being billed as the security answer for remote users and offices. But when we asked you what you wanted to know about this technology, we learned security was your top concern.

Among the issues you raised: Are VPNs really secure? And if so, what’s all this about Microsoft being hacked?

We discussed your questions with John Pescatore, a Gartner analyst who specializes in VPN security. In this article, he explains the security issues you should consider when implementing a VPN solution.
In the first installment, Gartner security analyst John Pescatore discussed how VPNs work and how businesses can use them. He also examined reliability issues and answered questions from several TechRepublic members.
TechRepublic: How secure are VPN connections?
Pescatore: There are two aspects. One is how secure is the encryption. With the newer standards today using 128-bit encryption, they’re very secure. VPNs would take thousands of computers thousands of days to break through.
The second aspect is how sure you are that you know whom you’re talking to. How strong is the authentication of the person on the other end of the connection? That’s the part that’s only as strong as your key management approach. If you give out keys to everybody and don’t do it very securely and a bad guy can get one of the keys, he can decrypt all the traffic on the VPN.

Sponsored by
NetScreen is the exclusive sponsor of TechRepublic's special series on VPNs and Firewalls. For more information, check out TechRepublic's VPN and Firewall Center, or visit NetScreen's website.

TechRepublic: Does all VPN technology use PKI?
Pescatore: It doesn’t have to. Virtual private networks do use encryption, but they don’t have to use public keys. One way to do it is to give everybody who’s going to participate in the VPN the same secret key to load into their PC. That way, you don’t need PKI. Without using PKI, you have to do what’s called shared secret, where everybody shares the same secret key. That’s not always easy. Somehow, you’ve got to securely get this key to say, 50 people. What happens if one of them loses the key and you have to get everybody all new keys?
PKI allows you to manage the keys. It gives you the mechanisms to distribute the keys securely online and to replace just one user’s key if it’s compromised. So you can do without PKI, but if you have lots of users and the users change a lot, PKI is going to provide a much more effective management approach to managing the security of a VPN.
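
The two key-management approaches Pescatore contrasts can be modelled in a few dozen lines. The following Python is an added example written for this article, not code from Gartner or TechRepublic. It uses only the standard library; the HMAC-SHA256 keystream cipher stands in for "encryption with a key" and is not IPSec, and individual per-user symmetric keys issued by a central authority stand in for PKI certificates so that no crypto library is needed. The user names and the "payroll export" message are constructed. It shows the two points made in the answer: with a shared secret, a key taken from any one PC decrypts every user's traffic, and replacing it means re-issuing a key to everybody; with per-user keys, a stolen key reads only that user's tunnel, and revoking it is a single entry on a revocation list.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Set


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher for illustration only: XOR the data with successive
    HMAC-SHA256(key, nonce || block_counter) blocks. Encrypting and decrypting
    are the same operation. Not IPSec and not for real use."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt with a fresh random nonce; the nonce is sent in the clear."""
    nonce = secrets.token_bytes(12)
    return nonce + keystream_xor(key, nonce, plaintext)


def open_with(key: bytes, blob: bytes) -> bytes:
    """Decrypt a blob produced by seal(); the wrong key yields garbage, not an error."""
    return keystream_xor(key, blob[:12], blob[12:])


class SharedSecretVpn:
    """Model of the 'shared secret' setup: one key loaded into every PC."""

    def __init__(self, users: Iterable[str]) -> None:
        self.users: Set[str] = set(users)
        self.secret = secrets.token_bytes(32)

    def key_for(self, user: str) -> bytes:
        if user not in self.users:
            raise PermissionError(user)
        return self.secret  # identical for every user

    def revoke(self, user: str) -> Set[str]:
        """Drop a user whose key copy was lost or stolen. Because the secret is
        shared, it must be replaced, and every remaining user needs the new one
        delivered securely; the returned set is who must receive a fresh key."""
        self.users.discard(user)
        self.secret = secrets.token_bytes(32)
        return set(self.users)


class PerUserKeyVpn:
    """Model of the PKI-style setup (assumption: per-user symmetric keys issued by
    a central authority stand in for certificates). Each user has an individual
    key; the gateway keeps a key table plus a revocation list."""

    def __init__(self, users: Iterable[str]) -> None:
        self.keys: Dict[str, bytes] = {u: secrets.token_bytes(32) for u in users}
        self.revoked: Set[str] = set()

    def key_for(self, user: str) -> bytes:
        if user in self.revoked or user not in self.keys:
            raise PermissionError(user)
        return self.keys[user]

    def revoke(self, user: str) -> Set[str]:
        """One entry on the revocation list; nobody else's key changes, so no
        new key has to be distributed to anyone."""
        self.revoked.add(user)
        return set()


def stolen_key_reads_traffic(vpn, victim: str, thief: str, message: bytes) -> bool:
    """Does a key copied from `thief`'s PC decrypt `victim`'s tunnel traffic?"""
    blob = seal(vpn.key_for(victim), message)
    return open_with(vpn.key_for(thief), blob) == message


if __name__ == "__main__":
    # Constructed sample population: three users, one of whom loses a laptop.
    shared = SharedSecretVpn(["alice", "bob", "mallory"])
    per_user = PerUserKeyVpn(["alice", "bob", "mallory"])
    print("shared secret: stolen key reads alice's traffic:",
          stolen_key_reads_traffic(shared, "alice", "mallory", b"payroll export"))
    print("per-user keys: stolen key reads alice's traffic:",
          stolen_key_reads_traffic(per_user, "alice", "mallory", b"payroll export"))
    print("shared secret: users needing a new key after revoking mallory:", shared.revoke("mallory"))
    print("per-user keys: users needing a new key after revoking mallory:", per_user.revoke("mallory"))
```

The cost that scales is the return value of `revoke`: for the shared secret it is every remaining user (the "get everybody all new keys" problem for 50 people), for the per-user scheme it is empty. Real PKI adds what this model omits, namely that the authority distributes only public material, so the secure out-of-band delivery step disappears as well.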
TechRepublic: Are some solutions more secure than others?
Pescatore: Typically, the security of the WAN replacement type VPN boxes is pretty much identical. When you start looking at the remote access VPNs, that’s where you see differences in security. [For a description of these VPN types, see the first article in this series, “The how, what, and when of VPN: You asked the questions, we found the answers.”]
I mentioned that PKI is one way to make them more secure; better key management. On authentication, how do you know who’s on each end? The organizations who require some form of smart card or hardware token for users to connect to the VPN are more secure.
For many years, Gartner has recommended to clients that allow dial-up remote access that they use things like SecurID cards so they have strong authentication of who's dialing in; it can't just be some hacker who guessed the password. He'd have to have one of these cards as well as the password.
Doing the same thing on a remote access VPN makes it much more secure. Strong authentication: smart cards, hardware tokens. And the second thing is that [the VPN solution] is using at least 128-bit encryption.
The third measure is really not an issue today since most products do this, but companies should be using standard protocols, and the standard today for VPNs is IPSec. [For more on how IPSec works, see John McCormick’s column “IPSec and L2TP lead the Windows 2000 security lineup.”]

TechRepublic: Have there been incidents of VPNs being hacked?
Pescatore: No. Well, of somebody breaking the encryption other than academic exercises, no. Of somebody guessing the password and connecting, yes.
Another issue we warn people about is a remote access VPN where I’m on my PC, I connect to the Internet, then I start up this VPN that connects to Gartner over the Internet. What if—while I’m connected to Gartner over this nice secure VPN connection—somebody over the Internet could hack into my PC and then come through the VPN tunnel right into Gartner? We tell our clients if you’re going to allow computers to connect to the Internet directly and to run VPNs, you should be looking at personal firewalls.

TechRepublic: Is that what happened to Microsoft?
Pescatore: It was slightly different at Microsoft; they hacked into the employee’s home PC while it was directly connected to the Internet, when the employee’s home PC was serving the Internet. And then, the employee started up the VPN and connected in and infected lots of other things at Microsoft. So that wasn’t really what happened to Microsoft, but it has happened to other clients we’re aware of.
TechRepublic: Can companies control viruses through a central server when using VPN?
Pescatore: The typical way that’s done is that the VPN server on the enterprise side is outside the antiviral protection, so anything coming off the VPN, any files or e-mail, is still going to go through server-side antiviral scanning.

TechRepublic: Is that effective?
Pescatore: Ninety percent of viruses come through e-mail. So you still have your antiviral scanning on your e-mail gateway, and that’s the most effective approach. All the decryption of the VPN should be done ahead of the e-mail server anyway. It’s a case of where on your network do you place your VPN server. You should place it so that it decrypts and then provides the unencrypted traffic to the virus-scanning gateway.

TechRepublic: TechRepublic member Guy Budding said his company uses the VPN, but only for e-mail. They want to expand to other applications but are concerned about security and bandwidth. The company also wants to be able to use single sign-on as well. He considered using PKI but found it too complex. He wondered what his options are for security.
Pescatore: First off, the security would be fine if they’re using strong IPSec with 128-bit encryption. Really, for VPNs, there’s no way to do single sign-on without doing one of two things. For VPNs, you need to go to PKI or you need to go to hardware tokens, like SecurID cards from RSA Security, and that can give you what we would call reduced sign-on. It’ll give you consolidated sign-on to many of your applications, but probably not all of them.
Before you decide if you need a VPN or need to expand a remote access VPN, look at what applications your users will be running. Think of the typical corporate user’s PC or laptop. To connect to the office, what do users need to be able to do? They need to do e-mail. They need to maybe access the intranet, maybe some internal systems. Maybe they need to do Lotus Notes; maybe they need to do a couple of other applications. If the users have a number of applications, VPNs are the way to go.
But if it turns out your users are only using a Web browser—to get the e-mail they use the Outlook Web Access client or the iNotes browser client, and they use the browser to get to the intranet—you don’t need a VPN. You can just use the security mechanism built into the Web browser and the Web server, in which case there are a number of single sign-on solutions. We call them extranet access management products, from companies like Netegrity, Securant, Oblix, OpenNetwork Technologies, and others, and they provide you single sign-on for all browser-based applications.
If you use VPNs, will you put firewalls on all employees’ home PCs or work laptops?