Before implementing a VPN there is a lot of work
to be done. Fortunately, this article will make that work easier. Just like you
don’t go out and implement a new enterprise application without proper design,
planning, testing, analysis, and documentation, you don’t implement a new
company VPN without this type of proper planning. Part of this proper planning
and documentation is a VPN security policy.
What is a VPN security policy?
A VPN security policy is the document that defines
just about everything anyone needs to know about your VPN: who can use it,
what they can use it for, and what keeps them from using it improperly or
maliciously.
What goes in your security policy?
To create a good VPN security policy, you should
document the answers to the following questions. Some of these questions you
can answer yourself while others will be answered in conjunction with your
What kind of VPN will this be?
Is this a group of remote users connecting to a
central site, or a site-to-site VPN between two offices? The answer to this
question shapes most of the questions that follow. If you have a group of
individual users with PCs or laptops and a software VPN client, you may not
have as much control over the endpoint as you would like. On the other hand,
if you have a group of computers connected through a hardware VPN device, you
have a great deal of control over what those users can do through that device.
Of course, some devices have more features and security than others.
Is split tunneling required?
Split tunneling is when a connected VPN client can reach BOTH the
unsecured network (its local LAN, or the Internet directly) AND the secured VPN
network at the same time. This is very insecure: the client becomes a bridge
between the two, so anything that compromises it from the unsecured side has a
route into your network. It is not recommended. So, if you are in control of how this
will work, you should find some way to disable split tunneling, if it is at all
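One practical way to check this policy item on a client, as an added example that is not part of the original article: parse the routing table and see whether the tunnel interface actually carries the default route. The two `ip route` listings below are constructed samples, the interface name tun0 is an assumption, and the pair of /1 routes in the second listing is what OpenVPN's `redirect-gateway def1` installs. A client whose default route still points at the LAN gateway is split-tunneled regardless of what the policy says.

```python
"""Detect split tunneling from a Linux routing table.

Added example (not from the original article). Parses `ip route` text output
and reports whether all traffic is forced through the VPN interface or whether
the client can still reach the unsecured network directly.
"""
import ipaddress
import re

# Constructed sample: a client with an OpenVPN tunnel that was NOT told to
# redirect the default gateway. Only 10.50/16 goes through tun0.
SPLIT_TUNNEL_TABLE = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
10.50.0.0/16 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""

# Constructed sample: the same client after the server pushes
# "redirect-gateway def1". OpenVPN adds 0.0.0.0/1 and 128.0.0.0/1 via the
# tunnel; being more specific than 0.0.0.0/0 they win over the LAN default.
FULL_TUNNEL_TABLE = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""

# "<dst> [via <gw>] dev <ifname> ..." is the shape of every route we care about.
_ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?:\s+via\s+\S+)?\s+dev\s+(?P<dev>\S+)")


def parse_routes(table: str):
    """Yield (destination network, device) pairs from `ip route` output."""
    for line in table.splitlines():
        m = _ROUTE_RE.match(line.strip())
        if not m:
            continue  # blackhole/unreachable entries and blank lines have no dev
        dst = m.group("dst")
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        yield net, m.group("dev")


def tunnel_covers_everything(table: str, tun_dev: str) -> bool:
    """True when the IPv4 routes bound to tun_dev add up to 0.0.0.0/0.

    The tunnel usually gets two /1 routes rather than one default route, so we
    collapse the prefixes instead of looking for the literal word "default".
    """
    tun_nets = [net for net, dev in parse_routes(table)
                if dev == tun_dev and net.version == 4]
    collapsed = list(ipaddress.collapse_addresses(tun_nets))
    return collapsed == [ipaddress.ip_network("0.0.0.0/0")]


def split_tunnel_enabled(table: str, tun_dev: str = "tun0") -> bool:
    """Policy check: a tunnel is up but does not carry the default route."""
    has_tunnel = any(dev == tun_dev for _, dev in parse_routes(table))
    return has_tunnel and not tunnel_covers_everything(table, tun_dev)


if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL_TABLE), ("full", FULL_TUNNEL_TABLE)):
        print(f"{name} tunnel table: split tunneling = {split_tunnel_enabled(table)}")
```

On a live client, feed the function the output of `ip route` (`subprocess.run(["ip", "route"], capture_output=True, text=True).stdout`) and use the result as one input to the posture check. Note that a client with no tunnel at all reports no split tunnel; that case is "not connected", which the VPN server already knows.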
Will a dedicated VPN concentrator be used on the server and client sides?
It would be ideal to use a dedicated VPN hardware
device on each side of the VPN tunnel but this is not always financially
possible or convenient for a roaming laptop user.
Along the same lines, will you have a dedicated
VPN server? It is always recommended to use a separate device for VPN connectivity vs the
What type of security requirements will you implement on the remote users
to connect to the VPN?
You want your remote users who are connecting to
your central network to have the same security measures in place as the regular
users in your office. Examples of security measures are:
- Client-side Firewall with up to date rules
- Anti-Virus software with up to date virus
- Up to date Windows or other application security
- Up to date VPN software client, used to connect to
Many of the more fully featured VPN hardware servers and VPN clients can
perform this kind of application and patch verification on the client before
it is let onto the network.
What will happen to users whose systems do not meet the security
Preferably, users’ systems
that do not meet the software security requirements (from the last question)
will be granted access to the VPN but sent to a VPN quarantine network where
all they can do is receive updates for their system. This feature is called
Will any sort of centralized authentication mechanism be used?
The simplest way to use centralized authentication
is a RADIUS server. RADIUS is a service that runs on a server with access to
all users in the domain (on a Windows network, typically a domain controller).
When a user attempts to connect, the VPN server contacts the RADIUS server,
which authenticates the user against the Windows domain username/password. The
VPN server and the RADIUS server share a secret that protects this exchange,
so choose a long, random one and keep RADIUS traffic on a trusted network. If
the user's username and password are correct AND that user has “dial-in”
access granted, they will be allowed access to the
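The message the VPN server sends in that exchange is a RADIUS Access-Request (RFC 2865). The following is an added example, not code from the article or from any RADIUS product: it builds and parses the request, including the User-Password hiding of RFC 2865 section 5.2, so you can see what a shared secret actually protects. The shared secret, user, password and NAS address are constructed values.

```python
"""Build and parse a RADIUS Access-Request (RFC 2865), PAP style.

Added example, not from the original article. The VPN server acts as the
RADIUS client (NAS); the RADIUS server reverses the password hiding with the
same shared secret and then checks the credentials against the domain.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT_TYPE = 61
NAS_PORT_TYPE_VIRTUAL = 5        # "Virtual": the value used for VPN sessions


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, then
    b1 = MD5(secret + RequestAuthenticator), c1 = p1 XOR b1,
    b2 = MD5(secret + c1),                   c2 = p2 XOR b2, ...
    Only the secret keeps this from being reversible by anyone on the wire."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = _xor(padded[i:i + 16], b)
        out, prev = out + c, c
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += _xor(hidden[i:i + 16], b)
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes, nas_ip: str, authenticator: bytes = None):
    """Return (packet, request authenticator). The authenticator is a fresh
    16-byte random value per request; reusing it weakens the password hiding."""
    authenticator = authenticator or os.urandom(16)
    attrs = (
        _attr(ATTR_USER_NAME, username.encode())
        + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
        + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
        + _attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL))
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def parse_packet(packet: bytes):
    """Parse header and attributes: (code, identifier, authenticator, {type: value})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, identifier, authenticator, attrs


def server_side_password(packet: bytes, secret: bytes) -> bytes:
    """What the RADIUS server recovers before checking it against the domain."""
    _, _, auth, attrs = parse_packet(packet)
    return reveal_password(attrs[ATTR_USER_PASSWORD], secret, auth)


if __name__ == "__main__":
    pkt, _ = build_access_request(7, "jdoe", "correct horse battery", b"s3cret", "10.0.0.5")
    print(len(pkt), "bytes;", server_side_password(pkt, b"s3cret"))
```

The hiding is MD5-keyed by the shared secret only, which is why the secret must be long and random and why RADIUS between the VPN server and the authentication server belongs on a trusted segment or inside its own IPsec or TLS tunnel.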
Once the user is authenticated, will there be any sort of user
authorization and accounting system?
Authorization is granting certain users or groups
of users access to certain “things”. Those “things” could be
networks, protocols, TCP port numbers, or servers. It could also involve only
allowing access from certain machines and for certain time periods.
Accounting is the logging of, in this case, what
the VPN user accesses, when they access it, and when they log off.
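The posture, quarantine, authorization and accounting questions above all become data once the policy is written. The block below is an added example (not text from the article or any vendor's product) that writes those answers down as policy tables and evaluates a connection and its traffic against them: failed posture puts the client in quarantine with access to update servers only, group membership decides networks, ports and hours, and every access attempt produces an accounting line. Group names, networks, ports, hours and the update-server addresses are constructed assumptions.

```python
"""Evaluate a VPN connection against the policy: posture, authorization, accounting.

Added example, not from the original article. Policy answers are data; the
functions apply them to one user and one flow at a time.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Minimum client posture (the "security requirements" question).
POSTURE_POLICY = {
    "require_firewall": True,
    "av_definitions_max_age_days": 3,
    "patch_max_age_days": 30,
    "min_vpn_client_version": (4, 2, 0),
}

# A rule is (destination network, allowed ports or None for any, allowed hours or None).
# Quarantine: only the update servers, only the ports the updates need.
QUARANTINE_RULES = [
    ("10.1.1.10/32", {80, 443}, None),   # anti-virus definition server (assumed)
    ("10.1.1.11/32", {8530}, None),      # patch server (assumed)
]

# Authorization by group.
GROUP_RULES = {
    "sales": [("10.20.0.0/24", {443}, (time(6, 0), time(22, 0)))],
    "it-ops": [("10.0.0.0/8", None, None)],          # any port, any hour
}


@dataclass
class Posture:
    firewall_enabled: bool
    av_definitions_age_days: int
    patch_age_days: int
    vpn_client_version: tuple


@dataclass
class Decision:
    verdict: str                                     # "allow", "quarantine" or "deny"
    reasons: list = field(default_factory=list)
    rules: list = field(default_factory=list)


def posture_failures(p: Posture) -> list:
    """Every way the client falls short of POSTURE_POLICY."""
    failures = []
    if POSTURE_POLICY["require_firewall"] and not p.firewall_enabled:
        failures.append("client firewall disabled")
    if p.av_definitions_age_days > POSTURE_POLICY["av_definitions_max_age_days"]:
        failures.append("anti-virus definitions out of date")
    if p.patch_age_days > POSTURE_POLICY["patch_max_age_days"]:
        failures.append("OS patches out of date")
    if p.vpn_client_version < POSTURE_POLICY["min_vpn_client_version"]:
        failures.append("VPN client too old")
    return failures


def decide(user: str, groups: list, posture: Posture) -> Decision:
    """Connect-time decision: failing posture is quarantined, not refused."""
    failures = posture_failures(posture)
    if failures:
        return Decision("quarantine", failures, QUARANTINE_RULES)
    rules = [r for g in groups for r in GROUP_RULES.get(g, [])]
    if not rules:
        return Decision("deny", [f"{user} is in no group with VPN access"])
    return Decision("allow", [], rules)


def authorized(decision: Decision, dst_ip: str, port: int, when: datetime) -> bool:
    """Per-flow authorization: destination, port and time of day must all match one rule."""
    addr = ip_address(dst_ip)
    for net, ports, hours in decision.rules:
        if addr not in ip_network(net):
            continue
        if ports is not None and port not in ports:
            continue
        if hours is not None and not (hours[0] <= when.time() <= hours[1]):
            continue
        return True
    return False


def accounting_record(user: str, decision: Decision, dst_ip: str, port: int,
                      when: datetime, allowed: bool) -> str:
    """Accounting: who accessed what, when, and whether it was permitted."""
    outcome = "permit" if allowed else "drop"
    return (f"{when.isoformat()} user={user} verdict={decision.verdict} "
            f"dst={dst_ip}:{port} result={outcome}")


if __name__ == "__main__":
    now = datetime(2024, 1, 8, 9, 30)
    d = decide("alice", ["sales"], Posture(True, 1, 10, (4, 3, 1)))
    ok = authorized(d, "10.20.0.15", 443, now)
    print(accounting_record("alice", d, "10.20.0.15", 443, now, ok))
```

The point of keeping the rules as data is that the policy document and the enforcement configuration can be reviewed side by side; when someone asks for an exception, it is a change to a table, not to code.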
Will any kind of two-factor authentication be used?
The downside of allowing any user who has a valid
username/password to access your network through an Internet VPN is that if a
malicious attacker obtains someone's username/password, they can get into your
network from anywhere in the world. A password alone gives no guarantee that
the person connecting is who they claim to be.
With two-factor authentication, the user is also
assigned something that is unique to them. There are a variety of ways to do
this but, many times, the user is issued a card or key fob with a display (and
sometimes a keypad). The user types a PIN and is given a randomly changing,
one-time password. This password is used to authenticate them after they enter
their username and password. If the user doesn't have the device that produces
their secondary authentication password, they won't be allowed access. The most
popular two-factor authentication mechanism of this kind is RSA SecurID.
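What the VPN or RADIUS side does with that secondary password, as an added example that is not code from the article or from RSA: SecurID's token algorithm is proprietary, so the open RFC 6238 TOTP scheme stands in for it here. It gives the property the paragraph describes, a short code derived from a per-user secret and the current time, so a stolen static password is not enough on its own. The secret is the RFC 6238 Appendix B test-vector secret; the PIN, salt and the "PIN followed by code" entry format are constructed assumptions.

```python
"""Verify a one-time password plus PIN, as the authentication server would.

Added example, not from the original article or any token vendor. RFC 6238
TOTP is used in place of a proprietary hardware-token algorithm.
"""
import hashlib
import hmac
import struct
import time

RFC6238_SECRET = b"12345678901234567890"          # RFC 6238 Appendix B test secret


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP (RFC 4226) with the counter set to the number of time steps."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, digestmod).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_otp(secret: bytes, submitted: str, unix_time: int, window: int = 1,
               step: int = 30, digits: int = 6) -> bool:
    """Accept the code for the current step or up to `window` steps either side
    (token clock drift). compare_digest keeps each comparison constant-time."""
    ok = False
    for k in range(-window, window + 1):
        expected = totp(secret, unix_time + k * step, step, digits)
        ok |= hmac.compare_digest(expected, submitted)
    return ok


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Store the PIN like a password: salted, slow hash, never in the clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def verify_pin_and_token(pin_hash: bytes, salt: bytes, secret: bytes,
                         submitted: str, unix_time: int, pin_len: int = 4) -> bool:
    """Two factors typed as one string: PIN (something known) then token code
    (something held). Both checks always run (non-short-circuit `&`) so a wrong
    PIN cannot be told apart from a wrong code by timing."""
    pin, code = submitted[:pin_len], submitted[pin_len:]
    pin_ok = hmac.compare_digest(hash_pin(pin, salt), pin_hash)
    return pin_ok & verify_otp(secret, code, unix_time)


if __name__ == "__main__":
    print("current code:", totp(RFC6238_SECRET, int(time.time())))
```

In production the secret per user lives in the authentication server, not in the VPN appliance, and a lockout after a handful of failed attempts matters as much as the algorithm: a six-digit code with a drift window of one step gives an attacker three guesses in a million per attempt, which is only safe if the attempts are rate-limited.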
What level of encryption will be used?
It is not recommended to use PPTP or 56-bit DES IPsec
for VPN connections: PPTP's MS-CHAP authentication has well-known weaknesses,
and a 56-bit DES key is small enough to brute-force. Use IPsec with 3DES
(168-bit key) at the very least; 3DES is itself now considered legacy, so
prefer 128-bit or 256-bit AES, if
Would it be possible to use an SSL VPN?
A strong choice for remote users is an SSL VPN (a VPN
carried over TLS). With an SSL VPN you do not put the client on the network as a
whole; you only allow connections to the individual IP addresses, ports, and
applications that the user has access to. SSL VPN is not supported by all
applications, so check your application list before choosing it.
What users will be allowed access to the VPN and why? Will these users be
in groups? Are there different groups for different levels of access?
This must be documented as it is a critical part
of your VPN security policy. Users cannot be doled out VPN access just for
asking. Accessing the VPN is a privilege and security risk. Network security
administrators must protect themselves from giving the wrong user access and
compromising system security.
What server IP addresses, ports, and applications will be allowed? Has this
been tested with a protocol analyzer?
Almost any VPN server will let you define which
IP addresses, ports, and applications may do what across the VPN. This is there to
protect your internal LAN from viruses and malicious attackers on the far end of
the VPN client. Once you know the IP addresses and ports, verify them by
capturing real traffic with a protocol analyzer like Ethereal (now Wireshark);
what an application actually uses is often more than what its documentation says.
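Once you have a capture, the useful step is to compare what was actually seen with what the policy allows. The block below is an added example, not from the article: the allowlist is a constructed version of the "server IP addresses, ports and applications" answer, and the flow records are a constructed conversation export of the kind a protocol analyzer (Ethereal/Wireshark, or tshark on the command line) can produce as CSV. Every flow from the VPN client pool that the allowlist does not cover is either a filter that needs tightening or an application requirement the policy missed.

```python
"""Audit observed VPN traffic against the documented allowlist.

Added example, not from the original article. Reads a conversation export
(constructed CSV below) and reports flows from VPN clients that the policy
does not permit.
"""
import csv
import io
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed policy: what VPN clients may reach, as (network, protocol, ports).
ALLOWLIST = [
    ("10.20.0.10/32", "tcp", {443}),     # intranet web server
    ("10.20.0.20/32", "tcp", {445}),     # file server
    ("10.20.0.5/32", "udp", {53}),       # internal DNS
    ("10.20.0.5/32", "tcp", {53}),
]

# Constructed export: one row per conversation seen while a user worked over the VPN.
SAMPLE_FLOWS = """\
src,dst,proto,dport,packets
10.8.0.6,10.20.0.10,tcp,443,412
10.8.0.6,10.20.0.5,udp,53,18
10.8.0.6,10.20.0.20,tcp,445,980
10.8.0.6,10.20.0.20,tcp,3389,57
10.8.0.6,10.20.0.30,tcp,1433,21
10.8.0.6,10.20.0.10,tcp,80,3
192.168.1.50,10.20.0.30,tcp,1433,5
"""


def permitted(dst: str, proto: str, dport: int) -> bool:
    """True if some allowlist entry covers this destination, protocol and port."""
    addr = ip_address(dst)
    return any(addr in ip_network(net) and proto == p and dport in ports
               for net, p, ports in ALLOWLIST)


def audit(export_text: str, client_pool: str = "10.8.0.0/24"):
    """Return (violations, packet counts per (dst, proto, port)) for flows
    that originate from the VPN client pool; other sources are out of scope."""
    pool = ip_network(client_pool)
    violations, seen = [], Counter()
    for row in csv.DictReader(io.StringIO(export_text)):
        if ip_address(row["src"]) not in pool:
            continue
        key = (row["dst"], row["proto"], int(row["dport"]))
        seen[key] += int(row["packets"])
        if not permitted(*key):
            violations.append(key)
    return violations, seen


if __name__ == "__main__":
    bad, counts = audit(SAMPLE_FLOWS)
    for dst, proto, port in bad:
        print(f"not in policy: {dst} {proto}/{port} ({counts[(dst, proto, port)]} packets)")
```

In the sample, RDP to the file server and SQL to an undocumented host are the findings to chase down, and the three packets of plain HTTP to the web server are the kind of thing a policy written from documentation alone never mentions.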
How do I create my security policy?
have the answers to the questions above, you must decide what can be allowed
and what you cannot afford to allow. Using the VPN Security Assessment template
will help you make that decision.
take the answers to your survey and the answers you came up with after
reviewing the VPN Security Policy Vulnerability Assessment Template, and
document your VPN Security Policy.
What is the importance of an effective VPN security policy?
easiest place for viruses, worms, or malicious attackers to get into your
network is your VPN. As a network administrator or security administrator, you
must protect your company’s critical technology assets. That is your job.
Minimizing the risks on those assets and documenting what is allowed and what
is not allowed is also your job. By not having an effective VPN security
policy, you are risking not only your company’s network assets but your job
VPN policy is documented, you should have every new VPN user read and accept
the terms of that policy.
You can quickly implement a VPN policy in your organization by
downloading TechRepublic’s VPN Policy. Included you’ll
find a risk assessment spreadsheet that will help you determine the
importance of such a policy to your organization’s security along with a
basic policy that you can use and modify. You can purchase it from the
TechRepublic Catalog or download it for free as part of your
TechRepublic Pro membership.