The importance of an effective VPN security policy

Users want to be able to access your network from home or the road using VPN. You want to make sure your network stays secure. Here's how a VPN Security Policy can help.

Before implementing a VPN there is a lot of work to be done. Fortunately, this article will make that work easier. Just like you don't go out and implement a new enterprise application without proper design, planning, testing, analysis, and documentation, you don't implement a new company VPN without this type of proper planning. Part of this proper planning and documentation is a VPN security policy.

What is a VPN security policy?

A VPN security policy is a policy that defines just about everything that anyone would need to know about your VPN. It defines things like who can use the VPN, what they can use it for, and what keeps them from using it improperly or maliciously.

What goes in your security policy?

To create a good VPN security policy, you should document the answers to the following questions. Some of these questions you can answer yourself while others will be answered in conjunction with your users.

What kind of VPN will this be?

Is this a group of remote users connecting to a central site, or a site-to-site VPN between two sites? The answer to this question will influence the answers to many of the questions that follow, and which of them apply at all. If you have a group of individual users with PCs or laptops and a software VPN client, you may not have as much control as you would like. On the other hand, if you have a group of computers connected through a hardware VPN device, you have a great deal of security control over what those users can do through that device. Of course, some devices have more features and security than others.

Is split tunneling required?

Split tunneling is when a user can access BOTH the unsecured network and the secured VPN network while the VPN is connected. This is very insecure and not recommended. So, if you are in control of how this will work, you should find some way to disable split tunneling, if it is at all possible.

Will a dedicated VPN concentrator be used on the server and client sides?

It would be ideal to use a dedicated VPN hardware device on each side of the VPN tunnel but this is not always financially possible or convenient for a roaming laptop user.

Along the same lines, will you have a dedicated VPN server? It is always recommended to use separate devices for VPN connectivity and for the firewall.

What type of security requirements will you implement on the remote users to connect to the VPN?

You want your remote users who are connecting to your central network to have the same security measures in place as the regular users in your office. Examples of security measures are:

  • Client-side firewall with up-to-date rules
  • Anti-virus software with up-to-date virus definition files
  • Up-to-date Windows or other application security patches
  • Up-to-date VPN software client, used to connect to the VPN

Many of the more fully featured VPN hardware servers and VPN clients can support this type of application/patch verification.

What will happen to users whose systems do not meet the security requirements?

Preferably, users' systems that do not meet the software security requirements (from the last question) will be granted access to the VPN but sent to a VPN quarantine network where all they can do is receive updates for their system. This feature is called quarantining.
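The posture check and quarantine decision described in the last two questions, as an added example (not code from the article or from any VPN vendor). The thresholds, the report fields and the quarantine server addresses are assumptions; a real VPN client would collect the report and the concentrator would apply the resulting access list.

```python
"""Endpoint posture check for VPN admission: compliant hosts get full access,
everything else is steered to a quarantine network that only reaches update servers.
Added example; thresholds, server addresses and the report format are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta

# Policy thresholds (assumed values; take them from your own written policy)
MAX_FIREWALL_RULES_AGE = timedelta(days=7)
MAX_AV_DEFINITION_AGE = timedelta(days=3)
MAX_PATCH_AGE = timedelta(days=30)
MIN_CLIENT_VERSION = (5, 2, 0)

# Constructed addresses: the only destinations a quarantined host may reach
QUARANTINE_DESTINATIONS = [
    "10.99.0.10 tcp/80 (patch server)",
    "10.99.0.11 tcp/443 (anti-virus definition mirror)",
]


@dataclass
class PostureReport:
    """What the VPN client reports about the endpoint before the tunnel is opened."""
    host: str
    firewall_enabled: bool
    firewall_rules_date: date
    av_definitions_date: date
    last_patch_date: date
    client_version: str  # e.g. "5.2.1"


def parse_version(text: str) -> tuple:
    """Turn "5.2.1" into (5, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def evaluate(report: PostureReport, today: date) -> dict:
    """Return the admission decision together with every check that failed."""
    failures = []
    if not report.firewall_enabled:
        failures.append("client firewall disabled")
    elif today - report.firewall_rules_date > MAX_FIREWALL_RULES_AGE:
        failures.append("client firewall rules out of date")
    if today - report.av_definitions_date > MAX_AV_DEFINITION_AGE:
        failures.append("anti-virus definitions out of date")
    if today - report.last_patch_date > MAX_PATCH_AGE:
        failures.append("security patches out of date")
    if parse_version(report.client_version) < MIN_CLIENT_VERSION:
        failures.append("VPN client software out of date")

    if failures:
        # Still connected, but only to the hosts needed to fix the failures
        return {"host": report.host, "decision": "quarantine",
                "failures": failures, "reachable": QUARANTINE_DESTINATIONS}
    return {"host": report.host, "decision": "full",
            "failures": [], "reachable": ["internal networks per the user's group rules"]}


# Constructed sample reports for a stand-alone run
SAMPLE_TODAY = date(2024, 3, 4)
SAMPLE_COMPLIANT = PostureReport("laptop-03", True, date(2024, 3, 2),
                                 date(2024, 3, 3), date(2024, 2, 20), "5.2.1")
SAMPLE_STALE = PostureReport("laptop-07", True, date(2024, 3, 1),
                             date(2024, 2, 20), date(2024, 2, 25), "5.1.4")

if __name__ == "__main__":
    for report in (SAMPLE_COMPLIANT, SAMPLE_STALE):
        print(evaluate(report, SAMPLE_TODAY))
```

The quarantined host stays connected, so the user can remediate without calling the help desk, but the only reachable addresses are the update servers; everything else is decided by the group rules once the host passes.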

Will any sort of centralized authentication mechanism be used?

The simplest way to use centralized authentication is through a RADIUS server. A RADIUS server is a software application that runs on a server that has access to all users in the domain (typically a Windows domain controller). When a user attempts a connection, the VPN server contacts the RADIUS server, which authenticates that user against the Windows domain username/password. If the user's username and password are correct AND that user has "dial-in" access granted, they will be allowed access to the VPN.

Once the user is authenticated, will there be any sort of user authorization and accounting system?

Authorization is allowing certain users or groups of users access to certain "things". Those "things" could be networks, protocols, TCP port numbers, or servers. It could also involve only allowing access from certain machines and for certain time periods.

Accounting is the logging of, in this case, what the VPN user accesses, when they access it, and when they log off.
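The authorization and accounting described above, as an added example (not code from the article or from any VPN product). The groups, destination networks, machine names and time windows are constructed; the point is that every attribute of a rule (group, source machine, destination network, port, time of day) has to match before access is granted, and that each decision is written to an accounting log.

```python
"""Per-group authorization rules and an accounting log for a VPN concentrator.
Added example; the groups, networks, hosts and time windows are constructed."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    group: str
    networks: tuple      # destination networks this group may reach
    ports: frozenset     # allowed destination ports; empty means any port
    hours: tuple         # (earliest, latest) local time of day
    machines: frozenset  # permitted source machines; empty means any machine


# Constructed rules. Anything not matched here is denied.
RULES = (
    Rule("sales", (ip_network("10.10.5.0/24"),), frozenset({443}),
         (time(7, 0), time(20, 0)), frozenset()),
    Rule("it-admins", (ip_network("10.0.0.0/8"),), frozenset(),
         (time(0, 0), time(23, 59, 59)), frozenset({"laptop-it-01", "laptop-it-02"})),
)


def authorize(groups, machine, dst_ip, dst_port, when: datetime):
    """Return (allowed, reason). Every attribute of a rule must match for it to apply."""
    dst = ip_address(dst_ip)
    for rule in RULES:
        if rule.group not in groups:
            continue
        if rule.machines and machine not in rule.machines:
            continue
        if not any(dst in net for net in rule.networks):
            continue
        if rule.ports and dst_port not in rule.ports:
            continue
        if not (rule.hours[0] <= when.time() <= rule.hours[1]):
            continue
        return True, f"rule:{rule.group}"
    return False, "default-deny"


def account(log: list, when: datetime, user: str, event: str, **fields) -> str:
    """Append one accounting record (who, what, when) and return the line written."""
    detail = " ".join(f"{key}={value}" for key, value in fields.items())
    line = f"{when.isoformat()} user={user} event={event} {detail}".rstrip()
    log.append(line)
    return line


# Constructed session data so the example runs stand-alone
SAMPLE_LOG = []
SAMPLE_WHEN = datetime(2024, 3, 4, 9, 30)
SAMPLE_NIGHT = datetime(2024, 3, 4, 22, 15)
SAMPLE_GROUPS = {"alice": {"sales"}, "bob": {"it-admins"}}


def check_and_log(user, machine, dst_ip, dst_port, when=SAMPLE_WHEN, log=SAMPLE_LOG):
    """Authorize one access attempt and record the outcome, whether allowed or denied."""
    allowed, reason = authorize(SAMPLE_GROUPS.get(user, set()), machine, dst_ip, dst_port, when)
    account(log, when, user, "access" if allowed else "denied",
            machine=machine, dst=f"{dst_ip}:{dst_port}", reason=reason)
    return allowed


if __name__ == "__main__":
    check_and_log("alice", "laptop-sales-07", "10.10.5.20", 443)
    check_and_log("alice", "laptop-sales-07", "10.10.5.20", 22)
    check_and_log("bob", "home-pc", "10.20.0.5", 22)
    print("\n".join(SAMPLE_LOG))
```

Denied attempts are logged as deliberately as successful ones; a run of "denied" records for one account is exactly the signal an administrator wants to see when reviewing VPN activity.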

Will any kind of two-factor authentication be used?

The negative of allowing any user who has a valid username/password to access your network through an Internet VPN is that if a malicious attacker was able to obtain someone's username/password, they could get into your network from anywhere in the world. There is no guarantee that the person is really who they say they are.

With two-factor authentication, the user is assigned something that is unique to them. There are a variety of ways to do this but, many times, the user is assigned a card or keychain that has a display and keypad on it. The user types a PIN and is given a long, randomly changing password. This password is used to authenticate them after they enter their username and password. If the user doesn't have the device that holds their required secondary authentication password, they won't be allowed access. The most popular two-factor authentication mechanism is RSA's SecurID.
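How the server side of such a "randomly changing password" can be checked, as an added example that is not the article's code and not any token vendor's implementation. It uses the open HOTP (RFC 4226) and TOTP (RFC 6238) algorithms rather than SecurID's proprietary scheme, and the shared secret is the RFC test value, not a real one. The verifier accepts a code only within a small clock-drift window and only once, so a code that was observed in transit is useless once its time step has been consumed.

```python
"""Server-side verification of a time-based one-time password
(RFC 4226 HOTP / RFC 6238 TOTP). Added example; DEMO_SECRET is the RFC test secret."""
import hashlib
import hmac

TIME_STEP = 30          # seconds per code, as in RFC 6238
ALLOWED_DRIFT = 1       # accept one step either side to absorb token/server clock skew
DEMO_SECRET = b"12345678901234567890"  # RFC 4226/6238 test secret, not a real one


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Time-based OTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // TIME_STEP, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                used_steps: set, digits: int = 6) -> bool:
    """Accept a code only inside the drift window and only once per time step.
    used_steps is the server's record of steps already consumed for this token."""
    current = unix_time // TIME_STEP
    for step in range(current - ALLOWED_DRIFT, current + ALLOWED_DRIFT + 1):
        if step in used_steps:
            continue  # a code for this step was already accepted: treat as a replay
        if hmac.compare_digest(hotp(secret, step, digits), submitted):
            used_steps.add(step)
            return True
    return False


if __name__ == "__main__":
    now = 1111111109  # RFC 6238 test time
    code = totp(DEMO_SECRET, now)
    consumed = set()
    print("token shows", code)
    print("first use accepted:", verify_totp(DEMO_SECRET, code, now, consumed))
    print("second use accepted:", verify_totp(DEMO_SECRET, code, now, consumed))
```

The second factor only helps if the PIN and the token code are combined with the domain password, and if the server refuses a reused code; the per-step record is what turns an intercepted code into a dead one.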

What level of encryption will be used?

It is not recommended to use PPTP or 56-bit IPSEC for VPN connections because they have been proven to be less secure than other technologies. It is recommended to use 128-bit IPSEC (3DES) or 256-bit AES, if possible.

Would it be possible to use an SSL VPN?

The best choice for a VPN technology is called SSL-VPN. With SSL-VPN, you only allow a VPN connection to the individual IP addresses, ports, and applications that the user has access to. SSL-VPN is not supported by all applications.

What users will be allowed access to the VPN and why? Will these users be in groups? Are there different groups for different levels of access?

This must be documented as it is a critical part of your VPN security policy. Users cannot be doled out VPN access just for asking. Accessing the VPN is a privilege and security risk. Network security administrators must protect themselves from giving the wrong user access and compromising system security.

What server IP addresses, ports, and applications will be allowed? Has this been tested with a protocol analyzer?

Almost any VPN server will allow you to define what IP addresses, ports, and applications may do what on the VPN. This is there to protect your internal LAN from viruses and malicious attackers at the VPN client end. Once you know the IP addresses and ports, you should verify them with a protocol analyzer like Ethereal.

How do I create my security policy?

Once you have the answers to the questions above, you must decide what can be allowed and what you cannot afford to allow. Using the VPN Security Assessment template will help you make that decision.

Next, take the answers to your survey and the answers you came up with after reviewing the VPN Security Policy Vulnerability Assessment Template, and document your VPN Security Policy.

What is the importance of an effective VPN security policy?

The easiest place for viruses, worms, or malicious attackers to get into your network is your VPN. As a network administrator or security administrator, you must protect your company's critical technology assets. That is your job. Minimizing the risks on those assets and documenting what is allowed and what is not allowed is also your job. By not having an effective VPN security policy, you are risking not only your company's network assets but your job security.

Once the VPN policy is documented, you should have every new VPN user read and accept the terms of that policy.

You can quickly implement a VPN policy in your organization by downloading TechRepublic's VPN Policy. Included you'll find a risk assessment spreadsheet that will help you determine the importance of such a policy to your organization's security along with a basic policy that you can use and modify. You can purchase it from the TechRepublic Catalog or download it for free as part of your TechRepublic Pro membership.