Let’s cut straight to the chase. In this blog we look at two VPN best practices that will make your use of these network tools more secure. Your VPN is the gateway to your internal network: anyone on the Internet who can authenticate to it gets direct access to that network. Organizations typically spend most of their time and resources securing the perimeter, yet once an attacker has a foothold on the internal network, elevating privileges is usually straightforward. That makes your VPN one of your most critical devices to secure.
1. Multi-Factor Authentication
As we just discussed, your VPN is one of the top targets for external attackers. As such, we need to ensure that it is locked down with multi-factor authentication (MFA). Without MFA in place, the login interface is exposed to a range of password attacks, from straightforward brute force to password spraying, where the attacker tries one or two common passwords against many accounts to stay under lockout thresholds; spraying is the more likely technique. Further, if an attacker obtains valid credentials elsewhere (through social engineering or a previous data breach, say), they can reuse them in a credential stuffing attack against the VPN to gain access to your internal network.
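The attacks above leave a distinctive footprint in the gateway's authentication log, and a spray in particular is easy to miss if you only alert on per-account lockouts. The following is an added example (not code from the original post) that runs simple detection logic over a few constructed log lines in a made-up `vpn-gw auth:` format; the field names, thresholds and IP addresses are assumptions, and a real gateway's log format will need its own regex.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a generic, made-up "vpn-gw auth:" format.
# Real gateways (OpenVPN, Cisco ASA, Fortinet, ...) log differently; adjust LINE_RE.
SAMPLE_LOG = "\n".join(
    # Source 1: one password tried against many users (spray), then a hit.
    [f"2024-03-01T10:00:{2 * i + 1:02d}Z vpn-gw auth: result=FAIL user={u} src=203.0.113.5"
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + ["2024-03-01T10:00:13Z vpn-gw auth: result=OK user=grace src=203.0.113.5"]
    # Source 2: many passwords against one user (brute force), no success.
    + [f"2024-03-01T10:05:{i:02d}Z vpn-gw auth: result=FAIL user=alice src=198.51.100.7"
       for i in range(10)]
    # Source 3: a legitimate user who mistyped once; must not be flagged.
    + ["2024-03-01T10:20:00Z vpn-gw auth: result=FAIL user=alice src=192.0.2.9",
       "2024-03-01T10:20:30Z vpn-gw auth: result=OK user=alice src=192.0.2.9"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for one auth event, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_password_attacks(log_text, window=timedelta(minutes=10),
                            spray_min_users=5, brute_min_attempts=10):
    """Group auth events by source IP and, within a sliding time window, look for:
      password_spray:           failures against >= spray_min_users distinct accounts
      brute_force:              >= brute_min_attempts failures against one account
      credentials_likely_valid: a success from a source already matching one of the above
    Returns {src: sorted finding names} for sources with at least one finding."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    findings = defaultdict(set)
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            win = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            fails = [e for e in win if e["result"] == "FAIL"]
            if not fails:
                continue
            per_user = Counter(e["user"] for e in fails)
            spray = len(per_user) >= spray_min_users
            brute = max(per_user.values()) >= brute_min_attempts
            if spray:
                findings[src].add("password_spray")
            if brute:
                findings[src].add("brute_force")
            # A success following the failures means the attacker found a working password.
            if (spray or brute) and any(
                e["result"] == "OK" and e["ts"] >= fails[0]["ts"] for e in win
            ):
                findings[src].add("credentials_likely_valid")
    return {src: sorted(kinds) for src, kinds in findings.items()}


if __name__ == "__main__":
    for src, kinds in detect_password_attacks(SAMPLE_LOG).items():
        print(f"{src}: {', '.join(kinds)}")
```

Note that the legitimate user who mistyped once is not reported, while the spraying source is flagged twice: once for touching six accounts and again because a login from the same source succeeded afterwards, which is the event that warrants an immediate response.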
Generally speaking, MFA is easy to implement and can be done cheaply or even for free. More sophisticated solutions aimed at large organizations, such as Duo, do carry a bigger price tag. The more likely hurdle is organizational buy-in: at most organizations we test, executives feel that having employees type a password and then approve a prompt on their phone to reach the network is too time-consuming or inconvenient. Typically, though, once they see a penetration testing report showing how we used that VPN to reach their sensitive information and files, they come around. One caveat when you do roll it out: a plain push approval is the most convenient factor, but it can be worn down with repeated prompts, so prefer number matching or a hardware token where the VPN client supports it.
2. Full Tunnel
The second of the VPN best practices we are going to cover is to ensure your VPN runs in full tunnel mode. A VPN client can operate in one of two modes: split tunnel or full tunnel. In split tunnel, which is used to reduce the bandwidth flowing through the VPN concentrator, only traffic destined for your internal network travels over the encrypted tunnel, while everything else (Facebook or general web surfing, for example) leaves the local network directly for the Internet. The problem with this is that an attacker on that local network may be able to compromise the computer via the traffic it sends out locally, for instance by poisoning NBNS/LLMNR name lookups to capture or relay the user's credentials, and then use the computer as a bridge into your corporate network. Additionally, your employees may be lulled into a false sense of security with a split tunnel configuration, thinking they are protected by the encrypted VPN tunnel while browsing. This may lead them to conduct sensitive business, like banking on the free WiFi at an airport or a Starbucks, which they would not normally do if they knew they were unprotected. Because of this, it is best to route all of your employee traffic through the VPN tunnel by configuring the client for full tunnel. Keep in mind that full tunnel changes where traffic is routed, not whether the laptop is sitting on a hostile network: the local interface is still there, so pair full tunnel with the client's option to block local LAN access where it offers one, and disable LLMNR and NBT-NS on the endpoints themselves.
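Whether a client is actually in full tunnel is visible in its routing table, and it is worth checking rather than trusting the gateway's profile setting. Below is an added example, not code from the original post, that classifies a Linux client's `ip route show` output by asking which interface carries traffic to an arbitrary Internet address and whether the local LAN remains directly reachable. The two routing tables are constructed samples (the `0.0.0.0/1` plus `128.0.0.0/1` pair is how OpenVPN's `redirect-gateway def1` overrides the default route without deleting it), and the interface names, probe addresses and VPN server address are assumptions.

```python
import ipaddress

# Constructed `ip route show` output for a Linux laptop on a coffee-shop WiFi
# (192.168.1.0/24), connected through tun0 to a VPN server at 203.0.113.10.
FULL_TUNNEL_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""

# Same laptop, but the VPN only pushed a route for the corporate 10.0.0.0/8.
SPLIT_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""


def parse_ip_route(text):
    """Parse `ip route show` lines into (network, device) pairs."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(dst, strict=False)  # bare host routes become /32
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((net, dev))
    return routes


def egress_device(routes, dst):
    """Longest-prefix match: which interface carries traffic to dst?"""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(matches, key=lambda m: m[0])[1] if matches else None


def classify_tunnel(route_text, tunnel_dev="tun0",
                    internet_probe="198.51.100.1", lan_probe="192.168.1.50"):
    """Report whether arbitrary Internet traffic leaves via the tunnel ("full")
    or via the local network ("split"), and whether the local LAN is still
    directly reachable, which it is even in full tunnel unless the client blocks it."""
    routes = parse_ip_route(route_text)
    internet_dev = egress_device(routes, internet_probe)
    lan_dev = egress_device(routes, lan_probe)
    return {
        "mode": "full" if internet_dev == tunnel_dev else "split",
        "internet_via": internet_dev,
        "lan_direct": lan_dev is not None and lan_dev != tunnel_dev,
    }


if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL_ROUTES), ("split", SPLIT_TUNNEL_ROUTES)):
        print(name, classify_tunnel(table))
```

On a live Linux host, feed it `subprocess.check_output(["ip", "route", "show"], text=True)` instead of the samples. Note that both tables report `lan_direct` as true: even the full-tunnel client still has a direct route to the hostile LAN, which is exactly why the LAN-blocking option and the name-resolution hardening mentioned above matter alongside full tunnel.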
In summary, we covered two VPN best practices you should consider to ensure your organization is operating as securely as possible. The first is to realize that this device is a high-value target for an attacker as it allows direct access to the internal network. As such, it is imperative to protect the authentication process with multi-factor authentication. Additionally, use full tunnel to ensure that all traffic originating from employee computers connected to the VPN is protected so an attacker cannot attack employee laptops and use them as a bridge to your internal network. This will also help to protect your employees while they travel and may need to connect to open networks.