How do you create a secure VPN tunnel?

Expert Julian Weinberger says that locking your VPN parameters can help secure your VPN tunnel by blocking users from changing configurations.

When users are able to access a local area or wide area network using the same physical connection used to access the Internet or other public networks, security issues can occur if you don't know what information is going through and across your VPN. Take split tunneling. If users are permitted to edit the VPN configuration, they could use split tunneling to access external websites directly instead of going through a secure VPN tunnel, perhaps as a means to speed up Internet access. In this scenario, employees have created potential network vulnerabilities.

Preconfiguring VPN clients and applying parameter locks that a user cannot change enables enterprises to require full tunneling. This eliminates the threat of split tunneling by requiring that all traffic be funneled through the VPN and firewall, thus ensuring that whenever employees connect to the network, they're unable to access forbidden or unsecure sources.
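One way to check on an endpoint that full tunneling is really in effect, shown here as an added example that is not part of the original article: parse a Linux `ip -4 route` listing and report every prefix that still leaves outside the tunnel under longest-prefix matching. The interface names (`tun0`, `wlan0`), the addresses, and the allow-list of the VPN gateway and local LAN are constructed assumptions.

```python
import ipaddress

def parse_routes(text):
    """Turn `ip -4 route` style lines into (network, interface) pairs."""
    routes = []
    for line in text.strip().splitlines():
        f = line.split()
        if "dev" not in f:
            continue
        dest = "0.0.0.0/0" if f[0] == "default" else f[0]
        routes.append((ipaddress.ip_network(dest), f[f.index("dev") + 1]))
    return routes

def effective(net, routes):
    """Address space that still follows `net` after longest-prefix match."""
    remaining = [net]
    for other, _ in routes:
        if other.prefixlen <= net.prefixlen or not other.subnet_of(net):
            continue
        nxt = []
        for r in remaining:
            if r.subnet_of(other):        # fully shadowed by the more specific route
                continue
            if other.subnet_of(r):        # carve the more specific route out of r
                nxt.extend(r.address_exclude(other))
            else:
                nxt.append(r)
        remaining = nxt
    return remaining

def split_tunnel_findings(text, tunnel_if, allowed=()):
    """Prefixes that leave outside the tunnel and are not explicitly allowed."""
    routes = parse_routes(text)
    ok = {ipaddress.ip_network(a) for a in allowed}
    return [str(net) for net, dev in routes
            if dev != tunnel_if and net not in ok and effective(net, routes)]

# Constructed sample: full tunnel via two /1 routes that override the default.
LOCKED = """
default via 192.168.1.1 dev wlan0
0.0.0.0/1 dev tun0
128.0.0.0/1 dev tun0
203.0.113.10 via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""
# Constructed sample: the same table after a user-added split-tunnel route.
EDITED = LOCKED + "198.51.100.0/24 via 192.168.1.1 dev wlan0\n"
ALLOWED = ("203.0.113.10/32", "192.168.1.0/24")  # assumed VPN gateway and local LAN

if __name__ == "__main__":
    print(split_tunnel_findings(LOCKED, "tun0", ALLOWED))  # []
    print(split_tunnel_findings(EDITED, "tun0", ALLOWED))  # ['198.51.100.0/24']
```

The original default route through `wlan0` is not reported in the locked table because the two tunnel `/1` routes shadow all of it; whether the local LAN belongs on the allow-list is a policy decision.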

When network administrators preconfigure their VPNs with the highest security settings, the benefits are immediate. Since all network traffic funnels through the secure VPN tunnel, the threat of malicious attacks is minimized and hackers won't be able to snoop on data in transit.

Centrally locking parameters reduces the complexity of configuration possibilities by only showing settings that are relevant for a user's work environment. Also, when parameters are set up to prevent a user from changing them, misconfigurations and undesired connection setups are avoided. But preconfiguration and locked parameters produce another benefit as well -- greater productivity and more efficient deployment of IT resources. Network administrators won't be taken away from their other critical tasks to fix a VPN configuration.

Risk posed by end devices can also be limited by network location awareness that enables computers to automatically recognize secure and unsecure networks and change security settings accordingly, such as firewall rules. To provide further security, network administrators can centrally set parameter locks to prevent users from bypassing the security policy, such as deactivating, deleting or changing firewall filter rules. With location awareness, even security-sensitive locations like public hotspots can serve as access points to the company network.

Protecting against threats requires a firm defense

To stay on the offensive against threats to network security and secure remote access, IT departments must see the value of taking a defense-first approach. Preconfiguring and locking VPN client parameters are simple preventative measures that minimize the threat of malicious attackers, proving that for network administrators, at least, the best defense is really just a good defense. 

This was last published in April 2015
