
What's the best way to safely preconfigure VPN access?

Expert Julian Weinberger says limiting user VPN access can help enterprises enforce security and BYOD policies and reduce risk at the same time.

There's a reason that the adage, "The best defense is a good offense," has held up over time. It's applicable in many contexts and disciplines, from the military to the law to sports and more. But that doesn't mean it's universally true, especially when it comes to VPN access.

As today's constantly under-siege network administrators know all too well, there are too many threats lurking -- and too many potential vulnerabilities within their organizations -- to anticipate and attack every single threat before it happens.

This is especially true given that the bring your own device (BYOD) trend and remote work are on the rise, and network administrators are losing immediate oversight over potentially harmful employee behavior. Staying on the offensive at all times is not a sustainable strategy, and it may not be all that successful anyway, even in the short term.

So, what is the best defensive strategy for a network administrator concerned about securing remote VPN access? The key is to preconfigure and lock VPN parameters so that employees never have the option to change settings. Taking these proactive steps up front will save network administrators from chasing after rogue employees and enforcing the policy all over again every time it's broken.

The case for remote work

Whenever the topic of BYOD comes up, its two primary benefits are often mentioned in the next breath: the convenience (for employees) and the cost savings (for employers). That's why, by 2018, BYOD is expected to cross an important benchmark -- there will be twice as many employee-owned devices used for business purposes as there will be enterprise-owned devices.

Unlike in the past, today's employees are accessing corporate networks remotely, from countless potentially vulnerable access points and on mobile devices that may not be completely secure, making the job of locking down the network even more of a challenge for IT departments. It isn't enough to deploy a VPN, tell users, "Here is our security policy," and then just expect them to comply.

Limit user behavior to reduce risk

Without the ability for administrators to preconfigure VPNs and lock parameters, users can modify VPN access configurations and settings, which usually ends up -- not surprisingly -- causing harm to the network, whether it's through a long-term vulnerability an administrator doesn't even know about, or a direct, immediate attack.

Why wouldn't network administrators preconfigure VPNs and lock parameters? Often, network administrators are so eager to deploy the VPN client -- to allow users to connect remotely to the corporate network -- that they fail to give sufficient thought to the consequences of not configuring the VPN in a way that supports the security policy. They may not even know that preconfiguration and locking parameters -- settings that a user cannot change -- are options.

Another shortfall facing network administrators is choosing a VPN client that doesn't offer the option to preconfigure and lock parameters. Or, they might choose a VPN product that doesn't support the remote access policies they already have in place. As an example, if a company policy says all Internet traffic must be routed through a secure VPN, then the platform must have the functionality and flexibility to support this.
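As an added example (not from the article or any VPN vendor), the following Python script audits a deployed client profile against the administrator's locked baseline and checks that the profile's tunnel routes really cover all Internet traffic, the policy the article uses as its example. The key/value profile format, the parameter names and the two sample profiles are assumptions constructed for this example; a real client would expose its own settings and route table.

```python
import ipaddress

# Constructed baseline of administrator-locked parameters
# (hypothetical profile keys; the article names no specific VPN product).
LOCKED_BASELINE = {
    "auth": "certificate",
    "split_tunnel": "off",
    "allow_user_edit": "false",
}

def profile_routes_cover_all_ipv4(routes):
    """True if the tunnel routes, once collapsed, cover the whole IPv4 space.
    Accepts a single 0.0.0.0/0 as well as the 0.0.0.0/1 + 128.0.0.0/1 pair
    some clients push to override the default gateway without replacing it."""
    nets = [ipaddress.ip_network(r, strict=False) for r in routes]
    collapsed = list(ipaddress.collapse_addresses(nets))
    return collapsed == [ipaddress.ip_network("0.0.0.0/0")]

def parse_profile(text):
    """Parse a simple 'key = value' profile; the 'route' key may repeat."""
    profile = {"route": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "route":
            profile["route"].append(value)
        else:
            profile[key] = value
    return profile

def audit_profile(text, baseline=LOCKED_BASELINE):
    """Return the list of policy violations; an empty list means compliant."""
    profile = parse_profile(text)
    violations = []
    for key, expected in baseline.items():        # every locked key must match
        actual = profile.get(key)
        if actual != expected:
            violations.append(f"{key}: locked to {expected!r}, found {actual!r}")
    if not profile_routes_cover_all_ipv4(profile["route"]):
        violations.append("routes: not all Internet traffic is forced through the tunnel")
    return violations

# Constructed samples: the profile as pushed, and the same profile after a user edited it.
PUSHED_PROFILE = """
auth = certificate
split_tunnel = off
allow_user_edit = false
route = 0.0.0.0/1
route = 128.0.0.0/1
"""

EDITED_PROFILE = """
auth = certificate
split_tunnel = on        # user switched split tunnelling on
allow_user_edit = false
route = 10.0.0.0/8       # only the corporate range still goes through the VPN
"""
```

Running `audit_profile` on each profile reports nothing for the pushed copy and two violations for the edited one, which is the drift a locked configuration is meant to make impossible in the first place.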


This was last published in April 2015
