Nmedia - Fotolia
There's a reason that the adage, "The best defense is a good offense," has held up over time. It's applicable in many contexts and disciplines, from the military to the law to sports and more. But that doesn't mean it's universally true, especially when it comes to VPN access.
As today's constantly under-siege network administrators know all too well, there are too many threats lurking -- and too many potential vulnerabilities within their organizations -- to anticipate and attack every single threat before it happens.
This is especially true given that the bring your own device (BYOD) trend and remote work are on the rise, and network administrators are losing immediate oversight over potentially harmful employee behavior. Staying on the offensive at all times is not a sustainable strategy, and it may not be all that successful anyway, even in the short term.
So, what is the best defensive strategy for a network administrator concerned about securing remote VPN access? The key is to preconfigure and lock VPN parameters in order to prevent employees from having the option to change settings. Taking these proactive steps up front will save network administrators from chasing after rogue employees and re-enforcing a policy every time it's broken.
The case for remote work
Whenever the topic of BYOD comes up, its two primary benefits are often mentioned in the next breath: the convenience (for employees) and the cost savings (for employers). That's why, by 2018, BYOD is expected to cross an important benchmark -- there will be twice as many employee-owned devices used for business purposes as there will be enterprise-owned devices.
Unlike in the past, today's employees are accessing corporate networks remotely, from countless potentially vulnerable access points and on mobile devices that may not be completely secure, making the job of locking down the network even more of a challenge for IT departments. It isn't enough to deploy a VPN, tell users, "Here is our security policy," and then just expect them to comply.
Limit user behavior to reduce risk
Without the ability for administrators to preconfigure VPNs and lock parameters, users can modify VPN access configurations and settings, which usually ends up -- not surprisingly -- causing harm to the network, whether it's through a long-term vulnerability an administrator doesn't even know about, or a direct, immediate attack.
Why wouldn't network administrators preconfigure VPNs and lock parameters? Often, network administrators are so eager to deploy the VPN client -- to allow users to connect remotely to the corporate network -- that they fail to give sufficient thought to the consequences of not configuring the VPN in a way that supports the security policy. They may not even know that preconfiguration and locking parameters -- settings that a user cannot change -- are options.
Another shortfall facing network administrators is choosing a VPN client that doesn't provide the option to preconfigure and lock parameters. Or, they might choose a VPN product that doesn't support the remote access policies they already have in place. As an example, if a company policy says all Internet traffic must be routed through a secure VPN, then the platform must have the functionality and flexibility to support this.
For BYOD security risks, which VPN is best?
Securing mobile devices
Site-to-site versus client to server VPN connection
Dig Deeper on Network Security Monitoring
Related Q&A from Julian Weinberger
How should cybersecurity-enforcement efforts adapt as digital assistant devices become more pervasive in business enterprise networking to safeguard ... Continue Reading
Public hotspot security needs to be carefully considered by IT departments and traveling professionals to prevent breaches of sensitive corporate ... Continue Reading
VPN evolution has seen a shift in connectivity -- from point-to-point to sophisticated, multipoint connectivity systems. Continue Reading