Editor's note: In this second part of a two-part series, security expert Dave Shackleford discusses some of the key security and design considerations required to underpin virtual private networks (VPNs). Part one examined some of the most popular VPN configurations and their roles. Part two discusses the steps enterprises should take to properly secure VPN implementations.
Certain VPN implementations can provide better security specifically for remote access networks. It's important to note that individual vendor products will offer a variety of specific features.
Ensure strong encryption settings are used. All VPN products allow configuration of the encryption cipher suites used. For IPsec implementations this will likely be 3DES (Data Encryption Standard) or Advanced Encryption Standard (AES), while Secure Sockets Layer (SSL) VPNs have many more options, including stream ciphers like RC4. IPsec makes this simpler because the client will be pre-configured to use a particular algorithm, thus ensuring compatibility. SSL VPNs, on the other hand, have to take browser cipher support into account. Due to the proliferation of SSL and Transport Layer Security (TLS) vulnerabilities, especially the more recent BEAST and CRIME attacks, forcing the use of strong protocol versions like TLS 1.2 is recommended, although browser compatibility should be verified with clients. For integrity hashing, Secure Hash Algorithm (SHA)-1 is preferable to MD5. Encryption key length should be adequate, with a minimum of 256-bit keys (AES) or 168-bit (3DES), 1024-bit keys for key exchange algorithms (like RSA), and 512-bit for hashing algorithms like SHA-1.
Review endpoint security policies. Different vendors offer a variety of endpoint security policies, including OS and browser checks, antimalware checks, browser cache and cookie wipe upon logoff, and client-side multifactor verification (smart cards, USB tokens, etc.). Site-to-site VPNs won't have this type of policy.
Set session timeouts. All VPN implementations allow for session timeouts, and they should be configured for as short a time period as you're comfortable with. Depending on the business requirements, 10 to 15 minutes of inactivity is usually adequate, and SSL VPNs usually support closing the browser window automatically, as well.
Ensure secure IPsec settings are established. IPsec has a large number of configuration options. Many organizations, however, choose convenience and simplicity over security without realizing it. For example, many IPsec implementations leverage a "shared secret" that is known to the VPN gateways and needs to be included in the authentication configuration. Using a different shared secret for each side is preferable and isn't any more difficult to set up. Using certificates deployed from an internal certificate authority is a bit more work, but is significantly more secure. In addition, the Internet Key Exchange protocol, used for establishing an IPsec security association, is often configured to use Aggressive Mode for convenience and performance, but this is a much weaker exchange method, and Main Mode should be used instead.
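The IPsec checks above, together with the cipher and hashing guidance earlier in the article, can be audited automatically. The following is an added example, not part of the original article or any vendor's tooling; it assumes strongSwan-style ipsec.conf syntax, and the connection names and sample configuration are constructed.

```python
import re

# Constructed sample in strongSwan-style ipsec.conf syntax (an assumption;
# the article names no product). Not taken from any real gateway.
SAMPLE_CONF = """\
conn branch-office
    aggressive=yes
    authby=secret
    ike=3des-md5-modp1024
    esp=aes128-sha1

conn hq-site
    aggressive=no
    authby=pubkey
    ike=aes256-sha1-modp1024
    esp=aes256-sha1
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for each 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        header = re.match(r"conn\s+(\S+)$", line)
        if header:
            current = conns.setdefault(header.group(1), {})
        elif current is not None and line[:1].isspace() and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().lower()
    return conns

def audit(text):
    """Flag settings the article calls weak; returns {conn: [findings]}."""
    report = {}
    for name, opts in parse_conns(text).items():
        findings = []
        if opts.get("aggressive") == "yes":
            findings.append("IKE Aggressive Mode enabled; use Main Mode")
        if opts.get("authby") in ("secret", "psk"):
            findings.append("shared-secret authentication; prefer certificates")
        for key in ("ike", "esp"):  # IKE and ESP proposal strings
            for algo in re.split(r"[-,!]", opts.get(key, "")):
                if algo.startswith("md5"):
                    findings.append(f"{key}: MD5 integrity; SHA-1 is preferable")
                if algo in ("des", "aes", "aes128", "aes192"):
                    findings.append(f"{key}: {algo} is below the AES-256/3DES minimum")
        report[name] = findings
    return report
```

Calling `audit(SAMPLE_CONF)` returns four findings for `branch-office` and none for `hq-site`.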
Leverage strong multifactor authentication. All VPNs should support some form of multifactor authentication, which is critical to implement, especially for remote access configurations. Client-side certificates and smart cards, as well as two-factor tokens and one-time passwords sent to mobile devices, are among the more popular options. Really, anything is better than just a username and password.
Patch and update the appliance or software. All VPN software and appliances will need to be updated occasionally. Ensure these systems are incorporated into your existing vulnerability management strategy to avoid exposing vulnerabilities or causing availability issues.
These are just starting points, of course. Creating access controls for specific applications and users will take much more planning. Some VPNs support access to virtual desktop infrastructure and other internal resources to simplify and facilitate secure connectivity from remote clients. Since all vendors offer different configuration options, it's critical to understand all the available security settings and choose those that offer the best balance among performance, usability and security.