In corporate networks, remote access is typically granted to trusted employees and key customers. Access to the corporate network is possible, for example, through a VPN service. Maintaining a secure network that includes virtual private networks is a demanding task. Every remote, uncontrolled computer creates a potential opening for Internet attacks. Here are five safety tips for VPN software users.
1. Enforce the use of strong passwords. If you are not using effective authentication methods, such as cryptographic smart cards or tokens, you must reckon with the fact that a static password can be easily guessed or stolen. eBay has lost hundreds of user accounts because someone was able to guess trivial passwords. Block trivial combinations of words and numbers (such as “admin1234”), which might be easy to remember but pose a serious threat to network safety. Check whether your VPN software allows whole sentences as passwords; if it does, find a way to encourage users to choose them. They can still be stolen, but it is virtually impossible to simply guess them. If VPN user authentication is password-based, never use the same password for email, since most email programs remember passwords, and extracting them from the OS registry is as easy as pie even for an inexperienced hacker.
2. Protect users from viruses and Trojans. Enforce the use of antivirus programs and personal firewalls on client computers connecting to the VPN. Once connected to your network via VPN, even one infected computer can infect all the others. Do not give full access to untrusted computers. If a remote consultant wants to connect to your network through a VPN server and you are not sure about the safety of his operating system, do not give him full access until you have made sure that it is not spreading viruses or Trojan horses.
3. Define clear policies for Internet use. Some companies force remote users to connect to the Internet via the VPN; others allow them to reach the Web through the user’s own separate connection, using the VPN service only for the corporate network. The first solution is obviously safer, yet the latter is faster for the user. If, because of security requirements, users can access the Internet through the corporate proxy server, then make sure they connect to the VPN server only from business notebooks on which they cannot change the VPN client configuration.
4. Use the strongest data encryption protocol available. Security breaches can be prevented with a high success rate by using commonly accepted protocols such as IPSec, including ESP (Encapsulating Security Payload), SSL (Secure Sockets Layer) and TLS (Transport Layer Security).
5. Do not forget about the WLAN on the client’s side. Many people use low-cost WLAN access points whose default security measures, such as WPA (Wi-Fi Protected Access), are disabled, or which offer only weak WEP (Wired Equivalent Privacy). An intruder in a user’s home network can quickly and effortlessly invade the corporate network. Educate users on proper WLAN security, and tell them how to enable simple but effective security measures such as WPA-PSK (WPA Pre-Shared Key).
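
The password rule from tip 1 can be enforced when a user sets or changes a VPN password. The Python sketch below is an added example, not part of the original article: it rejects a common word padded with digits or symbols (the “admin1234” pattern) and accepts whole-sentence passphrases. The deny-list, the thresholds and the function names are assumptions chosen for illustration.

```python
import re

# Constructed sample deny-list; a real deployment would load a much larger one.
COMMON_WORDS = {"admin", "password", "welcome", "letmein", "qwerty", "secret", "vpn"}
# Undo common character substitutions before the deny-list lookup.
LEET = str.maketrans("@$!013457", "asioieast")
MIN_LENGTH = 12          # assumed minimum for an ordinary password
PASSPHRASE_WORDS = 4     # assumed minimum distinct words in a passphrase
PASSPHRASE_LENGTH = 20   # assumed minimum length of a passphrase


def core_word(password):
    """Strip leading/trailing digits and symbols, then undo substitutions."""
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return stripped.translate(LEET)


def check_password(password, username=""):
    """Return (accepted, reason) for a candidate VPN password."""
    lowered = password.lower()
    if username and username.lower() in lowered:
        return False, "contains the user name"
    if len(set(lowered)) < 5:
        return False, "too few distinct characters"
    core = core_word(password)
    if not core or core in COMMON_WORDS:
        return False, "common word plus digits or symbols"
    # Whole sentences are accepted on word count and length alone.
    if len(set(lowered.split())) >= PASSPHRASE_WORDS and len(password) >= PASSPHRASE_LENGTH:
        return True, "passphrase"
    if len(password) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    return True, "long enough and not on the deny-list"


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("admin1234", "P@ssw0rd!", "12345678", "short1!",
                      "my cat sleeps on the warm router"):
        print(f"{candidate!r:40} {check_password(candidate)}")
```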