10 tips to secure client VPNs

Computerworld - If you have given your trusted employees and key contractors remote access to your network via a client virtual private network (VPN), congratulations! By now, you have seen the productivity and cost benefits from allowing collaboration that surmounts geographical separation.

You may also have discovered that keeping your network secure is now even trickier than it was, because each uncontrolled remote computer potentially creates another avenue of access to the network for attackers. Here are 10 tips to help secure your network while ensuring the benefits of your VPN.

1. Use the strongest possible authentication method for VPN access. Exactly what this is will depend on your network infrastructure, and you should check your VPN or operating system documentation to determine your options.

For example, on a network with Microsoft servers, the most secure authentication is provided by Extensible Authentication Protocol-Transport Level Security (EAP-TLS) used with smart cards. These require a public key infrastructure (PKI) and incur the overhead of encoding and distributing smart cards securely. On these networks, Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAP v2) and Extensible Authentication Protocol (EAP) provide the next best authentication security.

Password Authentication Protocol (PAP), Shiva Password Authentication Protocol (SPAP) and Challenge Handshake Authentication Protocol (CHAP) are too weak to be allowed.

2. Use the strongest possible encryption method for VPN access. On a network with Microsoft servers, this is Layer Two Tunneling Protocol (L2TP) over Internet Protocol security (IPsec). Point-to-Point Tunneling Protocol (PPTP) is too weak to be allowed, unless your client passwords are guaranteed to be strong (see tip No. 6). OpenVPN, a Secure Socket Layer (SSL) VPN, can be run with TLS-based session authentication, Blowfish or AES-256 encryption, and SHA1 authentication of tunnel data.

3. Limit VPN access to those with a valid business reason, and only when necessary. A VPN connection is a door to your LAN, and should only be open when it needs to be. Remote employees should be discouraged from connecting to the VPN all day to check e-mail (see tip No. 5). Remote employees and contractors should also be discouraged from connecting to the VPN to download commonly needed files (see tip No. 4).

4. Provide access to selected files through intranets or extranets rather than VPNs. A secure HTTP Secure (HTTPS) Web site with safe password authentication (not basic authentication) exposes only selected files on a single server, not your whole network, and scales better than a VPN.

5. Enable e-mail access without requiring VPN access. On Microsoft Exchange servers, set up an Exchange proxy server to allow Outlook to access Exchange via remote procedure call (RPC) protocol over HTTP, protected by SSL encryption.