A Virtual Private Network (VPN) is a group of network hosts that can transfer encrypted data between themselves on a Virtual Private Network. The technology creates a safe encrypted connection, usually over public networks such as the internet, that allows remote users and locations such as branch offices, to securely access and share resources. The main benefit is providing an adequate level of security and encryption to safely transmit private data across unprotected networks. Even though modern Virtual Private Networks use advanced encryption to protect data, additional controls should be utilized to protect them from vulnerabilities that might be introduced through other system componoents and configuration weaknesses.
The following is a list of recommended Virtual Private Network monitoring and security controls:
- Use firewalls and Intrusion Detection/Prevention Systems (IDS/IDPS) in order to monitor VPN connections.
- Use anti-malware and personal firewalls on remote clients and servers.
- All VPN connections require authentication.
- Logging enabled and auditing performed on a regular basis in order to detect possible attacks.
- Establish user and administrator security training requirements.
- VPN’s placed within a Demilitarized Zone (DMZ) to isolate them from internal protected networks.
- Split tunneling to allow local internet access on remote hosts should be prohibited.
- Use strong authentication mechanisms to include certificates, smart cards, or tokens.
- Access privileges granted on as-needed basis.
- Use strong alternative authentication mechanisms such as Terminal Access Controller Access Control System (TACACS), and Remote Authentication Dial-In User Service (RADIUS).
- Remote access computers physically secure.
- Use strong industry proven encryption with sufficient key strength to protect confidentiality.
It is important to note that even though Virtual Private Networks provide secure communications over insecure networks, client-side security must also be addressed in order to ensure end-to-end security.
HKSAR-The Government of the Hong Kong Special Administrative Region. (2008, February). VPN Security. Retrieved September 20, 2017, from https://www.infosec.gov.hk/english/technical/files/vpn.pdf.
Oracle Docs. Defining a VPN. https://docs.oracle.com/cd/E19047-01/sunscreen32/806-6347/6jfa0g87q/index.html.
Tech Target. Virtual Private Network. http://searchnetworking.techtarget.com/definition/virtual-private-network.