Granting remote access via a client VPN can increase productivity and even reduce costs, as it allows constant collaboration regardless of location. However, keeping your network secure at all times can be challenging, as each unmonitored remote computer or device poses a potential threat of network attacks. In this article, you will learn some of the top tips to help you manage your client VPNs better.
Strengthen all possible encryption methods during VPN access
To familiarize you with some of the common encryption terms, we will use Microsoft servers as an example. Most networks running on Microsoft servers rely on two protocols, namely L2TP (Layer Two Tunneling Protocol) and IPsec (Internet Protocol Security). L2TP is simply an extension of PPTP (Point-to-Point Tunneling Protocol) and is used by many internet service providers to enable VPN operation over the internet. However, if your client passwords turn out to be weak, implementing PPTP is not advisable.
Utilize strong authentication methods
To determine your available options, you will have to check your network infrastructure, as well as the documentation for your operating system or VPN. On most widely used servers, the most secure form of authentication available is EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) coupled with smart cards. This protocol requires a PKI (Public Key Infrastructure) that encodes and distributes smart cards securely. Some weak authentication methods to avoid are:
• Challenge Handshake Authentication Protocol (CHAP)
• Shiva Password Authentication Protocol (SPAP)
• Password Authentication Protocol (PAP)
Remote users must have a valid business reason
Every local area network (LAN) requires a gateway such as a VPN connection, and it should only be opened when necessary. Restricting access to it is vital for keeping your network secure, as remote client VPN users may otherwise access all the subnets within the network. To restrict access, you may consider implementing layer 3 firewall rules, which are very effective at denying or permitting VPN traffic. With such rules, remote users are limited to a specific range of addresses or ports, which helps protect sensitive information from being exposed. Additionally, you should remind any remote employees to:
• Refrain from connecting to the client VPN all day just to check their email
• Not use the VPN to download files that are commonly needed
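The layer 3 restriction described above can be modelled as an ordered rule list with a default deny. The following is an added example, not part of the original article; the VPN client pool, server addresses and ports are constructed values chosen for illustration.

```python
import ipaddress

# Constructed example values: the VPN client pool, server addresses and
# ports below are assumptions, not taken from the article.
VPN_POOL = ipaddress.ip_network("10.99.0.0/24")

# Ordered layer 3 rules: (action, destination network, protocol, port or None for any).
RULES = [
    ("allow", "10.10.20.15/32", "tcp", 443),   # intranet web server over HTTPS
    ("allow", "10.10.30.0/28", "tcp", 3389),   # a small range of admin jump hosts
    ("deny",  "10.10.0.0/16", "any", None),    # every other internal subnet
]

def evaluate(src, dst, proto, port):
    """Return 'allow' or 'deny' for one flow from a VPN client."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in VPN_POOL:
        return "deny"                      # these rules only cover VPN clients
    for action, net, rule_proto, rule_port in RULES:
        if dst_ip not in ipaddress.ip_network(net):
            continue
        if rule_proto not in ("any", proto):
            continue
        if rule_port is not None and rule_port != port:
            continue
        return action                      # first matching rule wins
    return "deny"                          # default deny when nothing matches

def audit(rules):
    """Flag rules that would hand VPN users a whole subnet or any port."""
    findings = []
    for action, net, proto, port in rules:
        network = ipaddress.ip_network(net)
        if action == "allow" and (port is None or network.prefixlen < 24):
            findings.append(f"broad allow: {net} {proto}/{port}")
    return findings

if __name__ == "__main__":
    for flow in [("10.99.0.7", "10.10.20.15", "tcp", 443),
                 ("10.99.0.7", "10.10.20.15", "tcp", 445),
                 ("10.99.0.7", "10.10.40.9", "tcp", 22)]:
        print(flow, "->", evaluate(*flow))
    print(audit(RULES + [("allow", "10.10.0.0/16", "any", None)]))
```

The `audit` helper is useful when reviewing an existing rule set: an allow rule covering a whole subnet on any port gives VPN users the network-wide reach this section warns about.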
Email access should be separated from your VPN
As mentioned above, certain practices over the VPN should be reduced, and one of them is accessing email. As we specialize in Microsoft Exchange Servers, we would recommend that you set up an Exchange proxy server and allow your Outlook client to access it using the RPC (Remote Procedure Call) protocol over Hypertext Transfer Protocol (HTTP). Ensure that the connection is protected with Secure Sockets Layer (SSL) encryption.
Take advantage of intranets and extranets for selected files
If you plan to display only select files on a particular server, not your entire network, utilizing intranets and extranets for this is much safer than exposing your VPN. Plus, they come with HTTPS (Hypertext Transfer Protocol Secure). Some benefits of intranets include:
• Less paperwork
• Better customer service and satisfaction
• Encourage collaboration and information sharing
• Improved internal communications
Extranets too have their own benefits and they include:
• More flexibility for your employees
• Heightened business relationships
• Avoid unnecessary costs
• Integrate supply chains
Ensure all remote users are already secured
It is important that you provide all remote users with adequate firewall protection, anti-spam and the latest antivirus definitions, and insist that they install and use them before connecting to the VPN. Once an infected computer fully connects to the VPN, it can quickly spread its infections throughout the whole network, potentially causing business disruptions.
Insist on a tough password policy
There are some rules to create and maintain a strong password, and they include:
• Passwords are not meant to be kept permanently, and they have to be changed periodically
• Some admin panels provide a built-in password generator; make good use of that
• Dictionaries provide tough words that can be used for your own passwords
• Include numbers that are familiar to you, e.g. a phone number
• Names of your pets or family members
• Ensure that the newly formed password is hard to guess
• Ensure it is of adequate length to inhibit the success rates of password-guessing programs
Scan a remote user until they are verified as safe
Before allowing a remote computer to commence a VPN session, you should prohibit full access to your network until you are sure it is compliant with your network policies. Procedures within the policies should include:
• Spam checks
• Virus checks
• The remote computer is properly patched to fix major security flaws
• The computer is free from keyloggers and Trojans
• No other software that is capable of remote-controlling the computer
However, these checks may delay the user from completing productive work for a few minutes. Hence, you should find ways to improve the experience for frequent users, such as allowing your server to 'remember' their computer scan history or even reducing the frequency of mandatory scans after each successful one.
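One way to combine the pre-connection checks with a remembered scan history is sketched below. This is an added example, not part of the original article; the check key names, the one-day starting interval and the seven-day cap are assumptions.

```python
from datetime import datetime, timedelta

# Checks taken from the list above; the key names are hypothetical.
REQUIRED_CHECKS = ("spam", "virus", "patched", "no_keylogger_or_trojan",
                   "no_remote_control_software")

BASE_INTERVAL = timedelta(days=1)    # assumed: rescan daily at first
MAX_INTERVAL = timedelta(days=7)     # assumed: never trust a scan longer than this

class PostureGate:
    """Keeps VPN clients quarantined until a scan passes, and remembers results."""

    def __init__(self):
        self.history = {}  # device id -> (last passing scan time, consecutive passes)

    def scan_interval(self, passes):
        # Each consecutive clean scan doubles the interval, up to the cap.
        return min(BASE_INTERVAL * (2 ** max(passes - 1, 0)), MAX_INTERVAL)

    def needs_scan(self, device, now):
        if device not in self.history:
            return True
        last_pass, passes = self.history[device]
        return now - last_pass > self.scan_interval(passes)

    def record_scan(self, device, results, now):
        """Store a scan result; return the list of failed or missing checks."""
        failed = [c for c in REQUIRED_CHECKS if not results.get(c, False)]
        if failed:
            self.history.pop(device, None)   # any failure resets the trust earned
        else:
            _, passes = self.history.get(device, (None, 0))
            self.history[device] = (now, passes + 1)
        return failed

    def access_level(self, device, now):
        return "quarantine" if self.needs_scan(device, now) else "full"
```

A missing check result counts as a failure, and a single failed scan discards the device's history, so the longer interval has to be earned again from the start.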
If you are looking for workgroup solutions that involve Microsoft Exchange Servers or Outlook, you can look for us at USWired Incorporated today!