Sunday, April 26, 2020
Virtual Private Networks (VPNs) are a mechanism for securely connecting devices or networks together, even when they are geographically separated. They are popular for enabling remote working from end-user devices (EUDs). This guidance provides risk owners and administrators with more generic advice than the per-platform guidance, which recommends a specific configuration for each type of EUD. It can be used to understand the risks and benefits of using a different configuration from the one we recommend.
Virtual Private Networks (VPN)
While anyone can use a VPN to secure their network usage, this guidance is aimed at organisations supporting remote working. It therefore assumes a degree of technical understanding and knowledge of topics related to the use and management of VPNs. We'll be discussing various types of VPN, but we won't be focusing on individual products in this guidance. Instead, we discuss aspects of VPN technology and configuration so you can compare and contrast different products. Platform-specific recommendations are kept in the EUD Guidance for those platforms.
Why use a VPN?
Regardless of the technologies involved, there are several common reasons why you may use VPNs to connect between EUDs and remote networks. When choosing network security technologies, keep in mind which of these you are trying to achieve:
- Protection of sensitive data in transit that would otherwise be unencrypted and vulnerable to interception (e.g. metadata, traffic to internal HTTP services)
- Enabling legacy systems to work remotely that were not designed to operate in such scenarios (e.g. SMB file servers)
- Providing a second layer of defence against misconfigured, unpatched, or poorly designed internal services (e.g. SSL intranet website with legacy cryptography)
- Protecting internal network servers from external, unauthenticated attackers by limiting network access to authenticated devices (e.g. file stores or databases)
- Protecting EUDs from network attack by preventing direct connections to/from the local network (e.g. ARP spoofing attacks, or attacking open network interfaces on the EUD)
- Forcing traffic between EUDs and external services through internal, protective monitoring tools guarding against a variety of threats (e.g. inspecting web content for malicious code)
- Enabling business monitoring and/or blocking of users’ network traffic for legal reasons, discipline, and duty of care (e.g. blacklisting websites)