The Security Nightmare of Small Business VPNs
I was having lunch with an old friend of mine who does a lot of small and micro-business work. He was telling me about several real estate offices who recently discovered the magic of Virtual Private Networking. Seems that once the employees of these real estate offices learned that they could get files from home over the VPN connection, they rarely come into work. This isn't such a bad thing, as most of the agents were much more productive working from home, as this made it easier for them to be on the road with clients.
Working with VPNs is nothing new to me. As a network security guy, I've been using VPN technology since I got into the business in the early 1990s. Given my great familiarity with VPNs, I asked my friend what he was doing to secure the network from the VPN users. What types of access controls was he placing on the VPN connections to protect the network from the unmanaged clients connecting to the real estate office's network?
My friend was sort of surprised to hear this. He figured that VPNs were security technologies, so there was really nothing else that needed to be done. ACK! I explained to him that while VPNs provide privacy, they don't do a whole lot for security. I explained to him that VPN connections are especially dangerous because users are using their own computers, such as home computers that teenagers and other security risks use, and that any security issues on these VPN client computers can be easily spread to the real estate offices' networks.
He wanted to know what he could do. The first and most important thing is to use a VPN server that allows you to control what users can access when connected to the network. What is it they need to do when they connect? Read pages on an internal Web server? Get files from a specific network share? RDP into their own computers? Determine what the users need and give them permission to only access the information they need. This is known as the principle of least privilege.
The second thing he needs to do is use a mechanism that tests the client computer's health before that comes is allowed to connect. Does the VPN client computer have the Windows Firewall enabled? Does the VPN client computer have the most recently security updates installed? Does the VPN client computer have AV and AS software installed, and if so, does the AV and AS software have their latest updates installed? By requiring the VPN client machines to have minimum security configurations installed and enabled, you can go a long way at protecting the office network against spread of virus and worm infections from unmanaged VPN client computers.
So how to you do this with Microsoft technologies? The ISA Firewall is also a VPN server. You can easily configure least privilege using an ISA Firewall VPN server. In addition, the ISA Firewall performs stateful packet and application layer inspection for further security. The ISA Firewall also includes a remote access quarantine function that allows you to block connections from machines that don't meet your client health requirements.
In the future, you can replace the ISA Firewall's remote access quarantine function with Network Access Protection. NAP is a more sophisticated method of controlling access for non-compliant computers. NAP requires a Windows Server 2008 infrastructure and Windows XP SP3 or Windows Vista clients.
The take home message for small businesses is that you need to enforce some control over the connections made by VPN clients. The security problems these home workers have on their own home computers will soon be yours if you don't make sure to enforce least privilege and enforce system health requirements before allowing VPN clients to connect.
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: [email protected]
MVP - Microsoft Firewalls (ISA)