Preventing VPN Problems from Derailing Mobile Workers
by Stephen Cobb, originally published in Mobile Security Advisor
These days, most people who do company work on a company computer outside the company office use some type of virtual private network (VPN). In fact, when business travelers using high speed Internet access at hotels were surveyed recently by mobile broadband provider STSN, over 90 percent said that they used their high speed connection for VPN access. This is perhaps not surprising, given the benefits of a VPN, a security technology that lets the IT department deliver a big productivity boost. Unfortunately, that boost can quickly fizzle if employees run into problems using the VPN when they are on the road. While this article cannot promise solutions to every VPN problem, it does provide advice on how to avoid or resolve them for the mobile workforce.
The Mobile Access Issue
The reason most people use a VPN is that they need to access two very valuable information resources: corporate email and corporate data. Innumerable case studies have shown that, if the right people can access these resources from anywhere, and at any time, then big gains in productivity can be realized. In this context, "the right people" may include employees of the company, trusted contractors, consultants, and even vendors.
On the other hand, if the wrong people (generically referred to as attackers, including criminal hackers, unethical competitors, and cyber-vandals) gain access to these same corporate resources, either by penetrating company systems or by intercepting communications to or from remote users, the results can be very bad for the company. In a worst case scenario productivity and profitability can both take big hits.
There was a time when secure access to email and data on the corporate network was accomplished by using a dedicated connection between the remote worker's computer and the corporate network, in other words, dial-up. Intercepting data that is being communicated on a dial-up connection is quite a challenge, so attacks tended to focus on the part of the system that served up the connectivity to the remote user, the remote access server, or RAS. Techniques like war-dialing and social engineering were used to find the target phone numbers and then attempts were made to 'spoof' legitimate users dialing in. This led to the development of more robust authentication of users, notably the technology known as Remote Authentication Dial-In User Service or RADIUS.
Although RADIUS greatly improved the security of dial-up connections, users were increasingly frustrated by the slow speed of such connections, particularly as the average business file kept putting on the kilobytes due to content enrichment, first from graphics, then audio and video. The shortcomings of dial-up were highlighted by the much higher bandwidth that Internet connections provided, first via ISDN, then via cable and DSL. As broadband became available at more and more of the locations from which remote users wanted to connect, like hotels and airports, corporate IT managers came under increasing pressure to enable high speed access to the enterprise network via the Internet.
Unfortunately, the Internet is an inherently insecure networking environment. Some means of shielding sensitive communications is essential to avoid eavesdropping. One method of doing this is an encrypted tunnel between a remote computer and a gateway device on the company network. Although the connection is established over the public Internet, communications within the tunnel remain private, because anyone on the path sees only ciphertext. A VPN provides such a tunnel. Indeed, a VPN can leverage the strong authentication already provided by RADIUS as the basis for secure communications between remote users and the company network. IPsec is the protocol suite most commonly used to build such tunnels.
The Challenge
When a VPN works, it is a great way to communicate. The cost of dedicated phone lines is avoided and the speed can go as high as the broadband connection allows. Unfortunately, things have to be "just so" for a VPN to work. The remote machine has to be configured correctly, as does the Internet service connection by which it reaches the VPN gateway. Furthermore, this configuration has to remain correct despite the broad and ever-growing range of applications and services of which mobile users like to avail themselves, from streaming audio and video to webcasts and voice calls.
Technology and people being what they are, meeting the tight configuration requirement of a VPN tends to get harder the more distance there is between the user and the person who installed the VPN and made sure it was, at some point, working properly. Two major problems can arise if configuration of a remote machine is allowed to vary too far from the settings that make the VPN work:
1. The remote machine cannot connect to the VPN, typically resulting in user frustration, costly calls to the Help Desk, and even lost business.
2. The remote machine is rendered vulnerable to a variety of attacks.
While the first problem is more immediate and tends to get the most attention, the second problem is significant because the whole point of the VPN is security, which can be very quickly undermined by inappropriate changes in configuration, such as opening the wrong ports. By implementing the VPN, the company has acknowledged that there are three things worth protecting: information on the remote machine, information on the company network, and the communication channel between the two. All three can be put at risk if a VPN problem is not handled properly. Fortunately, there are four steps you can take to minimize this risk.
Configuration Tuning
When a VPN is first deployed within an organization, the basic configuration requirements are established and implemented on devices that are authorized to make VPN connections. However, this is just the starting point. You need to be prepared for the fact that most of these devices are going to operate outside the office in which the initial configuration is performed. In this sense, VPN deployment is more like a rolling field test than a traditional, relatively static, desktop application deployment.
You need to have a system in place for recording configuration changes and pushing them out to users as VPN device configurations are fine-tuned to accommodate variables such as the handling of IP addressing by the provider of the Internet service over which the VPN is connecting. In some cases the choice of Internet service provider can be controlled, for example, when a company chooses a single provider to enable employees to work from home within a metropolitan area. But employees who are traveling may encounter several different providers, sometimes on a single road trip, requiring 'tweaking' of configurations. It is important to document this knowledge in an easily searchable manner for support purposes (for example, "VPN via wireless access at Airport XXX is provided by YYY and requires UDP Port ZZZ"; for an IPsec VPN the ports in question are usually UDP 500 for IKE and UDP 4500 for NAT-Traversal).
Configuration Enforcement
If the Help Desk can talk a user through a change in configuration that makes the VPN work, that is usually a good thing. If a user makes an unauthorized change to the configuration, that can be a bad thing. Unfortunately, there are plenty of web sites and applications that will happily talk the unsuspecting user through all sorts of changes to make things work, whether it is online gambling, a new music video, or even a work-related webcast (out of professional courtesy we will not name the company that sponsored a webcast on the subject of "VPN security" which required participants to turn off their firewalls).
The problem of 'freelance configuration changes' should be tackled on two fronts. First, limit user permissions as much as possible. This can provoke squeals of outrage if users have grown accustomed to thinking of the company laptop as their laptop, and some users, such as field engineers, may have to be exempt. Be firm. After all, it is the company's computer and the company's assets that are put at risk by unauthorized changes. The second front in the fight against unauthorized changes is user education.
User Education
If there is one aspect of information system security in which just about every company falls short, it is user education. The proper use of the VPN is no exception. Users are often given the technical means to make a VPN connection, but not the knowledge required to use it responsibly.
Some of this knowledge can carry over from mainstream security awareness training, like: how to choose and protect passwords; how to make sure anti-virus software is active and up-to-date; the proper use of a laptop firewall; knowing not to open email attachments unless you are sure you know what they contain. Secure VPN deployment means going beyond the basics: teaching employees not to connect to Wi-Fi access points that don't require any form of authentication; not to use wired or wireless Internet services that don't use either a secure client or SSL to encrypt the web pages used for login and/or payment; and turning off file-and-print sharing and the wireless card's ad hoc (peer-to-peer) mode.
Sadly, some companies aren't even covering the operational basics. Just ask the people who support broadband service to hotels at companies such as GuestTek, Wayport, and STSN. It is not unusual for them to receive calls from hotel guests complaining that they can't log in to the company VPN when in fact they have not yet established an Internet connection. This is not as implausible as it might sound to the experienced user, which is why those who support users need to be able to see things from their perspective.
Consider the user who starts up a laptop in a hotel room or lobby and sees a Windows XP system message indicating that a network connection has been made. This could be a wireless signal acquired by XP, or the result of the user plugging the hotel's Ethernet cable into the laptop. Is it so unreasonable to assume that the VPN client can now be launched? In fact, the user first needs to log in to the service that is providing the network connection in order to get on the Internet; until that login page has been completed, the provider's gateway intercepts outbound traffic and the VPN client's attempt to reach the company gateway goes nowhere. Users should probably also be taught to be wary of an Internet connection that is provided without any login process: if the provider doesn't want to know who you are, it is unlikely to be managing or monitoring the network either. Note that the login itself does nothing to protect the traffic; that is the VPN tunnel's job. The login is a sign of a managed network, not a substitute for the VPN.
Of course, if your VPN users are all network engineers they may not need, and may object to, education at such a basic level. But many companies appear to be deploying VPNs to people who have no IT training and thus lack the knowledge they need to operate the technology. The more you teach users, the fewer calls they will make to the Help Desk. And remember, users often need help with the VPN outside of normal business hours.
Provider Selection
Using a reputable hotel or hotspot broadband provider is one way for business travelers to reduce VPN issues. Traditionally, the IT department has not had much influence over employee travel planning, but the fact is, when employees connect from hotels and hotspots where the company VPN is properly supported, the calls to the Help Desk go down. That reduces the level of both VPN frustration and cost. In fact, there is now a dialogue underway within some companies between corporate IT managers and the folks in charge of employee travel and company conference planning. If you have a lot of traveling VPN users to support you might also want to begin a dialogue with the leading hotel and hotspot broadband providers. Ask them about how they support VPNs and VPN users.
To support VPN users properly, a hotel or hotspot broadband provider needs a centrally managed and monitored network, which typically means on-property hardware with a dedicated backhaul connection to a carrier class point of presence (POP). The provider's system should be able to provide appropriate network address translation (NAT) to support the VPN's IP addressing scheme. For IPsec that means passing IKE on UDP port 500 and NAT-Traversal on UDP port 4500, because raw ESP (IP protocol 50) carries no port numbers and cannot be reliably translated for more than one guest at a time. Be wary of networks that require the use of a system-assigned public IP address to make the VPN work on an employee's laptop; that machine will very quickly come under attack from the Internet. A provider's system should also have a sufficient number of available IP addresses so that guests are not forced to share a single address, since many VPN clients behind one translated address is precisely the case that fails without NAT-Traversal.
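The two failure modes described above (a user launching the VPN client before the hotel login has been completed, and a provider network whose NAT or filtering blocks what IPsec needs) can both be checked for before the Help Desk gets a call. The following Python script is an added example, not code from the original article or from any of the providers named in it. The probe URL, its expected 204 response and the hostnames in the sample data are assumptions; the IPsec port and protocol numbers (UDP 500 for IKE, UDP 4500 for NAT-Traversal, IP protocol 50 for ESP) are the standard ones.

```python
# Added example: a VPN pre-flight check. Part one classifies what sits
# between the laptop and the Internet using the same trick operating
# systems use for captive-portal detection: fetch a URL whose exact
# response is known and see whether something else answers. Part two
# lists what a hotel or hotspot network is missing for an IPsec tunnel.
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import List, Optional, Set
from urllib.parse import urlparse

# Assumption: the company hosts a small probe page that always returns
# 204 No Content with an empty body. Any fixed, known response would do.
PROBE_URL = "http://vpn-probe.example.com/generate_204"
EXPECTED_STATUS = 204


@dataclass
class ProbeResult:
    status: Optional[int]           # None when nothing answered at all
    location: Optional[str] = None  # Location header on a redirect
    body: str = ""


def classify_probe(result: ProbeResult) -> str:
    """Return 'no_connection', 'captive_portal', 'internet' or 'unknown'."""
    if result.status is None:
        return "no_connection"
    if result.status == EXPECTED_STATUS and not result.body.strip():
        return "internet"
    if result.status in (301, 302, 303, 307, 308) and result.location:
        target = urlparse(result.location).hostname
        if target and target != urlparse(PROBE_URL).hostname:
            return "captive_portal"  # bounced to the provider's login page
    if result.status == 200 and "<html" in result.body.lower():
        return "captive_portal"      # login page served in place of our probe
    return "unknown"


def live_probe(url: str = PROBE_URL, timeout: float = 5.0) -> ProbeResult:
    """Issue the probe for real. Redirects are deliberately not followed,
    so a captive portal shows up as a 3xx instead of being loaded silently."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # makes urllib raise HTTPError for the 3xx

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return ProbeResult(resp.status, resp.headers.get("Location"),
                               resp.read(4096).decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return ProbeResult(e.code, e.headers.get("Location"),
                           e.read(4096).decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return ProbeResult(None)


IKE_PORT = 500     # IKE (ISAKMP) negotiation
NAT_T_PORT = 4500  # UDP-encapsulated IKE and ESP once NAT is detected


def ipsec_path_problems(udp_ports_open: Set[int], esp_allowed: bool,
                        behind_nat: bool) -> List[str]:
    """List what the network is missing for an IPsec VPN; empty means OK."""
    problems = []
    if IKE_PORT not in udp_ports_open:
        problems.append("UDP 500 blocked: IKE cannot negotiate the tunnel")
    if behind_nat:
        # Raw ESP has no port numbers, so the NAT cannot keep several
        # guests apart; the peers fall back to NAT-T on UDP 4500 instead.
        if NAT_T_PORT not in udp_ports_open:
            problems.append("UDP 4500 blocked: behind NAT the ESP traffic "
                            "must be UDP-encapsulated (NAT-T) to get through")
    elif not esp_allowed:
        # Without NAT the peers use raw ESP by default; the client would
        # have to be configured to force UDP encapsulation to work here.
        problems.append("ESP (IP protocol 50) filtered: encrypted traffic "
                        "cannot flow unless UDP encapsulation is forced")
    return problems


if __name__ == "__main__":
    # Stand-alone use: probe the live network, then check a provider
    # profile recorded by the Help Desk (constructed sample values).
    print("connectivity:", classify_probe(live_probe()))
    print("ipsec issues:", ipsec_path_problems({500, 4500}, False, True))
```

In practice the provider profile (which UDP ports pass, whether ESP passes, whether guests sit behind NAT) is exactly the knowledge the Configuration Tuning section says should be recorded per location, so the second function can be fed straight from that record. The live probe will report no_connection on a machine with no network, which is the correct answer, not an error.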
Summary
A sizeable percentage of the mobile workforce now relies on VPN technology to get its work done. The productivity benefits and cost-savings can be substantial, if you can prevent them from being eroded by support costs and security breaches. Prevention efforts start with configuration management and enforcement. They are backed up by proper user education and judicious provider selection. In concert, these measures can cut costs and ensure a solid return on your VPN investment.
Stephen Cobb, CISSP, is the author of "Privacy for Business" and the Chief Security Executive of STSN, which certifies and supports VPN connectivity on its worldwide hotel broadband network. He can be reached as sc at cobbsblog.com.