VPN Audits — A Primer and a Security Audit Checklist

Popularity of VPNs (virtual private networks) has grown with the popularity, and necessity, of remote workers using outside-the-firewall remote access, often on public WiFi, to tap into internal networks. Like anyone selling a product or service, VPN service providers make bold claims and promises. But should you trust them? How can you identify vulnerabilities, and verify the reliability and performance, of your company's VPN? 

VPNs are a critical part of a layered approach to network security.

One way is to look at security audits and stress tests performed by impartial, third party parties. VPNs are a critical part of a layered approach to network security, and the new year is a great time to see if your corporate network is protected against the latest cybersecurity threats.

What is a VPN audit?

First things first: What are we talking about when we refer to a VPN audit? According to a recent TechRadar article, "A VPN audit is a process where a provider calls in an experienced independent company like PricewaterhouseCoopers to check an aspect or some aspects of its service."

Is there a difference between a VPN audit and a security audit? Yes.

Is there a difference between a VPN audit and a security audit? Yes. VPN audits are privacy audits focused on verifying a consumer VPN provider's logging policies. Security audits are more comprehensive examinations of a company using a VPN and its security policies and security controls.  

What Information do VPN Audit Reports Provide?

Methodology, data, and findings can vary based on the scope of the report, but ideally they look at a VPN in its entirety. Keep in mind that some published reports may, based on direction from the VPN provider, look at little more than a service's browser extensions. That alone isn't going to tell you much, if anything, about your overall security. 

A comprehensive VPN provider audit should look at every part — technological and human — of the service:

  • Servers
  • Source code
  • Configurations
  • Company staff
  • Logging policies
  • Apps
  • Backend systems

When it comes to network access...you want as much detailed information as possible — both good and bad.

It's natural for companies and humans to want to share only the good aspects of their products (or themselves). But when it comes to network access, and guarding against unauthorized access, you want as much detailed information as possible — both good and bad. 

Where You Can Find VPN Audit Reports

Reputable VPN providers are continuously working to improve their products and services, and audits, either internal or external, are one the tools they use to find and fix bugs. 

Engaging a third party auditor is time-consuming and costly for a VPN service provider, so they'll likely make an audit report available to the public or, at the very least, their existing customers. The company will want to share positive results as well as their efforts to fix any gaps that the audit uncovered. 

Testing and Enhancing Your VPN is Critical to Risk Management

VPN access is a game changer for remote work; employees can work anywhere with a laptop and internet access. As we often say, though, the best cybersecurity approach is layered, and there are several security measures you can take to enhance your VPN. 

Check for DNS and IP Leaks Your DNS and IP address are at the heart of keeping your network safe from hackers — the ones wearing black hats — intent on launching malware, denial of service (DOS), or other types of attacks. Some VPNs have leaked DNS and IP info, but you can test your VPN for leaks with easily accessible online tools. 

Add a Kill Switch Every internet-based service has an occasional failure. A kill switch blocks any data leakage via the network in the event of a dropped VPN connection.

Use IDS/IPS Intrusion detection systems and intrusion prevention systems continuously monitor your network, looking for possible malicious incidents, and capturing information about those incidents. OpenVPN subscribers can activate IDS/IPS by activating the Cyber Shield feature.

Enable a Firewall A firewall and a VPN can, and should, be used together to create a more well-rounded secure network. Rather than turning off a firewall altogether, use a firewall configuration, and firewall rules, that allow authorized applications or services through.

Continuing Education The best security policy in the world won't work if people aren't aware of it. Your company's employees want to get their jobs done, but they're not experts in the importance of using VPN connections for authentication, access control, and information security. Establish an employee education program that regularly shares the latest updates for using VPN clients with different operating systems, and remind them of your password policy. 

Create Your Own Security Audit Checklist Network admins and security analysts are in the best position to understand the functionality of your network as a whole as well as the security approaches and management processes that are in place. Work with your team to develop a checklist you can use as a guide, and revisit it to ensure it takes the latest threats and security measures into consideration.

Recommended Reading

Learn about the importance of guarding sensitive data with data protection policies that secure your endpoints, networks, and cloud environments here.

Share this story: