Securing Remote Access Using VPN

Why the use of a VPN is the right security measure to employ in extending private network services.

Abstract

This white paper examines the reasons as to why a VPN is the right solution for protecting the network perimeter while providing secure access to a variety of devices ranging from office computing devices to cellular smartphones and IoT. The main benefits of a VPN are:

Introduction

About 40% of United States organizations surveyed in 2016 by PwC admitted to being affected by cybercrime. We believe that while defense against cybercrime needs to be multipronged, network security is the foundation on which all the other safeguards rely.

As the variety and intensity of cyber threats increase, network administrators need to balance the desire of completely locking down their organization’s internal networks to the Internet, with the need to provide ubiquitous access to the internal network from a plethora of remote devices introduced by employees, contractors, and IoT. This balance can be achieved by making use of a Virtual Private Network (VPN) that leverages the Internet to provide secure virtual network access. This paper makes the case for use of VPN as a means to securely extend internal network services to a variety of authorized devices and users.

We start with the basics by introducing the concepts of a private network and a virtual private network. We then examine the need for a VPN and the key features that a good VPN solution should possess. We review OpenVPN Access Server solution features and show why it’s the best fit for VPN needs. Lastly, the paper concludes by illustrating how two OpenVPN deployments successfully satisfied the needs of diverse verticals and a use case for VPN remote access.

What is a Private Network?

We are all well aware of the various services that we obtain from the Internet—world wide web, internet radio, social networking, instant messaging, and other services—these services are meant for public consumption. The servers on the Internet offering these services are meant to be accessed by anyone and are on the public-facing side of the service.

While these servers are meant to serve legitimate users, their exposure to the Internet means that these servers on the ‘public network’ are open to probing and attacks from malicious users. These malicious users probe Internet-accessible servers for security weaknesses and exploit them to access sensitive information.

The best way to protect sensitive data and applications is to restrict access to them over ‘public networks’ such as the Internet. The networks that connect the infrastructure that house sensitive data are isolated from the Internet, to keep them secure, by using a range of IP addresses that are unreachable over the Internet. Security is strengthened by placing access restrictions on these networks so only specific traffic only from authorized external devices can get access. These isolated and access restricted networks are referred to as ‘private networks.’

One can think of the security model of a private network as being similar to a castle protected by a deep and wide moat and drawbridges. The moat that isolates the castle from attack can be equated to the use of non-routable IP address ranges, while the use of drawbridges to allow entry/exit can be thought of as strict access control applied to traffic and external devices

What is a Virtual Private Network (VPN)?

An enterprise can have a private network that connects all their IT infrastructure and employee’s computers to form a corporate intranet. This network allows for access to all internal IT services such as payroll, email, etc., at the enterprise’s main headquarters. As the enterprise grows, the private network may also need to be extended to additional branch offices.

To establish connectivity between offices for their private network while keeping the network separate from the Internet, dedicated data transport with leased telecommunication circuits are often used. The telecommunication services used to create this connectivity between locations are quite expensive and a more economical alternative was desired.

With advances in cryptography, computing technology, and pervasiveness of the Internet, it became possible to encrypt data traffic and tunnel it over the Internet to a server located in the private network. The secure tunnel creates a virtual link which extends the private network over a public network. This kind of network that makes use of public networks to provide private network connectivity is called Virtual Private Network (VPN).

A VPN can make use of one of many technologies such as Internet Protocol Security (IPsec), Transport Layer Security (SSL/TLS), Datagram Transport Layer Security (DTLS), to securely connect devices or networks, over public networks, in order to extend or form a private network.

The same technology that is used to create virtual connectivity between networks can also be used to connect a user’s devices to a private network. A common use of VPNs is to provide remote employees secure access over the Internet to their company’s IT services. Employees use VPN clients installed on corporate laptops or mobile devices to connect to a VPN server that is present in the company’s private network.

The remote access use case is not limited to access for employees. Any Internet-connected device can use a VPN to be a part of a private network. Devices can range from normal computing devices like laptops to specialized industrial sensors or consumer electronics like smart TVs.

Why is a VPN Needed?

In this section, we explore the various reasons and benefits of using virtual private networks.

Reduces Risk
A Clark School study1 is one of the first to quantify the near-constant rate of hacker attacks
on computers with Internet access—every 39 seconds on average—and the non-secure
usernames and passwords we use that give attackers more chance of success.

As more devices and services are exposed to the Internet the magnitude of cyber attack risk to the overall network and all the devices connected to the network increases. Extending convenient VPN access to the needed devices means that the need of opening up your private services to the Internet, just for internal consumption, is reduced. A properly implemented VPN allows only trusted devices to access your private network and implements strict access controls to enforce least-privilege access. These measures reduce the number of attack vectors available to a hacker to compromise network security.

VPN solutions also enforce mutual authentication in which both the VPN Server and the connecting device authenticate each other's identity. On success, the user accessing the network is authenticated using username/password and, optionally, by using another form of authentication which can be a security token supplied by something the user has in her possession such as a mobile phone or smart card. Once the device and user are authenticated, the VPN server can enforce access rules such that the user gets access to only the subset of systems/services that the user has rights to access. With all these protections in place, a good and well-implemented VPN solution protects the private network perimeter. Additional security protections at the services and applications layer paired with other cyber defenses are now effective given that the network perimeter is secure.

Another security advantage afforded by the use of a VPN is data encryption, this safeguards against eavesdropping and data loss. This is particularly important while connecting over untrustworthy free Wi-Fi hotspots. Scammers can use Wi-Fi hotspots that mimic a legitimate hotspot in the hopes of stealing credentials and other sensitive information from unsuspecting users. Use of VPN encrypts traffic end-to-end keeping all information private and making the user immune to the threat of rouge Wi-Fi networks.

One might ask, “Does VPN still make sense when many enterprise applications are being offered using the Software as a Service (SaaS) model and are meant to be accessed directly from the Internet?” Not all SaaS applications offer the level of security that can get the seal of approval from your IT security experts. Therefore, only a select few SaaS applications are cleared and sanctioned by corporate security. SaaS applications, typically, rely only on username/password authentication. If security best practices for password strength and account lockout on unsuccessful attempts are not followed, brute-force attacks and exploits on weak password recovery mechanisms can be used to gain unauthorized access. As an additional security measure, IT Security Managers may restrict user access, to sanctioned SaaS applications, to only a specific range of IP addresses that belong to your company. Therefore, it is prudent to let corporate security policies be enforced by using VPN to connect to your corporate network first and then to access SaaS applications via the corporate network.

One may ask, “Isn’t the security afforded by using HTTPS adequate enough to not need a VPN?” HTTPS may not be in continual use during the entire web browsing session. It is generally used only by certain websites and only for certain transactions where sensitive information like username/password or credit card information is being transferred. HTTPS does do a good job in securing sensitive information when in use, but to ensure privacy of your entire web browsing session and to protect all your traffic while connected to untrusted networks, it is best to use a VPN. HTTPS uses TCP and offers security to web applications. Therefore, it is not capable of securing traffic from all the non-web applications you may be using on your device such as email, or VoIP and streaming applications that do not rely on TCP such as Skype, or Spotify. With use of a VPN, all traffic from the device irrespective of the application generating the traffic can be secured. Being an application-specific secure transport protocol, HTTPS does not act as a virtual private network and hence cannot provide all the advantages of a VPN such as access to file shares, network printers and other network resources of the larger private network.

Secures & Extends Private Network Services
The main purpose of a VPN is to provide secure access to a private network while not being directly connected to the physical private network. Thus, a VPN extends all the services available on the private network as if the devices are directly connected to the private network even though the device is just connected to the Internet.

To an employee of a large multinational enterprise, this would mean access to the services of the Corporate IT network over the Internet. Corporate IT may be providing services such as file servers, print servers, intranet websites, ERP systems, backup servers, etc. These services are meant for internal use only, but with use of a VPN, the employee is not restricted to physical locations with direct connectivity to the internal IT private network. If the employee is a home-based remote worker or a traveling salesperson, they can still use these internal IT services while connected to the ubiquitous Internet. They continue to get the same IT service experience as being present in their corporate office.

The same private network could be providing specialized sensitive services to Internet-connected devices such as IP telephony, or device management. A VPN can be used to securely connect these devices to the computing infrastructure that is providing specialized services over a private network. VPN is a great solution to securely transfer data being transmitted and received by the variety of devices that comprises the burgeoning area of Internet of Things (IoT).

In January 2017, RightScale conducted its sixth annual State of the Cloud Survey of the latest Cloud computing trends, with a focus on infrastructure-as-a-service (IaaS)2. The survey asked 1,002 IT professionals about their adoption of Cloud infrastructure and related technologies. The results revealed that a ‘hybrid Cloud’ is the preferred enterprise IT strategy and that 85 percent of enterprises have a multi-Cloud strategy.

With more and more IT infrastructure being migrated to the Cloud, and reliance of some enterprises on applications running on infrastructure provided by different Cloud providers, having secure inter-Cloud communications is essential. A VPN can be used to securely route private traffic between various clouds and on-premise data centers. A VPN server implemented in one Cloud (Cloud A) with VPN clients integrated into servers present in another Cloud (Cloud B) would allow for secure communications between the two clouds.

Having user identities associated with servers in Cloud B could allow controlling their access to specific servers in Cloud A that are responsible for exposing only certain API for consumption by Cloud B. Alternatively, a VPN could be implemented between Cloud A, and Cloud B in a site-to-site configuration wherein one site has the VPN Server while the other has a VPN Client that is configured to act as a gateway (VPN Gateway). This configuration will allow equipment in both Clouds to communicate with each other through the encrypted tunnel setup between the VPN Server and the VPN Gateway.

An advantage of using IaaS offerings from the dominant large Cloud providers is that their offerings have worldwide availability. If a business is already using Cloud and has employees or devices that need access to their private network from worldwide locations, that business can scale their private network connectivity by using VPN to bring the network closer to the geographic location in which the employees or devices reside. Employees can get faster speeds and lower latency for their remote access when the VPN servers are co-located with private network resources and deployed in Cloud regions that are closest to them. As the business builds and distributes its IT services worldwide on the Cloud infrastructure, employees can access these distributed services from site closest to them using remote access VPN. This essentially allows a company to create a worldwide private network that is secure, isolated, economical and fast.

Leverages Existing Security Investments
An enterprise needs to give paramount importance to security. No enterprise wants to be in a position to explain the reason for a data breach. To that end, companies invest heavily in people, processes, tools, software and hardware infrastructure for the explicit purpose of strengthening the organization's overall security posture. This includes reducing the attack surface of their internal and private services by employing a variety of safeguards. Use of a private network with public network access protected by firewalls, web proxies, intrusion detection systems form the major bulk of network perimeter security investments.

IT security teams of small and midsize businesses are increasingly using a single appliance or service that provides multiple security features called Unified Threat Management (UTM) service/appliance. This unified service reduces complexity and costs by combining antivirus, anti-spam, content filtering, and web filtering with network security such as firewalls and network intrusion detection and protection. Some UTM implementations also include a VPN server and vice versa.

These safeguards are deployed in a few central networking locations to maximize the return on investment. By using VPN to bring all traffic from remote networks and devices to these main locations, the company continues to economically maintain strong security without the additional operational complexity of distributing network protection infrastructure to multiple locations. Thus, use of VPN aids in the reduction of the attack surface for network exploits while extending the same security protections of the private network to remote locations/devices.

Once remote locations/devices get private network connectivity via VPN all the centralized security services are enabled. Endpoint security services such as antivirus software, OS security patches, can be pushed to the VPN-connected devices just as if the devices are directly connected to the corporate IT network. This allows the company to maintain a unified defense against threats throughout the company’s networked devices regardless of location.

Increases Employee Productivity
When employees are out of the office away from direct connectivity to the private network, they still need to use the plethora of services that are only available while connected to the company’s network. For any employer that deploys a mobile workforce it is imperative for employees to access their corporate applications from anywhere in the world.

Luckily, high-speed Internet access from cellular data networks and almost omnipresent WiFi hotspots make it nearly impossible to be in a place without access to the Internet. Whether traveling on a train, in an airport, or at a hotel, there is always Internet access to be found. A VPN rides on this Internet access and makes private network access equally ubiquitous. Thus, VPN along with mobile Internet access is a combination that allows employees to access enterprise applications and increase productivity while away from office.

Why is OpenVPN Access Server the VPN Software Solution of Choice?

OpenVPN is a full-featured open source SSL VPN solution that accommodates a wide range of remote access solutions with fine-grained access-controls. Starting with the fundamental premise that complexity is the enemy of security, OpenVPN offers a cost-effective, lightweight alternative to other VPN technologies that is well-targeted for the SME and enterprise markets. OpenVPN Access Server creates value by delivering a platform for enabling secure, remote access to applications deployed on a physical network and/or virtualized Cloud environments.

Underpinned by Widely Deployed Open Source Projects
OpenVPN comes from an Open Source heritage. OpenVPN, our award-winning open source VPN product, has established itself as a de-facto standard in the open source networking space. OpenVPN has rapidly become one of the most popular open source projects in the networking space with a large and distributed community spread across the globe and more than 50 million downloads. OpenVPN makes use of mbed TLS or OpenSSL as the core for providing cryptographic services. Both OpenSSL and mbed TLS are open source projects. According to OSTIF, OpenSSL powers the vast majority of the Internet and OpenSSL is a dependency for 69% of the top million busiest sites on the Internet3.

Assured Security By Exhaustive Scrutiny
VPN software solution guards remote access to your internal network. Therefore, the VPN server needs to be bullet-proof without any security holes. Since OpenVPN is open source technology, anyone can analyze the code and find potential problems. We encourage researchers and the open source community at large to review our code and report problems by supporting bug bounty programs via OSTIF. With the open source community behind us and in-house experts including authors of the original OpenVPN source code, one can be assured of quick fixes and security patches in case any vulnerabilities do get discovered.

The current version of OpenVPN 2.4.2 was released after fixing vulnerabilities discovered from an audit4 of version 2.4. Being recognized as crucial open source software, OpenVPN undergoes regular audits and quick fixes.

Light On The Wallet, Heavy On Functionality
We use an economical licensing model that is based only on the number of simultaneously connected devices to the VPN Access Server instead of per user. This means that you can accommodate a much larger number of remote devices with fewer licenses given that all devices don't need to be connected to the VPN Server all the time. OpenVPN makes for a very attractive cost-benefit ratio by containing all the essential features needed to implement a VPN right out of the box.

Setting up a robust implementation of a VPN is complex but OpenVPN Access Server and
OpenVPN Clients makes it easy with the following features:

Customer Case Studies and Use Cases

While the most common use of virtual private networking that comes to mind is that of remote access to your company network to facilitate telecommuting, that scenario is just the tip of the iceberg. OpenVPN Access Server software can be used anywhere there is a need to securely carry out communications over the Internet and form an access-controlled private network between all the distributed endpoints

Case Study: How a VPN Aids Trane In Remote Monitoring

About Customer
Trane is a world leader in air conditioning systems, services and solutions, they control the comfort of the air for people in homes and many of the world's largest and most famous commercial, industrial and institutional buildings.

Customer Challenge
Trane needed the means to securely monitor the health of critical HVAC systems. These systems were spread across the world.

OpenVPN Solution
Trane used OpenVPN Access Server software and OpenVPN clients for Linux and Windows operating systems. Trane selected our solution because their equipment installers could easily install our VPN clients and our server supported some of their required advanced networking features along with an external MySQL database.

Results
With OpenVPN, Trane was able to create a private network that enabled their central monitoring center to carry out round the clock remote monitoring for more than 4,000 of their remote telemetry locations.

Case Study: How Our Software Secures SICOM Point of Sale (POS) Transactions

About Customer
SICOM is a provider of quick service restaurant technology that serves more than 25,000 restaurants in over 50 countries.

Customer Challenge
SICOM’s hybrid-Cloud POS systems rely on the Cloud for configuration, reporting, payment processing, and other services. They needed a means to securely connect their POS to these Cloud-based services.

OpenVPN Solution
OpenVPN Access Server software is deployed on SICOM’s Cloud and OpenVPN Connect client for Windows is integrated into their POS solutions

Results
With OpenVPN, SICOM is able to rest easy knowing that their critical Cloud-based services are being securely delivered to more than 16,000 of their POS systems.

Use Case: A VPN Increases Mobile Workforce Productivity

Customer Challenge
Lets consider a home security company that uses contractors to install security systems in their customer’s houses. This company want to use a legacy mobile workforce management software that they had developed in-house. This workforce management system integrate with a variety of internal systems like inventory, time management, order systems, and other databases. The company does not want to expose the workforce management software to the Internet because the software was designed only for internal use when it was initially developed. Therefore, there is a high probability that the solution would be vulnerable to exploits. The company wants their contracted workforce to use this software during and between customer installations along with corporate email. They have equipped these installation contractors with Android tablets integrated with mobile broadband.

VPN: An Ideal Solution
The company could install a VPN Server at their datacenter and VPN clients in each of the contractor’s Android tablets. The VPN server could use LDAP to access the company Active Directory for authentication and to differentiate contractors from employees. The Server could maintain a network access rule for contractors which allows only access to the email and workforce management servers.

Results
With the use of a VPN, the company could continue using the legacy mobile workforce management software for their contractors while restricting contractor access to just a few internal systems.