A Look At Why Businesses Of All Sizes Are Beginning To Turn To A Scalable Robust VPN Solution For Network Security

After All, Employees Are Only Human

Unfortunately, businesses rely all too much on their employees to keep things secure. While more companies are beginning to adopt cyber security policies, a recent OpenVPN survey discovered 25 percent of employees reuse the same password for everything. And 23 percent of employees admit to very frequently clicking on links before verifying they lead to a website they intended to visit.

Cybersecurity breaches are a matter of ‘when’ not ‘if’, and organizations have to be ready to address hackers head on. But with businesses so focused on external threats, they often overlook the role their own employees play in exposing vulnerabilities from inside an organization.

Whether from coffee shops, co-working spaces or shared wireless at an industry conference, small business owners and employees often connect from networks that aren’t owned and operated by the business. This is both a security and a privacy risk, but it’s easily managed by routing all traffic through a VPN and providing remote access to a company’s resources through OpenVPN Access Server.

Use Case: Trane

Trane is a world leader in air conditioning systems. What they do is rather remarkable - they help people feel comfortable. Nothing is worse than sitting at your work desk freezing, or sleeping in your bedroom only to wake up sweating because it’s too hot.

Temperature controls more aspects of our lives than we realize, and making sure the world’s most famous commercial, industrial and institutional buildings are operating the way they should means securely monitoring the health of critical HVAC systems.

Trane was able to do exactly that by creating a private network using our OpenVPN Access Server software. It now enables them to carry out around-the-clock remote monitoring of more than four thousand of their remote telemetry locations. Trane’s equipment installers could easily deploy our VPN Client software, and our server supported some of their required advanced networking features along with an external MySQL database. A bonus!

That’s just one example of a business using our robust scalable VPN solution to secure its network resources.

Use Case: SICOM

Then there’s SICOM. The company provides quick service restaurant technology worldwide, serving more than 25,000 restaurants spanning more than 50 countries.

Their challenge? Securing point of sale (POS) transactions. The company’s hybrid-cloud POS systems rely on the cloud for configuration, reporting, payment processing, and other services. What they needed was a way to securely connect their POS to these cloud-based services. They deployed our AS software on their cloud coupled with our Connect client software for Windows. Because of that, SICOM has peace of mind knowing its critical cloud-based services are being securely delivered to more than 16,000 of its POS systems.

The Goal Of OpenVPN: To Bring Enterprise-Level Security To Businesses Of Every Size

Businesses of all sizes face different challenges, and how they serve their customers is unique. No matter your product, a business is responsible for delivering it in a safe and secure way. But how would a company find a way to increase its workforce productivity so it can scale and serve more people? Here’s an example of how a company can connect its mobile workforce to its internal network by using a VPN.

Consider a home security company which uses contractors to install security systems in customers’ homes. They want to use legacy mobile workforce management software in-house, and they don’t want to expose it to the internet for their employees or contractors to reach. Why? Software designed for internal use is more likely to be vulnerable to external attacks. Simply put, it’s not safe. A company’s entire infrastructure could collapse if it’s exposed to malicious threats online.

Their ideal solution? A VPN, and here’s how. The company could install a VPN server at their datacenter and VPN Client software on each contractor’s work tablet. The VPN server could use LDAP to access the company Active Directory for authentication, and to differentiate contractors from employees. The server would then maintain a network access rule for contractors, which only allows access to the email and workforce management servers.

This is powerful, and it’s exactly how companies are using Access Server. It provides secure access to a private enterprise network, in the cloud or on-premise. These tools are secure, economical, built to scale with your company, and constructed with powerful cyber protection in mind.

With a widespread community around our open source software, OpenVPN has become the de facto standard in the VPN industry. As a leading force in the world of cybersecurity, we believe that free and secure internet access is an essential human right. Our mission is to promote and provide that across the world with integrity and transparency — and the absolute best VPN on the market.

And with technology changing the way we live our lives and do business, securing the way we do things is critical to maintaining our new tech driven world.

How a VPN Works

For people interested in the techy stuff - we’ve broken down how a VPN works. A business can use a private network to connect all its IT infrastructure and employee computers to form a corporate intranet. This ‘network’ gives access to things like payroll, email etc.

As a company grows, the private network may need to be extended to other branch offices. That’s where remote access comes in. Enterprises often use dedicated data transport with leased telecommunication circuits. These are quite expensive, which is why a need grew for a more economical alternative - the VPN.

With advances in cryptography, computing technology, and the pervasiveness of the Internet, it became possible to encrypt data traffic and tunnel it over the Internet to a server located within the private network.

The same technology that creates virtual connectivity between networks can also be used to connect a user’s devices to a private network.

A VPN is not just for employees. Anyone connected to the internet can create their own virtual private network. From computers to laptops, smart TVs and consumer electronics - any device capable of connecting to the internet can create its own VPN.

Why does my company need a VPN?

We don’t want to give people the impression that any one solution will fix all their security needs, but a VPN does reduce risk. And as a company, you want to mitigate risk for the end user, whether it’s your employees or customers. We’ve all witnessed what can happen when businesses don’t take proper security measures to protect their infrastructure.

The biggest problem we face as an industry is making the threat of malicious attacks online feel very real. Unless you’ve personally been the victim of cyber crime, it’s tough to convince people how everything that’s in the cloud (something you can’t physically touch) is at risk. It’s true that every 39 seconds an online attack happens (that’s according to a Clark School study) - and we’ve outlined in our own internal study of 500 employees surveyed how non-secure usernames and passwords are an open doorway for attacker success.

And as more devices are connected to this new world called the Internet, the magnitude of cyber attack risk will only rise.

Reason 1: VPN access equals a decreased need to open up your private services to the internet.

If implemented correctly, a virtual private network allows only trusted devices to access your resources and implements strict access controls to enforce least-privilege access. You control who sees what.

Reason 2: VPN solutions also enforce mutual authentication, in which both the VPN server and the connecting device authenticate each other’s identity. On success, the user accessing the network is authenticated using username/password and, optionally, by using another form of authentication, which can be a security token supplied by something the user has in her possession — such as a mobile phone or smart card. Once the device and user are authenticated, the VPN server can enforce access rules; in other words, the user can only gain access to the subset of systems/services that they have the rights to access. With all these protections in place, a good and well-implemented VPN solution protects the private network perimeter. Additional security protections at the services and applications layer, paired with other cyber defenses, are now effective, given that the network perimeter is secure.

Reason 3: Another security advantage is data encryption, which safeguards against eavesdropping and data loss. This is particularly important while connecting over untrustworthy free Wi-Fi hotspots. Scammers can set up Wi-Fi hotspots that mimic a legitimate hotspot in the hopes of stealing credentials and other sensitive information from unsuspecting users. Use of a VPN, however, encrypts traffic end-to-end, keeping all information private and making the user immune to the threat of rogue Wi-Fi networks.

Q: And what about the SaaS model? Does a VPN still make sense when many enterprise applications are being offered using the Software as a Service (SaaS) model, and are meant to be accessed directly from the Internet?

A: Remember, not all SaaS applications offer the level of security that would get the seal of approval from your IT security experts. In fact, only a select few SaaS applications are cleared and sanctioned by corporate security. SaaS applications typically rely only on username/password authentication. If they don’t implement security best practices for password strength, if account lockout on unsuccessful attempts doesn’t happen, then hackers can use brute-force attacks and other exploits on weak password recovery mechanisms to gain unauthorized access. As an additional security measure, IT Security Managers may restrict user access to sanctioned SaaS applications, or to only a specific range of IP addresses that belong to your company. In other words, you can enforce corporate security policies by configuring SaaS applications to only be accessible to employees connected to the corporate network via a VPN.

Q: And what about HTTPS? Isn’t the security afforded by using HTTPS just as effective as a VPN?

A: Unfortunately, no. The problem is that HTTPS may not be in continual use during the entire web browsing session. It is generally only used by certain websites, and only for certain transactions involving sensitive information, like username/password or credit card information. HTTPS does do a good job securing sensitive information when in use, but to ensure privacy of your entire web browsing session and to protect all your traffic while connected to untrusted networks, it’s best to use a VPN. HTTPS uses TCP (a data transport protocol) and offers security to web applications, which means it’s not capable of securing traffic from all the non-web applications you may be using on your device such as email, VoIP, and streaming applications that do not rely on TCP such as Skype or Spotify. With a VPN, all traffic from the device, irrespective of the application generating the traffic, can be secured. As an application-specific secure transport protocol, HTTPS does not act as a virtual private network and hence cannot provide all the advantages of a VPN such as access to file shares, network printers and other network resources of the larger private network.

Reason 4: Secures & Extends Private Network Services

The main purpose of a VPN is to provide secure access to a private network when you’re unable to directly connect to the physical private network. Thus, a VPN extends all the services available on the private network just as if the devices were directly connected to the private network — even though the device is only connected to the Internet, and may be at any remote location.

To an employee of a large multinational enterprise, this means access to the services of the Corporate IT network over the Internet. Corporate IT provides services such as file servers, print servers, intranet websites, ERP systems, backup servers, etc. These services are meant for internal use only, but with use of a VPN, the employee is not restricted to physical locations with direct connectivity to the internal IT private network. If the employee is a home-based remote worker or a traveling salesperson, they can still use these internal IT services while connected to the ubiquitous Internet. They continue to get the same IT service experience, just as if they were present in their corporate office.

"Create a worldwide private network that is secure, isolated, economical and fast."

The same private network can provide specialized sensitive services to Internet-connected devices, such as IP telephony or device management. A VPN can be used to securely connect these devices directly to those specialized services. A VPN is a great solution to securely transfer data transmitted and received by the variety of devices — which comes in particularly helpful in this burgeoning era of the Internet of Things (IoT).

In January 2017, RightScale conducted its sixth annual State of the Cloud Survey of the latest Cloud computing trends, with a focus on infrastructure-as-a-service (IaaS)[1]. The survey asked over a thousand IT professionals about their adoption of Cloud infrastructure and related technologies. The results revealed that a ‘hybrid Cloud’ is the preferred enterprise IT strategy, and that 85 percent of enterprises have a multi-Cloud strategy.

With more and more IT infrastructure being migrated to the Cloud, and more enterprises relying on applications running on infrastructure provided by different Cloud providers, secure inter-Cloud communication is essential. A VPN can be used to securely route private traffic between various clouds and on-premise data centers. A VPN server implemented in one Cloud (Cloud A) with VPN Client software integrated into servers present in another Cloud (Cloud B) would allow for secure communications between the two clouds. Having user identities associated with servers in Cloud B could allow for controlled access to specific servers in Cloud A that are responsible for exposing only certain APIs for consumption by Cloud B. Alternatively, a VPN could be implemented between Cloud A and Cloud B in a site-to-site configuration, wherein one site has the VPN server while the other has VPN Client software that is configured to act as a gateway (VPN Gateway). This configuration will allow equipment in both Clouds to communicate with each other through the encrypted tunnel set up between the VPN server and the VPN Gateway.

An advantage of using IaaS offerings from the dominant large Cloud providers is that their offerings are available worldwide. If a business is already using Cloud and has remote employees, that business can scale their private network connectivity by using a VPN to bring the network closer to their remote team. Employees can get faster speeds and lower latency for their remote access when the VPN servers are co-located with private network resources and deployed in Cloud regions that are closest to them. As the business builds and distributes its IT services worldwide on the Cloud infrastructure, employees can access these distributed services from the site closest to them using remote access VPN. This essentially allows a company to create a worldwide private network that is secure, isolated, economical and fast.

[1] https://www.rightscale.com/blog/cloud-industry-insights/cloud-computing-trends-2017-state-cloud-survey#hybrid-cloud. Forty-eight percent of the respondents represented enterprises with more than 1,000 employees. The margin of error is 3.07 percent.

Reason 5: Leverages Existing Security Investments

For any business, security must be of paramount importance. No enterprise wants to find itself in a position where they have to explain a data breach to their customers — that can absolutely destroy trust. To that end, companies regularly invest heavily in people, processes, tools, software, and hardware infrastructure for the explicit purpose of strengthening security. This includes reducing the attack surface of their internal and private services by employing a variety of safeguards, and a VPN is one of the most important of those safeguards. Using a private network, combined with public network access protected by firewalls, web proxies, and intrusion detection systems, forms the major bulk of network perimeter security investments.

IT security teams of small and midsize businesses are increasingly using a single appliance or service that provides multiple security features called Unified Threat Management (UTM) service/appliance. This unified service reduces complexity and costs by combining anti-virus, anti-spam, content filtering, and web filtering with network security such as firewalls and network intrusion detection and protection. Some UTM implementations also include a VPN server.

Most companies deploy these safeguards in a few central networking locations in order to keep costs lower. With a VPN, companies can bring all traffic from remote networks and devices to these main locations, saving the time, money, and other resources that more operational locations would incur. This means the use of a VPN aids in the reduction of the attack surface for network exploits — while still extending the same security protections of the private network to remote locations/devices.

Once remote locations/devices get private network connectivity via a VPN, all the centralized security services are enabled. Endpoint security services such as antivirus software and OS security patches can be pushed to the VPN-connected devices — just as if the devices were directly connected to the corporate IT network. This allows the company to maintain a unified defense against threats throughout the company’s networked devices, regardless of location.

Reason 6: Increases Employee Productivity

When employees are out of the office, they still need to use the services that are only available while connected to the company’s network. For any employer that deploys a mobile workforce this is especially important — their employees need to be able to access their corporate applications from anywhere in the world.

Luckily, high-speed Internet access from cellular data networks and almost omnipresent Wi-Fi hotspots mean internet access is available just about anywhere. Whether you’re traveling on a train, in an airport, or at a hotel, there is almost always Internet access. A VPN rides on this Internet access, and makes private network access equally ubiquitous. A VPN combined with mobile Internet access allows employees to access enterprise applications — and increase productivity — while away from the office.

This is OpenVPN: A full secure network tunneling software solution tailored to meet your VPN needs.

OpenVPN, the provider of next-generation secure and scalable communication services, began as an open-source project in 2002. Following the success of that project, Francis Dinha and James Yonan co-founded OpenVPN Inc. to secure a solid foundation to further develop its commercial potential.

OpenVPN is a private company based in Silicon Valley that enables consumers and businesses to leverage mobility, access, security and privacy to simplify IT. Google, Samsung, Amazon, HP, IBM, Trane, universities, public schools and over 100,000 businesses are protected on premises, in the cloud, and in the field with OpenVPN software.

Access Server is an award-winning VPN server that provides virtual network connectivity to cross-platform OpenVPN Connect and other OpenVPN protocol compatible VPN clients. AS provides enterprise management capabilities, simplified Administration and OpenVPN Connect UI, and OpenVPN Client software for Android, iOS, Linux, macOS, and Windows.

We have integrated a suite of leading-edge networking and software technologies to deliver virtual network software that provides secure, reliable, and scalable communication services, not only fulfilling the requirements of the traditional virtual private network (VPN) market, but also addressing the future demands of SDN – Software Defined Network, Remote Access to private networks, tunneling to UTM – Unified Threat Management Firewall Clouds/Gateways, tunneling to DDOS Clouds/Gateways to protect against malicious attacks.

Mission Statement:

We believe all people should have unfiltered access to the internet. Stopping or prohibiting someone from having the ability to surf the net is a human rights violation. In an ideal world, everyone will be able to access information on the web. This will strengthen our society, and provide people with equal opportunities.

Our mission is to connect your world securely by providing a more safe and secure experience online.

  • OpenVPN has been downloaded by more than 50 million people worldwide since inception, becoming the de-facto industry standard
  • The company website has more than 3 million monthly visitors, and their consumer VPN Private Tunnel has nearly one million visitors with more than 100,000 new downloads each month
  • OpenVPN was announced winner for "Best SSL VPN" in the 2007 Best of Open Software Awards by InfoWorld
  • Lifehacker.com listed OpenVPN as the 2010 Best VPN Tool
  • Named 100 fastest growing businesses in the Bay Area by The San Francisco Business Times in 2018
  • Named Top 25 Amazon Cloud Solution Providers in 2018
  • Listed as 5000 fastest growing private companies by Inc. Magazine
  • Named one of 30 Companies to Watch by CIO Bulletin
  • OpenVPN’s business solution is used by tens of thousands of enterprises including Google and Verizon
  • Tesla uses the open-source software in their vehicles

AS secures your data communications, provides Internet privacy, remote access for employees, secures IoT, and provides secure access to on-premise, data center, or public cloud resources. Access Server is one of the top ten AWS (Amazon Web Services) software solutions, and is also available on Google Cloud and Microsoft Azure.

While the most common use of virtual private networking that comes to mind is that of remote access to your company network to facilitate telecommuting, that scenario is just the tip of the iceberg. Access Server can be used anywhere you need to securely carry out communications over the Internet and form an access-controlled private network between all the distributed endpoints.

Key Features

  • Rock solid, hardened, and scalable VPN server that is easy to set up and manage
  • Cloud Application Marketplace availability for AWS and Azure
  • Support for both site-to-site and remote access virtual networking
  • Economical licensing model that is based on the number of concurrent connected devices
  • Easy distribution of VPN client software and connection profiles directly from the OpenVPN Access Server
  • Ability to set up fine-grained access controls at user and group levels

Feature List

BYOL: Bring Your Own License

If you’d rather not work within the cloud, you can purchase your own license and build this system out internally.

BYOD Regardless of Operating Systems

OpenVPN Client software frees your users to choose their favorite device with support for Android, iOS, Linux, macOS, and Windows.

Transparent Open Source Core

  • Leverages OpenVPN, OpenSSL, and mbed TLS open source projects
  • Code is scrutinized and quick fixes are ensured due to large community support

Fine-grained Access Control

  • Global, Group, and User hierarchy allows for methodical access configuration
  • Rules can be defined at the IP address, protocol, and port granularity
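As an added illustration (not OpenVPN’s code and not Access Server’s configuration format), the Python below models the default-deny rule evaluation described here and in the home security company scenario earlier: Global, Group and User rule tiers at IP address, protocol and port granularity, with contractors limited to the email and workforce management servers while employees reach the whole internal network. All addresses, usernames and group names are constructed; the tier-order and "first matching tier wins" behaviour are simplifying assumptions.

```python
"""Toy access-rule evaluator modelled on a Global/Group/User rule hierarchy.

Constructed example: addresses, users and groups are invented, and the
evaluation order is an assumption, not Access Server's actual behaviour.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    network: ipaddress.IPv4Network  # destination CIDR the rule covers
    proto: str                      # "tcp", "udp" or "any"
    ports: tuple                    # inclusive (low, high); (0, 65535) = any


def rule(cidr, proto="any", ports=(0, 65535)):
    return Rule(ipaddress.ip_network(cidr), proto, ports)


# Global tier: applies to every authenticated user (internal DNS only).
GLOBAL_RULES = [rule("10.0.0.53/32", "udp", (53, 53))]

# Group tier: employees get the whole corporate LAN; contractors only the
# workforce management web app and the mail servers, as in the scenario above.
GROUP_RULES = {
    "employees": [rule("10.0.0.0/16")],
    "contractors": [
        rule("10.0.10.25/32", "tcp", (443, 443)),  # workforce management (HTTPS)
        rule("10.0.20.0/24", "tcp", (993, 993)),   # IMAPS mail servers
        rule("10.0.20.0/24", "tcp", (587, 587)),   # SMTP submission
    ],
}

# User tier: narrow, per-person exceptions layered on top of the group rules.
USER_RULES = {
    "alice.contractor": [rule("10.0.30.7/32", "tcp", (22, 22))],  # one SSH host
}

# Group membership as an LDAP/Active Directory lookup would return it.
USER_GROUP = {
    "bob": "employees",
    "alice.contractor": "contractors",
    "carol.contractor": "contractors",
}


def _matches(r, dst, proto, port):
    return (dst in r.network
            and (r.proto == "any" or r.proto == proto)
            and r.ports[0] <= port <= r.ports[1])


def is_allowed(user, dst_ip, proto, port):
    """Return (allowed, tier): tier names the level whose rule permitted the
    flow, or 'default-deny' when no rule at any level matched."""
    dst = ipaddress.ip_address(dst_ip)
    tiers = [
        ("user", USER_RULES.get(user, [])),
        ("group", GROUP_RULES.get(USER_GROUP.get(user), [])),
        ("global", GLOBAL_RULES),
    ]
    for name, rules in tiers:
        if any(_matches(r, dst, proto, port) for r in rules):
            return True, name
    return False, "default-deny"


def audit(flows):
    """Evaluate constructed (user, dst, proto, port) flows; return the denied ones,
    which is what a defender would want surfaced in the connection access logs."""
    return [f for f in flows if not is_allowed(*f)[0]]
```

Unknown users belong to no group and therefore only ever match the Global tier, so a misconfigured directory lookup fails closed rather than open.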

One-click Client Distribution

  • Just sharing the web address of Access Server's Client Portal with your users solves the Client distribution challenge inherent in wide-scale deployments
  • After authentication, users download their Client software installation files or connection profiles directly from the Access Server's Client Portal

Multiple Secure Authentication Modes

  • Integrated with two-factor authentication using Google Authenticator
  • Plug-ins can be used to integrate multi-factor authentication with Duo Security, smart cards and any TOTP based token generators
  • Users can be authenticated using PAM, RADIUS, LDAP, Active Directory, or a local user database

VPN Administration Web Portal

  • Administrator portal provides for intuitive configuration of settings
  • User connection access logs can be viewed and searched
  • For those administrators that prefer Command Line Interface (CLI) access, a rich command set is available

No-hassle Certificate Management

  • OpenVPN Access Server comes built-in with its own internal X.509 PKI, but can also support an external PKI
  • VPN clients get their certificates bundled with their configuration profiles
