    Enhancing VPNs for Secure Remote Work During the Coronavirus Pandemic

    To support an increase in remote working due to COVID-19, it may be necessary to scale up your VPN services and take extra steps to ensure all employees have secure network access.

    by Bill Camarda

    Key Points

    • For many organizations, the dramatic increase in remote work due to the coronavirus is placing an unprecedented load on their VPN, used to access their in-house applications.
    • It may be necessary to add VPN capacity and take steps to ensure employees have the credentials and knowledge required for secure network access.
    • It’s vital to make sure all VPN software is up to date with the latest security patches.

    For thousands of organizations, the coronavirus pandemic means a dramatic increase in remote access and working from home. If you’re still running some enterprise applications in your datacenter as opposed to operating entirely in the cloud, the increase in remote work may place unprecedented stress on your VPN services.

    To maintain security and productivity, it’s critical to ensure your VPN is up to the task. You may have to increase your VPN seat count or capacity to handle the load, and take steps to ensure all employees have the right credentials, including two-factor authentication in many cases, and understand how to securely access the enterprise network from home. It is also vital to ensure that all VPN software is up to date with the latest security patches.

    Of course, you may have already moved much of your data and many of your applications to the cloud. For those applications, your employees don’t need to use the VPN, and you automatically get the advantages of the cloud’s inherent scalability and direct accessibility for remote work. The more of your employees’ time that is spent in cloud applications, the less time they will need to spend using up your VPN resources.

    However, even if your long-term strategic goal is to be fully cloud-based, you may currently be operating in hybrid mode, with some important enterprise applications, as well as key security controls, still running within your datacenter. For example, some organizations rely on limiting direct internet access, network monitoring, firewalls, and web filtering operating inside the datacenter, and apply those controls to user traffic by backhauling it via the VPN. To support the expanded number of employees working from home, you may need to scale up VPN access to these systems and provide VPN access to employees who’ve never or rarely used it before, now that they are working off the corporate network.

    Ensure You Have Adequate VPN Capacity

    Accordingly, one immediate business continuity issue is to make sure you have sufficient VPN termination capacity as your access load increases. You may need to purchase more VPN licenses and roll out software and credentials, including two-factor authentication, to employees who need them. Wherever feasible, it may be advisable to use client VPN services built into modern operating systems that support L2TP connectivity, eliminating the need for separate VPN client software. Upgrading dedicated VPN server hardware may be a trickier issue in the current public health crisis, given the time required to order and configure it. Now’s the time to reassess capacity, so you can place that order sooner rather than later.

    Some Employees May Need VPN Help

    You may have employees who weren’t able to get the VPN and MFA credentials they needed before they hunkered down at home. As a result, they may be tempted to use personal apps for remote work, or attempt other workarounds (shadow IT) that add risk. To avoid risky workarounds, consider pushing out training to end users and helpdesk staff about how to quickly get and deliver VPN access, and how to use VPNs reliably, without overwhelming your team or your network.

    Your VPN logs, user configuration databases, and help desk tickets may help you identify who needs help (and perhaps also identify access attempts that aren’t legitimate). Some organizations face the problem that people require helpdesk support to get onto the VPN, but need the VPN to get remote support from the helpdesk. If this is the case in your organization, you’ll need a process for helping users escape that infinite loop.

    Updating VPN Software Is Vital

    Wherever you’re relying on dedicated VPN client software or server hardware, make sure it’s fully patched and up-to-date. Although that’s basic blocking and tackling for many IT organizations nowadays, things can and do fall between the cracks. For example, even though two leading enterprise VPN providers promptly delivered one critical fix in April 2018, the CERT Coordination Center (CERT/CC) found more than 500,000 unpatched VPN servers 16 months later.[1]

    Moreover, disconcerting flaws in VPN products have been found fairly recently. In the spring of 2019, CERT/CC and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) flagged a flaw in authentication storage in four enterprise VPNs that made it possible for malware to steal users’ authentication tokens and gain their network account rights without presenting a password.[2] As recently as October 2019, the UK’s National Cyber Security Centre (NCSC) reported that Advanced Persistent Threat (APT) actors were using enterprise VPN vulnerabilities to target UK and global government, academic, corporate, and healthcare organizations.[3]

    As the NCSC advised, it’s important to carefully check VPN access logs for possible compromise, and track anomalous IP locations or access times to identify potentially compromised accounts. That’s good advice even if you’re more worried about run-of-the-mill cybercriminals than sophisticated APTs. Organizations that rely on VPNs should view them as a potential attack vector and reflect this in their threat mapping and day-to-day security monitoring.
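
    As an added illustration of the log review described above (not code from the article or from any VPN vendor), the sketch below baselines each user's login countries and hours and flags later successful logins that deviate. The log format, the pre-enriched GeoIP country column, the sample lines, and the names find_anomalies, BASELINE_END and HOUR_SLACK are all assumptions made for this example.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from any real VPN product). Assumed columns:
# UTC timestamp, user, source IP, GeoIP country (pre-enriched), auth result.
SAMPLE_LOG = """\
2020-03-16T08:55:00,alice,198.51.100.10,GB,success
2020-03-17T09:05:00,alice,198.51.100.10,GB,success
2020-03-18T09:10:00,alice,198.51.100.23,GB,success
2020-03-19T03:12:00,alice,203.0.113.77,RO,success
2020-03-16T13:00:00,bob,192.0.2.44,US,success
2020-03-17T13:30:00,bob,192.0.2.44,US,success
2020-03-18T02:40:00,bob,192.0.2.44,US,success
2020-03-18T14:00:00,carol,192.0.2.90,US,failure
"""

BASELINE_END = datetime(2020, 3, 18)  # earlier logins form each user's baseline
HOUR_SLACK = 2                        # tolerated drift from baseline hours


def find_anomalies(log_text, baseline_end=BASELINE_END, slack=HOUR_SLACK):
    """Return (user, timestamp, reason) for successful logins that deviate
    from the user's own baseline of countries and login hours."""
    rows = [r for r in csv.reader(io.StringIO(log_text)) if r and r[4] == "success"]
    countries, hours = defaultdict(set), defaultdict(set)
    events = []
    for ts, user, ip, country, _ in rows:
        when = datetime.fromisoformat(ts)
        if when < baseline_end:
            countries[user].add(country)
            hours[user].add(when.hour)
        else:
            events.append((when, user, ip, country))
    findings = []
    for when, user, ip, country in sorted(events):
        if not countries[user]:
            findings.append((user, when.isoformat(), "no baseline for user"))
            continue
        if country not in countries[user]:
            findings.append((user, when.isoformat(), f"new country {country} from {ip}"))
        # circular distance so 23:00 and 01:00 count as two hours apart
        gap = min(min(abs(when.hour - h), 24 - abs(when.hour - h)) for h in hours[user])
        if gap > slack:
            findings.append((user, when.isoformat(), f"unusual hour {when.hour:02d}:00 UTC"))
    return findings
```

    A hit is a lead for review rather than proof of compromise: staff who travel or change shifts will trip the same rules, so findings are best correlated with helpdesk tickets and MFA records before an account is locked.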

    The Bottom Line

    Over time, the events surrounding coronavirus may lead some organizations to accelerate their cloud transitions, and to revisit other IT policies; for example, some companies may reconsider their bring your own device (BYOD) policy, exercising greater control by issuing company-owned devices. In the meantime, the coronavirus-driven surge in remote work means that a renewed focus on cyber hygiene has never been more important: best practices for monitoring, training, and patching, relentlessly applied.

    [1] “VPN - A Gateway for Vulnerabilities,” CERT/CC Blog, Carnegie Mellon University Software Engineering Institute

    [2] “VPN applications insecurely store session cookies,” CERT/CC

    [3] “Vulnerabilities exploited in VPN products used worldwide,” UK National Cyber Security Centre
