How to Block Unauthorized VPNs

You're in a meeting about raising the salaries of the IT staff (ok, probably not); that's when you notice that one of the attendees is quietly smiling while using his laptop. You casually look at his screen and you notice he's watching Mel Brooks' Blazing Saddles instead of participating in the meeting. With the technology in place at your company, you wonder how this could be happening.

Later in the day, after making sure that the employee in question is on the layoff list, you check your firewall and router settings. Sure enough: movie sites are blocked. So, what's up? The answer is, your firewall or router blocks didn't catch the fact that the soon-to-be-former-employee was using a virtual private network (VPN) to conceal the nature of his traffic.

Of course, this is just one example of the problems that outgoing VPN use can cause on a network. There are plenty more—enough, in fact, that Senators Ron Wyden (D-Oregon) and Marco Rubio (R-Florida) have asked the US Department of Homeland Security (DHS) to investigate VPN use by federal employees. The goal of the investigation is to determine whether VPN use should be banned within the federal government.

In that case, the concern is the security threat posed by foreign VPN operators who could intercept traffic at their servers and keep a copy. The primary providers with whom the senators are concerned are the companies based in China and Russia, but they're also worried about operators whose servers could be compromised by similarly adversarial nations.

VPNs Can Be Compromised

The problem is that these nations and others are after a lot more than just state secrets. They're also after the vast array of information that VPNs can carry these days, most of which they can use for a variety of purposes. That includes data such as business processes, trade secrets, contact lists from customer relationship management (CRM) software, and all kinds of personal information that your employees store about themselves or their contacts.

Even though a VPN is an encrypted connection between the two points where it's set up, once it gets to the server at the other end, the encryption may end. Any information that passes through that server can be compromised. But there are other threats besides that.

Because a VPN connection is logically similar to simply connecting a very long network cable, there's also a connection from the VPN server back to the client device on your network. This connection can be used to compromise the computer at your end and perhaps your network as well. Now you can see the nature of this threat.

The Different Types of VPNs

And let's not forget that there's more than one kind of VPN. There's the outgoing VPN that's used on client devices (such as on the aforementioned benighted employee's laptop), which is frequently used to bypass regional limits on things such as movies and music, to protect information being transmitted from insecure locations, and to prevent theft of data while traveling. Then there are VPNs that are set up between servers at two locations, such as between a home office and a branch. We're talking about the first type.

In this type, there are also multiple reasons to have a VPN, one of which is to link to services outside your network, such as a movie site. The other reason is to form a secure connection when calling in, such as when the only Wi-Fi you can find is at McDonald's. Here I'm focusing on calling out to a remote VPN server.

When considering your organization's network, the issues regarding outbound linking to a VPN server are different from what they are for an individual user at home. For one thing, the network belongs to your company and you're responsible for the traffic that passes to the outside. In addition, you're responsible for performance hits that can happen if you have several people, say, watching movies in high definition (HD) while everyone else is trying to work.

Enforce Good VPN Policy

While there will be exceptions depending on the needs of your organization, a good policy is to block outgoing VPN traffic before it can leave your network. In addition, you should ask the human resources (HR) department to publish a rule banning VPN use unless it's specifically permitted for individual cases. You want the human resources department involved so you can take action when somebody figures out how to get around your VPN blocks.

Next, you need to configure your firewalls or routers (or both) to prevent outgoing VPN access. Here are six changes you need to make:

  • Create a blacklist of known public VPN websites and keep the list updated since the list can constantly change.
  • Create access control lists (ACLs) that block VPN communications, such as UDP port 500, which is frequently used.
  • Use the stateful inspection capabilities of your firewall to look for encrypted communications, especially those going to foreign locations. You probably don't want to interfere with an employee's banking session, but a session lasting an hour isn't someone looking up their credit card balance. And, of course, a lot of websites use Secure Sockets Layer (SSL) encryption these days, so you can't simply ban encryption.
  • Look for public VPN apps on company-owned machines. These aren't the same as the apps for your inbound VPN, but rather, they're apps to enable outbound VPN connections.
  • Set up a special visitor's-only network on your Wi-Fi controller (or router if you're a small company) that only allows connections to specific internet resources, usually those running on port 80 (websites) or port 443 (SSL). You might also want to allow ports 25, 465, and 587, which are required for email. You should deny all other connections.
  • Remember that there's something of an arms race going on between VPN vendors and attempts to block their use. You need to be alert to attempts to get around your blocks and use VPNs inappropriately on your network, and when you find them, take action to stop them, falling back on the HR rules if necessary.
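As an added example (not from the original article), here is how the ACL and visitor-network items above could look on a Linux firewall or router using nftables. It assumes eth0 is the WAN link, eth1 the corporate LAN, eth2 the visitor Wi-Fi VLAN, and a constructed 10.0.5.0/24 subnet for the hosts that HR and IT have approved for outbound VPN use; the port list goes beyond the article's UDP 500 to the other well-known VPN transport defaults.

```nftables
#!/usr/sbin/nft -f
# Egress policy: block outbound VPN transports from the LAN and restrict the
# visitor network to web and mail. Load with: nft -f egress.nft

table inet egress {
    # Hosts explicitly permitted by HR/IT to run an outbound VPN (constructed range).
    set vpn_exceptions {
        type ipv4_addr
        flags interval
        elements = { 10.0.5.0/24 }
    }

    # Default transport ports of common VPN protocols; vendors can move these,
    # so this is a baseline, not a complete block.
    set vpn_udp_ports {
        type inet_service
        elements = { 500, 4500, 1194, 51820 }   # IKE, IKE NAT-T, OpenVPN, WireGuard
    }
    set vpn_tcp_ports {
        type inet_service
        elements = { 1194, 1723 }               # OpenVPN over TCP, PPTP control channel
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Visitor Wi-Fi gets its own restrictive chain.
        iifname "eth2" oifname "eth0" jump guest_egress

        # Corporate LAN: approved hosts pass, everything else loses VPN transports.
        # Logged drops give you the evidence the HR policy needs.
        iifname "eth1" oifname "eth0" ip saddr @vpn_exceptions accept
        iifname "eth1" oifname "eth0" udp dport @vpn_udp_ports log prefix "VPN-BLOCK " drop
        iifname "eth1" oifname "eth0" tcp dport @vpn_tcp_ports log prefix "VPN-BLOCK " drop
        iifname "eth1" oifname "eth0" meta l4proto { gre, esp } log prefix "VPN-BLOCK " drop
    }

    chain guest_egress {
        # Only the ports the article allows for visitors: web plus mail submission.
        ct state established,related accept
        tcp dport { 80, 443, 25, 465, 587 } ct state new accept
        udp dport 53 accept                      # assumption: guests need DNS to reach those sites
        log prefix "GUEST-DENY " drop
    }
}
```

Port-based rules do not catch a VPN that runs over TCP 443 alongside ordinary HTTPS, which is exactly why the article pairs them with inspection of long-lived encrypted sessions and the HR policy.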

Final Thoughts

I know it sounds inconsistent to have reviewed and recommended VPN products here and then to have questioned their value, but this is one situation in which, despite the value they have for security, VPNs aren't always used appropriately. You don't want an open network between your organization and an adversary, and you probably don't want employees watching movies (or worse) at work.

While you have to decide what constitutes appropriate VPN use for your employees, remember: it's not an issue of freedom or net neutrality. It's your private network and you're responsible for the traffic that travels over it. You have every right to control it.

This article originally appeared on