Last year, the Department of Homeland Security issued a vulnerability notice that disturbed many in the cybersecurity community: Several popular virtual private network solutions had insecurely stored authentication cookies in their memory or log files. An attacker gaining access to that information could steal a legitimate user’s session and gain access to services protected by the VPN without going through the normal authentication process.
Since then, vendors have provided patches for this vulnerability. But the announcement underscores the importance of carefully configuring and managing all components of an organization’s security program. VPNs play a crucial role, safeguarding network traffic between sites for remote and mobile users.
Even so, VPNs often get very little attention — the modern VPN is a workhorse that simply works properly and doesn’t demand administrator intervention. This lack of attention can lead to serious security issues over time.
Let’s consider three ways that colleges and universities can better protect their VPN implementations.
Colleges Need to Patch VPNs Regularly
Like all technology components, VPNs require regular maintenance. Whether they run on dedicated VPN hardware or use software to run on standard servers, VPNs contain potentially vulnerable software and firmware. Emerging threats, design flaws and code bugs create issues that, when discovered, may allow attackers to compromise VPN connections.
By their nature, VPN devices must be exposed to the outside world to allow inbound connections. This places them in the same risk category as web servers, mail servers and other intentionally exposed systems. It also increases the importance of protecting them against known exploits.
Security teams should place VPN patching high on their priority list. Monitor the security announcements from vendors associated with your institution’s VPN deployment and apply patches immediately after they’re released. Once a security announcement occurs, the race is
on between attackers hoping to exploit a new vulnerability and defenders trying to secure the VPN from attack.
Also, don’t forget that all components in a VPN stack require regular maintenance. IT departments using server-based VPNs must ensure that the operating system supporting the VPN server also receives regular updates and is protected against compromise.
MORE ON EDTECH: Learn how to prepare for campus readiness while cutting costs.
Follow Best Practices for VPN Management
VPNs rely upon a set of underlying security technologies. These include transport protocols such as Transport Layer Security and IPSec, along with encryption algorithms such as AES and RSA.
When configuring encryption settings, administrators must choose a key exchange protocol, bulk encryption algorithm, hash function and digital signature algorithm.
Choosing an appropriate set of these algorithms and securely configuring their parameters is crucial to establishing a secure VPN. Small errors can have significant consequences.
Fortunately, administrators have a good deal of advice available to help build secure configurations. IT security teams should consult with the vendors of their specific VPN solutions. They can also consult publications from the National Institute of Standards and Technology, several of which offer important security guidance for VPNs.
Routine security assessments should take VPNs into account and include vulnerability scans and penetration tests. Conducted on a periodic basis, these assessments may identify newly discovered security issues, facilitating a prompt remediation.
MORE ON EDTECH: Learn how to solve evolving security challenges for remote campuses.
IT Admins Should Monitor VPN Use
Many attacks against VPNs, including the one publicized by DHS earlier this year, focus on attackers gaining control of VPN sessions. IT security teams should integrate their VPNs with their security information and event management (SIEM) infrastructure and specifically watch for signs of successful session hijacking attacks, such as:
- Users logging in from unusual locations, particularly from foreign countries where agency employees do not normally travel.
- Use of Tor circuits to connect to a VPN, potentially indicating attempts to hide a user’s true location.
- Simultaneous connections from multiple geographic locations.
- Unusual patterns of data transfer.
- Scanning activity and other network probes that indicate network reconnaissance by VPN users. Employing a SIEM to automate this monitoring frees up human analysts’ time, allowing them to focus on more value-added work.
University security teams should configure their VPNs according to industry standards, patch VPN firmware and software regularly, and routinely monitor employee VPN use for signs of malicious activity. By following these best practices, agencies will ensure VPNs remain a trusted component of the security infrastructure for years to come.
