Is client VPN software safe?

More and more workers are working remotely these days.

The problem with utilizing VPN software to connect to work resources is that end users are creating an open tunnel between their home and corporate networks. This method allows full remote access to the entire work network from outside the office, bypassing most firewall rules (the VPN connection is technically initiated from inside the work LAN). In most cases, the entire corporate network is accessible to the remote worker, exposing all servers and desktops rather than just the resources needed.

In this scenario, any security vulnerability or malware present on the remote worker’s computer and network can infect the work network for the duration of the VPN connection. This includes viruses. For example, if the remote PC has a nasty virus, it can spread across the VPN to the corporate network and could bypass work firewall protections. In addition, if the remote PC is compromised, it could be used as a conduit directly into the office LAN where hackers can exploit vulnerabilities to gain unauthorized systems access.

For example, Windows file shares (SMB), which threats such as the Cryptolocker viruses typically rely on to encrypt files, are exposed.

The following is a home VPN user scenario that keeps IT managers up at night:

A remote teleworker is connected to the VPN from their home PC and gets infected by Cryptolocker. At the time of infection, they happened to be mapped to a corporate network drive. Perhaps they pay the ransom or perhaps not (maybe they don’t because they have backups of the work on their own home machine). The timer lapses and the teleworker runs a malware cleaner to remove the infection. They’re relieved, but unaware that they’ve encrypted several files on our network drive due to the original infection. They don’t think to inform the IT department, because it’s an issue with their home PC and not “work-related.”

A few weeks pass and another worker discovers that a file on the network drive won’t open. They flag it to the IT department. The IT team restores the file from backup, but unfortunately it turns out that only encrypted files have been backed up for the past 4 weeks… So the company has now lost the data as a result.

This situation could become exponentially worse, as thousands of network files could be encrypted and the business would never know until somebody tries to open them and is unable to do so because of the infection.

What are folks doing to secure their VPN clients to reduce these concerns?

  • You can limit the access of these clients extensively with ACL/firewall rules.
  • Modern clients like Cisco AnyConnect can do health checks on the client machine. You can forbid machines not running current AV software or missing major security updates.
  • As part of client requirements you can enforce a specific AV product on those users if you wish. Most enterprise AV now comes with home use rights.
  • Build your systems to not require VPNs; for example, a pure SharePoint / Office 365 setup should limit who needs VPN to just a few special internal apps.
  • NGFW can help add layers against potential dirty clients.

First, what we do is steer as many people as possible to our Remote Desktop Servers. We already have about 75% of our users on the Remote Desktop servers anyway, so most users would much rather have their real “work desktop” fully accessible from home. We don’t have users that need to print from home or transfer files back and forth, though. We use a Remote Desktop Gateway as the front end to their actual server. There are policies on the RD Gateway to help reduce their access to only the server(s) they need.

Second, for anyone that can’t, we use an SSL VPN with very granular access control. So far I haven’t had to allow anyone a mapped drive over this connection. The policies on the SSL VPN prevent them from accessing any file servers anyway.

The SSLVPN we use is a PulseSecure MAG 2600 if you are curious.

I don’t allow mapping drives to users’ home computers. They VPN in and then they need to remote into their desktop or a virtual machine which is then connected to the network.

VPNs are made to connect trusted computers together over untrusted networks. What you are doing is connecting untrusted computers to your network, and yes, that is not secure.

Thanks, yeah, was thinking that. Many clients have file servers still, so using WebDAV or browser access eliminates most VPN requirements.

It’s really hard to break users away from mapped drives over VPN once they get it. We have SSL VPN but users (including the owner of the company) complain it’s too cumbersome. In the worst cases they use the Microsoft VPN and click “remember password” and leave it on all the time. Yikes.

  1. Don’t allow VPN on home computers
  2. For service contractors: you can restrict them with ACL or just hope and pray they aren’t like the average home user

I have 2 separate firewall VPN rules for work at home employees.

  1. It is a company owned computer and controlled with our software. They get full network access on VPN.

  2. It is an employee owned computer. They only get remote desktop (and dns) access. This allows them to remote desktop into their work computer and control that to work.
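The two-tier policy described in this reply, written out as an nftables ruleset. This is an added example, not the poster’s own configuration: the address pools, LAN range and DNS server address are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: a managed (company-owned) VPN pool gets full LAN access,
# a BYOD pool gets only DNS and RDP, and SMB from BYOD is logged and dropped.
# Assumed addressing (constructed for this example, not from the thread):
#   10.8.1.0/24  managed, company-owned VPN clients
#   10.8.2.0/24  employee-owned (BYOD) VPN clients
#   10.10.0.0/16 corporate LAN; 10.10.0.53 internal DNS server
MANAGED_POOL="10.8.1.0/24"
BYOD_POOL="10.8.2.0/24"
CORP_LAN="10.10.0.0/16"
DNS_SERVER="10.10.0.53"

# Emit the ruleset as text so it can be reviewed, or loaded with: vpn_ruleset | nft -f -
vpn_ruleset() {
  cat <<EOF
table inet vpn_policy {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # Tier 1: managed clients get full access to the corporate LAN
    ip saddr $MANAGED_POOL ip daddr $CORP_LAN accept
    # Tier 2: BYOD clients get DNS to the internal resolver and RDP only
    ip saddr $BYOD_POOL ip daddr $DNS_SERVER udp dport 53 accept
    ip saddr $BYOD_POOL ip daddr $DNS_SERVER tcp dport 53 accept
    ip saddr $BYOD_POOL ip daddr $CORP_LAN tcp dport 3389 accept
    # SMB from BYOD is already covered by the drop policy; log it explicitly
    # so a ransomware-style mapping attempt from a home PC shows up in logs
    ip saddr $BYOD_POOL ip daddr $CORP_LAN tcp dport { 139, 445 } log prefix "byod-smb-blocked " drop
  }
}
EOF
}

# Self-check: returns success (0) only if some rule ACCEPTS SMB from the BYOD pool.
byod_smb_allowed() {
  vpn_ruleset | grep "saddr $BYOD_POOL" | grep -E "dport .*(139|445)" | grep -q accept
}

# Self-check: returns success only if RDP from the BYOD pool is accepted.
byod_rdp_allowed() {
  vpn_ruleset | grep "saddr $BYOD_POOL" | grep "dport 3389" | grep -q accept
}

vpn_ruleset
```

Review the emitted text before loading it; the `log prefix` line is what turns a blocked share-mapping attempt into an auditable event rather than a silent drop.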

This has not been a problem for us because our remote staff can only access a terminal server via VPN.

Also consider file screens.