VPN Client Definition and Access Controls

Each VPN client stores configuration details to connect to the organization’s VPN server. Typically, VPN details include information such as the following:

• Host name or address (primary and backup)

• Logon user name

• Password (optional, dependent on the authentication method)

• Authentication method

• Transport protocol

• Local address options

• Local log settings

Each of the client settings should match the server settings. In some cases, servers support multiple types of clients and will negotiate settings, such as authentication method and transport protocol. It is important that you verify each client’s settings to ensure that clients are in compliance with organizational VPN settings standards. One of the easiest ways to verify client settings is to restrict your server settings to deny any connection requests that fall below certain standards. If your clients meet the standards, they can connect. If not, their connections fail.

There are two types of access controls for remote access. The first are the access controls for computers or devices. These access controls define which computers or devices can establish remote connections. Your authentication servers or VPN servers store computer and device access controls. The location depends on the type of VPN and operating system you are using. The second type of access control is at the user or group level. This type of access control is the same as access control in the User Domain. Once a remote user authenticates and is authorized to access resources, the normal operating system access controls take effect.

TLS VPN Remote Access via a Web Browser

Most web development languages and many applications have the ability to require secure connections. For example, you can require that a particular webpage or cookie can only be sent to a client using a secure connection. If the client attempts to render a secure webpage using an unsecure protocol, the page does not render. You would have to use HTTPS to render the page. In other words, you would have to include HTTPS in the address to reach the page.

To verify compliance with data privacy for remote users, you should enforce the following:

• Require all webpages that access sensitive data to have secure HTTPS connections or have local host addresses. Local host addresses for webpages require VPN connections.

• Require all users to be authenticated before accessing any resources or data.

• Allow only VPN nodes to access sensitive data directly.

• Require operating system– and application-specific access controls to define which users can access sensitive data.

Adhering to these rules will ensure your data are safe from unauthorized remote users.

VPN Configuration Management Verification

Managing all your network devices’ configuration settings keeps unauthorized changes from reducing your data’s security. RANCID, along with other available tools, can help you create baselines of configuration settings and compare changes over time. You should develop a schedule and process to frequently compare configuration baselines and verify all changes to your network’s configuration.

A solid network configuration management process includes managing changes to all configuration settings. A formal process makes it easy to classify any configuration changes as authorized or unauthorized. You just compare baseline differences to your authorized changes list to see which changes occurred that were not authorized.