Virtual Private Network (VPN) Security Policy

Chapter 9, “IPsec Virtual Private Networks (VPN),” covers VPNs in more detail; however, because this chapter covers security policies, the growth of VPNs in use today demands inclusion of a sample policy for VPNs here. This policy is prefaced by a brief definition of what a VPN is, but you should refer to Chapter 9 for the full scope of this technology.

VPNs are becoming popular and have matured considerably in the last several years. Many companies use them as a means of securely connecting small remote offices or users of every description. The connections can be made secure through the use of IPsec (IP Security) and L2TP (Layer 2 Tunneling Protocol), and, with the increasing prevalence of high-speed Internet connections such as DSL or cable, VPNs are becoming affordable. Therefore, it becomes imperative to have a security policy to regulate their use so that all traffic is properly secured.

SANS (www.sans.org) provides a wide range of security policies freely available on its website. The policies in this chapter are based on those publicly available policies. I strongly encourage you to visit SANS and use the discussions in this chapter to spark your ideas. Granite Systems (www.granitesystems.net) based its policies on those recommended by SANS and has allowed me to present them here.

In this policy, the company’s IT security department is known simply as the Corporate Security Team for Granite Systems. Granite Systems and other Granite Systems–specific departments appear in italics throughout the policy; if you want to reuse this policy, you can replace these designations with your own.

Purpose

The purpose of this policy is to provide guidelines for Remote Access IPsec or L2TP virtual private network (VPN) connections to the Granite Systems corporate network.


Note

VPNs based on IPsec are preferred over those using L2TP because they are generally considered more secure.


Scope

This policy applies to all Granite Systems employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties that use VPNs to access the Granite Systems network. This policy applies to implementations of VPN that are directed through a VPN concentrator or VPN-aware firewall.

Policy

Approved Granite Systems employees and authorized third parties (customers, vendors, and so on) can use the benefits of VPNs, which are a “user-managed” service. This means that the user is responsible for selecting an Internet service provider (ISP), coordinating installation, installing any required software, and paying associated fees.


Note

Although some companies might provide (that is, pay for) broadband or dial-up Internet connections for some of their employees, this is usually on a case-by-case basis. In general, companies leave that responsibility up to their employees, and that is, therefore, expressed in the corporate security policy.


In addition:

1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Granite Systems internal networks. VPNs may be used for site-to-site connectivity or remote access to systems or networks.

2. VPN use is to be controlled using either a one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.

3. When actively connected to the corporate network, VPNs force all traffic to and from the PC over the VPN tunnel; all other traffic is dropped.

4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.

5. Split tunneling is a VPN configuration option that is either on or off. When it is on, users can connect to the corporate network and the Internet simultaneously. This endangers the corporate network because, if an attacker took control of a computer that has a VPN to the corporate network, the attacker could also reach the company’s network through that VPN. Disabling split tunneling is therefore considered best practice.

6. VPN appliances are set up and managed through Granite Systems network operational groups.

7. All computers connected to Granite Systems internal networks through VPN or any other technology must use the most up-to-date antivirus software that is the corporate standard and can be downloaded through the corporate intranet. This also includes personal computers.

8. VPN users are automatically disconnected from Granite Systems’ network after 30 minutes of inactivity. The user must then log in again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection active.

9. Users of computers that are not Granite Systems–owned equipment must configure the equipment to comply with Granite Systems’ VPN and Network Security policies.

10. Only VPN clients approved by the Corporate Security Team can be used.

11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Granite Systems’ network and, as such, are subject to the same rules and regulations that apply to Granite Systems–owned equipment; that is, their machines must be configured to comply with all Corporate Security Policies.
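Items 3 and 4 above require a full tunnel, but a client can only prove it has one by looking at its routing table. The following is an added example, not code from the book or from Granite Systems: it parses Linux `ip route` output (an assumption about the client platform; IPv4 only) and decides, by longest-prefix matching, whether the tunnel interface shadows every destination or whether some route still carries traffic around the tunnel. The two route tables, the interface name `tun0`, and the gateway address `203.0.113.10` are constructed sample values.

```python
"""Full-tunnel check for a VPN client (added example; assumes `ip route` format)."""
import ipaddress

# Constructed sample: a full tunnel.  The client pushed 0.0.0.0/1 and 128.0.0.0/1
# over tun0; together they shadow the ISP default route still present on eth0.
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0
"""

# Constructed sample: a split tunnel.  Only the corporate 10.10.0.0/16 is routed
# over tun0; everything else still leaves through eth0.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.10.0.0/16 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0
"""


def parse_routes(text):
    """Return (network, device, is_link_scope) for each `ip route` line."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        dest = ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0], strict=False)
        dev = f[f.index("dev") + 1] if "dev" in f else None
        link = "scope" in f and f[f.index("scope") + 1] == "link"
        routes.append((dest, dev, link))
    return routes


def uncovered(net, more_specific):
    """Parts of `net` that no route in `more_specific` shadows under longest-prefix match."""
    remaining = [net]
    for c in more_specific:
        nxt = []
        for r in remaining:
            if r.subnet_of(c):
                continue                           # fully shadowed, drop it
            if c.subnet_of(r):
                nxt.extend(r.address_exclude(c))   # carve the shadowed part out
            else:
                nxt.append(r)
        remaining = nxt
    return remaining


def check_full_tunnel(route_text, tunnel_dev, vpn_gateway):
    """Return (full_tunnel, leaks).

    full_tunnel is True when routes on tunnel_dev cover all of IPv4; leaks lists
    routes on other interfaces that would still carry some traffic around the tunnel.
    """
    routes = parse_routes(route_text)
    tunnel_nets = [n for n, d, _ in routes if d == tunnel_dev]
    gw = ipaddress.ip_network(f"{vpn_gateway}/32")
    full = not uncovered(ipaddress.ip_network("0.0.0.0/0"), tunnel_nets)
    leaks = []
    for net, dev, link in routes:
        # Skip the tunnel itself, the host route that carries it, and the local LAN
        # route needed to reach the gateway.
        if dev == tunnel_dev or net == gw or link:
            continue
        shadows = [t for t in tunnel_nets if t.prefixlen > net.prefixlen and t.subnet_of(net)]
        if uncovered(net, shadows):
            leaks.append(str(net))
    return full, leaks


if __name__ == "__main__":
    for name, table in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        print(name, check_full_tunnel(table, "tun0", "203.0.113.10"))
```

The check deliberately tolerates the host route to the VPN gateway and the link-scope LAN route, because a full tunnel cannot exist without them; anything else that reaches a physical interface without being shadowed by a more specific tunnel route is reported as a leak. A client-side posture check or a help-desk script can run this before granting access to corporate resources.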

Conclusion

Every security policy should end with a few common elements; these elements clear up any remaining miscommunication or confusion on the part of users once they understand what is and is not permitted:

1. Enforcement: The element that is most critical is the enforcement and the ramifications to an employee if these policies are violated.

2. Definitions: Not every employee or user understands some of the terminology used in a policy; thus, it is always a good idea to provide yet another level of clarification by defining industry-specific terms.

3. Revisions: Changes are always applied to policies such as these. The sources of those changes vary with time, however: a change in management, new laws or a clarification of older laws, new threats against your network’s security, a decision by your company to become certified (for example, ISO), or new technology that needs to be covered. All these factors might require a policy change, and it is wise to document the changes.

VPN technology is ever-evolving, faster than most technologies from a network security perspective. As discussed, businesses are deploying VPNs in ever-increasing numbers; therefore, it is crucial that all organizations have policies governing their use. A mistake in a VPN deployment can be costly from both a security and a financial perspective. Auditing VPN access should be a critical part of your process and larger governance policy.
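Auditing is where policy item 8 (the 30-minute inactivity disconnect and the ban on artificial keep-alive traffic) is actually verified. The following is an added example, not from the book or Granite Systems: it reads session events in a constructed concentrator log format (timestamp, `user=`, `event=`, optional `bytes=`; a real concentrator's format will differ) and reports sessions that stayed up through a gap longer than the idle limit, which means the concentrator is not enforcing the timeout, and sessions whose only traffic is a run of small, evenly spaced packets, which is the signature of a keep-alive script. The byte threshold and run length are assumptions chosen for illustration.

```python
"""Audit VPN session logs for idle-timeout enforcement and keep-alive traffic.

Added example; the log format, thresholds and sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(minutes=30)   # policy item 8
KEEPALIVE_MAX_BYTES = 128            # assumption: a data event this small is a candidate keep-alive
KEEPALIVE_MIN_RUN = 3                # assumption: this many evenly spaced small events is suspicious

# Constructed sample log.  alice: 45-minute silence with no disconnect.
# bob: identical tiny packets every 20 minutes.  carol: normal session that the
# concentrator correctly dropped for inactivity.
SAMPLE_LOG = """\
2024-03-04T08:00:00Z user=alice event=connect
2024-03-04T08:10:00Z user=alice event=data bytes=5120
2024-03-04T08:55:00Z user=alice event=data bytes=2048
2024-03-04T09:00:00Z user=alice event=disconnect
2024-03-04T08:00:00Z user=bob event=connect
2024-03-04T08:20:00Z user=bob event=data bytes=84
2024-03-04T08:40:00Z user=bob event=data bytes=84
2024-03-04T09:00:00Z user=bob event=data bytes=84
2024-03-04T09:20:00Z user=bob event=data bytes=84
2024-03-04T08:30:00Z user=carol event=connect
2024-03-04T08:45:00Z user=carol event=data bytes=90000
2024-03-04T09:15:00Z user=carol event=disconnect reason=idle-timeout
"""


def parse_log(text):
    """Group events by user, sorted by time. Each event is a dict of the key=value fields."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(p.split("=", 1) for p in fields)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        sessions[rec["user"]].append(rec)
    for events in sessions.values():
        events.sort(key=lambda r: r["ts"])
    return sessions


def audit_sessions(text, idle_limit=IDLE_LIMIT):
    """Return a list of (user, finding, detail) tuples."""
    findings = []
    for user, events in parse_log(text).items():
        # 1. A gap longer than the idle limit that was not closed by a disconnect
        #    means the concentrator kept an idle session alive.
        for prev, cur in zip(events, events[1:]):
            gap = cur["ts"] - prev["ts"]
            if gap > idle_limit and prev["event"] != "disconnect":
                findings.append((user, "idle timeout not enforced", f"{gap} gap"))
        # 2. A run of small data events at a constant interval looks like a
        #    ping or script used to defeat the inactivity timer.
        small = [e for e in events
                 if e["event"] == "data" and int(e.get("bytes", 0)) <= KEEPALIVE_MAX_BYTES]
        if len(small) >= KEEPALIVE_MIN_RUN:
            intervals = {b["ts"] - a["ts"] for a, b in zip(small, small[1:])}
            if len(intervals) == 1:
                findings.append((user, "possible keep-alive traffic",
                                 f"{len(small)} x {small[0]['bytes']} bytes every {intervals.pop()}"))
    return findings


if __name__ == "__main__":
    for user, finding, detail in audit_sessions(SAMPLE_LOG):
        print(f"{user}: {finding} ({detail})")
```

The first check tests the device, not the user: if it ever fires, the concentrator's idle timer is misconfigured. The second is a heuristic and should feed a review queue rather than an automatic action, because some legitimate applications also send small periodic traffic.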
