Virtual Private Networks
Blog post by Rob Hegarty, Applied Cyber Security Researcher.
VPNs (Virtual Private Networks) enable secure communication across insecure networks such as the Internet.
The Remote Working: 5 Top Tips for SMEs blog post explained that a VPN should be provided to create a secure connection for remote workers to use. This blog post explores the threats a VPN can address and the benefits a VPN may bring to your business, and finally provides some low-cost approaches to deploying a VPN for employees to use while working from home.
It is intended for a non-technical SME audience with limited experience of administering a business network. Larger organisations, and organisations with mature technical capabilities, are encouraged to explore the variety of VPN solutions that may already be included in their firewalls or other network appliances.
While working from home it is best practice to provide employees with business laptops or PCs to use for work. This helps separate personal and work data and enables policies to be enforced that ensure use of the machine complies with your IT policy. Assuming the IT policy is robust, this should go some way to ensuring your business is compliant with legislation such as GDPR. The IT policy on file transfer to personal devices should also be updated, to avoid well-intentioned home users copying files to personal devices and accidentally breaching GDPR.
Unlike home networks, business networks facilitate much more than a connection to the Internet. Intranet sites, network shares, applications and services are all provisioned and made available via the business network. If we simply opened up access to the business network from the Internet without a VPN, we would increase the attack surface of the network significantly. If we selectively open up individual services to remote workers, we expose that traffic to eavesdropping and expose the services themselves to direct attack from the Internet. In addition to these obvious active attacks, ad-hoc provisioning of remote access makes future auditing of systems difficult and opens the network to a whole host of potential vulnerabilities. Furthermore, the protections provided by the business network (firewalls, content filtering, etc.) are bypassed by remote users, as their traffic is not subject to the same protections as the machines inside the business network.
VPNs significantly reduce the attack surface of your network: rather than opening multiple ports to support a variety of services, a single port is opened for a VPN service that authenticates every remote user and encrypts all of their network traffic.
By configuring a VPN, the business network is expanded to include the remote users' machines in a manner that is completely transparent to the user. To all intents and purposes, their machines are inside your business network. This provides some functional benefits in addition to improving security. All network resources will be available to the remote machines, meaning your intranet, file stores and any services hosted on your network will be accessible to your remote workforce. If you have software that requires communication with a licence server, it should also function as if it were inside your network. In addition, network traffic routed through the VPN is subject to the same protections (firewalls, content filtering, etc.) as the rest of your business network; note that this only covers all of a remote machine's traffic if the VPN is configured as a "full tunnel" that routes everything through the business network, rather than only traffic destined for the business network itself.
In order to clear up any ambiguity: the VPN deployments suggested in this section facilitate connections into your network. They are distinct from the commercial services offered to protect privacy or bypass content restrictions (e.g. NordVPN, ProtonVPN, ExpressVPN), although those services employ similar technology.
The VPN server provides the VPN service. It is responsible for configuration, authentication, encryption and routing traffic into and out of your network. A simple low-cost method for deploying a VPN on a small business network is to deploy OpenVPN on a virtual machine or a single-board computer such as a Raspberry Pi. (Note: OpenVPN is the name of both an open-source VPN protocol and software, and of a company offering commercial VPN services; we are referring to the open-source software here.)
The PiVPN project provides simple, straightforward instructions on how to deploy a VPN server.
The client is software installed on the remote machines to enable them to communicate with the server. OpenVPN clients are available for all major desktop and mobile operating systems: download the official client and configure it using the instructions on the PiVPN website.
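As an added example (not code from the original post, nor from the PiVPN or OpenVPN projects), the following POSIX shell script writes the kind of full-tunnel OpenVPN server configuration described above, which needs only one UDP port opened on the business firewall, and checks a client profile for the settings that matter most before it is handed to a remote worker. The hostname vpn.example.com, the office LAN addresses, the /etc/openvpn paths and the two sample client profiles are all assumed or constructed for illustration; in a real deployment PiVPN generates the keys, certificates and client profiles.

```shell
#!/bin/sh
# Added example for this post; it is not code from PiVPN or OpenVPN.
# Assumptions (all hypothetical): OpenVPN 2.4 or newer, key material already
# generated by PiVPN under /etc/openvpn, an office LAN of 192.168.1.0/24 whose
# router (192.168.1.1) resolves internal names, and the public name vpn.example.com.

# Write a full-tunnel OpenVPN server configuration to the file named in $1.
# Only one port, UDP 1194, needs to be opened on the business firewall.
write_server_conf() {
  cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
# certificates and keys generated by PiVPN (placeholder paths)
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh none
ecdh-curve prime256v1
# address pool handed out to remote workers
server 10.8.0.0 255.255.255.0
# full tunnel: all of the remote machine's traffic goes through the business
# network, so it is subject to the same firewall and content filtering
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.1.1"
# pre-shared key that authenticates and encrypts the TLS handshake itself,
# so unauthenticated probes of port 1194 get no reply
tls-crypt /etc/openvpn/ta.key
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
# drop root privileges once the tunnel is up
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
verb 3
EOF
}

# Check a client .ovpn profile before issuing it to a remote worker.
# Prints each missing setting and returns 1 if anything is missing.
check_client_profile() {
  f="$1"
  rc=0
  # the client must insist that the far end presents a *server* certificate;
  # otherwise any issued client certificate could impersonate the server
  grep -q '^remote-cert-tls server' "$f" \
    || { echo "$f: missing 'remote-cert-tls server'"; rc=1; }
  # the control-channel pre-shared key (inline block or file reference)
  grep -Eq '^(<tls-crypt>|tls-crypt )' "$f" \
    || { echo "$f: missing tls-crypt"; rc=1; }
  # an AEAD data cipher rather than a legacy CBC one
  grep -Eq '^(cipher|data-ciphers) AES-(128|256)-GCM' "$f" \
    || { echo "$f: data cipher is not AES-GCM"; rc=1; }
  return $rc
}

# Write two constructed client profiles into directory $1 for demonstration:
# good.ovpn has the required settings, weak.ovpn is the same profile with
# remote-cert-tls removed and a CBC cipher. The inline key is a placeholder;
# PiVPN generates the real one along with the <ca>, <cert> and <key> blocks.
write_sample_profiles() {
  cat > "$1/good.ovpn" <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
00000000000000000000000000000000 (constructed placeholder, not a real key)
-----END OpenVPN Static key V1-----
</tls-crypt>
EOF
  sed -e '/^remote-cert-tls/d' -e 's/AES-256-GCM/AES-256-CBC/' \
    "$1/good.ovpn" > "$1/weak.ovpn"
}

tmp=$(mktemp -d)
write_server_conf "$tmp/server.conf"
write_sample_profiles "$tmp"
check_client_profile "$tmp/good.ovpn" && echo "good.ovpn: OK to issue"
check_client_profile "$tmp/weak.ovpn" || echo "weak.ovpn: fix before issuing"
```

The server configuration is written as a full tunnel on purpose: with `redirect-gateway` pushed to clients, the remote worker's web traffic passes through the business firewall and content filtering, which is the behaviour the post describes. If you only want the business network reachable and are happy for Internet browsing to leave the home connection directly, remove the `redirect-gateway` line. The client check is deliberately strict about `remote-cert-tls server`: without it, anyone holding one of your issued client certificates could pose as the VPN server to another remote worker.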
In some instances it is better to configure a Wi-Fi hotspot that itself holds the VPN connection to your VPN server. You may have employees with multiple devices, or employees who would prefer a simpler way of connecting to your VPN. A VPN hotspot provides a very straightforward solution: the hotspot is configured by your technical team and posted to the remote user. The remote user connects the hotspot to their home router with an Ethernet cable, then connects their devices to the Wi-Fi network provided by the hotspot, using the passphrase set by your technical team. All devices connected to the hotspot are protected by the VPN, with the added benefit of a strong Wi-Fi passphrase chosen by your team rather than the user. Because the hotspot holds the VPN credentials, treat it like a business laptop and revoke its certificate on the server if it is lost or the employee leaves.
A simple guide to configuring a Wi-Fi hotspot with a VPN connection is available here. By substituting the files generated by your own server (see the PiVPN guide above) for the commercial VPN files used in that guide, you can create a secure connection to your VPN server that is accessible via the Wi-Fi hotspot.
An alternative to a dedicated Wi-Fi hotspot is to configure the VPN connection on the home router used by the remote worker. The Remote Working: 5 Top Tips for SMEs post provides an overview of how to configure a router; note that this requires a relatively high level of technical ability.
The usual disclaimers apply to this blog post: these are suggestions rather than endorsements of any particular product or service.