Picture road warriors wirelessly connecting to the corporate network from hot spots at airports or coffee outlets. Just a few years ago, nightmare stories were common of even casual bystanders eavesdropping on corporate communications made in exactly those circumstances.
As a result, there’s a widespread acceptance that Virtual Private Networks (VPNs) are pretty much de rigueur for wireless use on the road.
But just how much security does a VPN provide? The answer, it seems, is not as much as you might imagine.
“People tend to fixate on the word ‘private’ in ‘virtual private network,’” warns Jeremy Cioara, an author of five books for Cisco Press and a security instructor for training provider CBT Nuggets, based in Eugene, Ore. “They’re sitting in Starbucks working at their laptop, and they think that because they’re using a VPN, it’s safe. It isn’t.”
So how should a CISO or CSO go about selecting a VPN that is safe and secure? How should it be configured and managed in order to maintain that security? And to what extent do security provisions in the layers of technology around the VPN impact the overall security of the connection it provides? As growing numbers of remote users communicate with their corporate networks via VPN-over-wireless, such questions are increasingly taking centre stage.
The bottom line: it’s not so much in the VPN itself as in the environment in which it sits that the real vulnerability lies.
When it comes to choosing a VPN, there’s certainly a wide range of choice — and price tags — available. For a free, open-source VPN, for instance, check out OpenVPN, which claims three million users and 150,000 downloads a month. There’s a free VPN built into Microsoft Windows XP, too, in the form of its implementation of the Point-to-Point Tunneling Protocol (PPTP).
Fast-growing, New York-based Castle Brands uses a PPTP-based VPN, having first weighed open source and proprietary VPNs.
“We tried to keep the cost down, without compromising security,” says director of IT Andre Preoteasa. “Throw in the up-front cost of some VPNs, the additional hardware, licence fees and yearly support costs, and costs soon climb. With PPTP, if you’ve got Windows XP, you pretty much have it.”
Initial access to the network is password-based, explains Preoteasa, with subsequent access control following role-based rules maintained on the server in the form of Microsoft Active Directory. “People can’t just go anywhere and open up anything; the accounting guys get accounting access while the sales guys don’t,” he says.
But PPTP isn’t without its shortcomings as a VPN, which is why there are plenty of commercial standalone VPNs on the market, says information security expert Winn Schwartau, founder of security awareness certification firm SCIPP International. Client-based VPNs, as opposed to operating system-based VPNs, he notes, offer a somewhat greater degree of manageability and flexibility — at a price, of course.
“PPTP isn’t ideal, but it’s a lot better than nothing,” says Schwartau. “And unless you’ve got state secrets to protect, PPTP is going to keep away a lot of the ankle-biters. The casual guy at the airport looking for low-hanging fruit is going to look at your connection, see that it’s encrypted and move on. There are still just too many other low-hanging fruit out there, such as doofuses with connections that aren’t encrypted.”
Wireless VPNs: Complex Considerations
But when evaluating commercial-grade VPNs, the complexities multiply. Technology considerations play a surprisingly significant role in the selection process. At the Pentecostal Church of God in Joplin, Mo., for instance, IT director Don Allen found himself going with a VPN solution from N