With working from home becoming the norm for some, more and more networks are being exposed to the outside world to allow employees to work remotely. This introduces a number of risks, not least the risk that your sensitive systems and data become sitting ducks for cyber criminals.
At Project Balance, we work with teams in many different environments from small rural clinics to large corporates. We are passionate about capacity building and giving our clients and their partners practical tools and advice that they can use to boost productivity and stay safe online.
This is the first in a series of technical articles aimed at system administrators, particularly those in lower resource environments, who need a practical way to add a layer of security to their remote workers for free (other than the time taken to set it up). Before I get into the nuts and bolts, it goes without saying that there are a number of risks associated with enabling a remote workforce, particularly:
- Whether you have control over the devices connecting to your network
- Whether employees have received basic cyber hygiene training including the most common risks (such as phishing)
- The security of the employee’s home network
- The physical security of the employee’s equipment including any devices that will store sensitive data.
Think about the data that will be leaving the office and who will have access to it, whether planned or inadvertent. I’ve heard many stories of careless sysadmins enabling remote desktop, VNC, SSH or other remote access interfaces on the sharp end of the network without a thought about the attention it generates. There’s absolutely no good reason to expose non-public applications on the public internet without adding the simple layer of security that a good VPN affords. Excuses range from “but we use strong passwords” to “it’s only temporary” to “but why would anyone be interested in my data?” (seriously!).
Remember that most criminals aren’t necessarily interested in your data. It’s usually your money they’re after, and they will use your data to get it. They might also use you or your organization as leverage to get to an affiliate. Even if there’s no major impact from exposing your data, consider that they can encrypt it and lock you out of your system. Furthermore, even if you don’t play their game and pay their ransom in Bitcoin to get your data back (which is never guaranteed), recovering your systems can be a very costly exercise.
The point of adding a VPN to the mix is to, among other things:
- Secure all traffic and data in transit end-to-end, preventing eavesdropping. Sure, your traffic may already be encrypted because of the applications you use, but this is an extra layer that guarantees that even if an insecure application is used, the traffic will be encrypted between the remote worker and your office.
- Reduce exposed endpoints on the sharp (internet) end of your network. This also avoids exposing applications that attract unwanted attention from cyber criminals.
- Add security redundancy. Not everything works exactly as it says on the box. Zero-day threats are a reality and any application (even your VPN software) will likely at some point or another have a vulnerability exposed for a period of time before it is patched. Having one or more applications exposed directly to the internet puts your network and data at risk unnecessarily. With a VPN, even if the VPN software becomes vulnerable for a time before it is patched, bad actors will still need to deal with the built-in security of your applications such as remote desktop. Without the VPN, only one system needs to be vulnerable for criminals to have an impact.
A great analogy came to me just a week ago. I had parked my stick-shift car on an incline with the handbrake engaged and left it there to take care of business. Five minutes later I heard a noise and my heart sank as I turned to see my car (less than 1000 miles on the clock) backed up into a pole across the road. When I got in to check the handbrake, I found it still engaged. Something had failed and the car went walkies all on its own. Now I could argue how it shouldn’t have happened with the handbrake engaged all I like, but the reality is that if I had added a second layer of security by leaving it in gear when I exited, the pain would easily have been avoided. Don’t wait for the breach to take action.
Before I get into how to set up and configure a VPN, I just want to clarify that this is a self-managed and hosted VPN intended to (for example) secure your systems for remote access by employees. What this is NOT is a VPN for spoofing your location to fool Netflix into thinking you live in New York and not Dar es Salaam so that you can stream your favorite series, or to hide your identity online while you sail the high seas in search of copies of the latest movie filmed on a camcorder in a cinema. For those wanting to call me captain obvious, just Google ‘free VPN’ and you’ll see why I’m making the distinction.
For this tutorial, we’re going to use the free OpenVPN community edition to set up a certificate-based VPN that requires clients to have a secure certificate on their devices to connect to the network. This can be used to secure a single point such as a server or a subnet on your main network. OpenVPN is cross-platform, occupies a small footprint and can be installed on any server (or spare PC) on your network to listen for incoming connections.
To get started, open part 2 of this blog series to learn about setting up a certificate authority.