Thursday 21 May 2015

Updated: How to set up and maintain a VPN

Introduction and VPN checklist

The expansion of BYOD (Bring Your Own Device) across the business landscape has meant that all enterprises have had to re-evaluate their security systems.

And with WYOD (Wear Your Own Device) also making itself felt, ensuring the security of data that moves to and from these devices is vitally important. Research by Cryptzone concluded that:

  • 91% of respondents said that VPNs are still the main form of security for controlling network access, despite the fact that VPN technology was created almost 20 years ago
  • A majority (51%) noted that their access control technology was greater than three years old, and 11% said it was more than 10 years old
  • Only 21% of companies rely on attribute-based controls to secure access – most rely on authentication (93%) and session authorisation (46%)

"It's remarkable that many organisations are still utilising network security technologies developed in the nineties – a time when the internet was still in its infancy," said Kurt Mueffelmann, president and CEO for Cryptzone.

He continued: "Organisations need to accept that outdated access control technologies are not working against today's sophisticated adversaries. The default position should be to make your infrastructure invisible, and then grant access on a case-by-case basis, only after user identity, posture and context have been validated.

"Organisations must stop giving out the keys to the kingdom when it comes to privileged user, third-party and employee access."

Precious data

Information is often the most precious commodity for any business. Think about how your company currently manages its data. A mixture of desktop PCs and a plethora of different mobile devices are likely to be common across your enterprise. How secure are the connections between these devices and the servers they exchange data with?

A VPN or Virtual Private Network is a secure method of connecting a remote computer or other devices to a server. With a geographically dispersed workforce that needs to access what could be highly sensitive personal or commercial information, using an ordinary internet connection – usually a public Wi-Fi hotspot – is simply not secure enough for business use.

VPNs all operate in the same basic way: A secure bridge is created between a tablet or smartphone, for instance, and your business' servers, which can be on your premises or in the cloud. The level of sophistication you will need in terms of choosing the right VPN will depend on how many remote devices you want to connect.


VPN checklist

From a simple browser-based VPN that uses SSL, to more complex systems, there is a VPN for every need. Use this checklist to help guide your decision-making:

1. Perform a data audit to assess the VPN features that are needed

It is important to understand who will connect together using a VPN, and what kind of data they will exchange. This will guide your business to the right VPN protocol to use.

2. What kind of internet connection does your business have at the moment?

VPNs can easily use large quantities of bandwidth, so ensure your business connection can cope with this additional traffic. And don't forget you'll need static IP addresses to avoid the need to set up a new VPN each time a connection is required.

3. The maintenance of a VPN is vital to ensure it stays secure

It is essential to focus on the security aspects of the VPN connection. As a VPN could be in front of or behind a firewall, its security is of paramount importance. Antivirus software should be in place and up-to-date.

4. How to use public Wi-Fi and VPNs

If your business just wants to securely connect its workforce together when they are using public Wi-Fi, this is possible with a number of applications including HotSpot VPN and WiTopia.

5. Ensure that any VPN client is secure

A VPN will use its own client to make the connection to another device or server. The user ID and password will be stored on these devices, which of course could be stolen. Use a personal firewall, or a password on the computer's BIOS, to prevent unauthorised personnel from using the VPN client if the device is stolen.

Steve Roberts, service development manager at business communications provider Vtesse Networks, advises: "When setting up a VPN, organisations must ensure that their provider meets basic security standards such as ISO 27001, which may be required for governance purposes and data protection obligations.

"This is certainly true for PCI certifications too. If the organisation is handling credit card information, it can't afford to fall short when it comes to meeting these regulations."

Choosing a VPN

As with all services you buy for your business, not all VPNs are the same. It is important to spend some time choosing the right VPN, as your business will rely on its efficiency as well as its data encryption ability on a daily basis.

Using a VPN allows two computers to make a secure connection to each other. The connection uses special protocols to establish a temporary bridge between the two machines. The data that travels over the bridge is encrypted.

The address of the recipient is in view so the data can be delivered, but the content of the message is completely hidden during transmission over the VPN. Businesses often also use VPNs to connect servers located in different offices giving employees seamless – and of course secure – access to the files and other assets (such as printers) they need to use.


Network protocol

Before setting up a VPN, the type of network protocol has to be chosen. There are four to consider:

SSL (Secure Socket Layer)

This protocol will be familiar if you shop online or do online banking. SSL is the encryption that these services use. For very small businesses, SSL is ideal as the VPN is set up via an internet browser.

OpenVPN

If cost is an issue, this VPN is based on open source SSL code but as its name suggests, the code can be seen – and potentially hacked – by anyone.

PPTP (Point-to-Point Tunnelling Protocol)

This is the latest type of VPN. It is supported natively by Windows, Mac OS X and mobile operating systems, which makes it ideal in the brave new world of BYOD and WYOD where personal devices need to be secured.

IPsec (Internet Protocol Security) and L2TP (Layer 2 Tunnelling Protocol)

These VPNs are inherently more secure than PPTP, for instance, but are more complex to set up.


If you just need to quickly set up a VPN and are using Windows 8, the operating system has a wizard that walks you through the process. You will need the IP address or the domain name of the computer or server you want to connect to. Note that Windows only supports PPTP and L2TP/IPsec protocols.

And if you choose to use the PPTP protocol, you must ensure the network router is set to forward VPN traffic. There should be instructions on how to do this in the router's manual.

Also, for a VPN to operate effectively, static IP addresses must be used. Some businesses will use dynamic internet connections, which means a new VPN has to be established each time any computers or other devices want to make a secure VPN connection. This isn't ideal and certainly not very efficient for employees working away from their main offices, where they can obtain IT support.
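The maintenance and client-security points in the checklist can be checked on Windows machines with a short script. The following is an added example, not part of the original article: it flags VPN profiles that use PPTP, do not enforce encryption, allow PAP or CHAP, or cache credentials on the device. The property names match what the built-in Get-VpnConnection cmdlet returns; the function name Test-VpnProfile, the two sample profiles and the host vpn.example.com are constructed for illustration.

```powershell
# Added example: audit Windows VPN profiles for weak settings.
# Input objects use the property names returned by Get-VpnConnection.
function Test-VpnProfile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Connection
    )
    process {
        $findings = @()
        # The article rates L2TP/IPsec as more secure than PPTP.
        if ("$($Connection.TunnelType)" -eq 'Pptp') {
            $findings += 'PPTP tunnel in use'
        }
        # 'Optional' lets the session fall back to no encryption.
        if ("$($Connection.EncryptionLevel)" -in 'NoEncryption', 'Optional') {
            $findings += 'encryption not enforced'
        }
        # PAP sends the password in clear; CHAP is a weak challenge-response.
        $weakAuth = @($Connection.AuthenticationMethod) |
            Where-Object { "$_" -in 'Pap', 'Chap' }
        if ($weakAuth) {
            $findings += "weak authentication allowed: $($weakAuth -join ', ')"
        }
        # Checklist item 5: stored credentials go with a stolen device.
        if ($Connection.RememberCredential) {
            $findings += 'credentials cached on device'
        }
        [pscustomobject]@{
            Name     = $Connection.Name
            Server   = $Connection.ServerAddress
            Pass     = ($findings.Count -eq 0)
            Findings = $findings -join '; '
        }
    }
}

# Constructed sample profiles so the check runs on any machine.
$sample = @(
    [pscustomobject]@{ Name = 'HQ-legacy'; ServerAddress = 'vpn.example.com'
        TunnelType = 'Pptp'; EncryptionLevel = 'Optional'
        AuthenticationMethod = @('Chap', 'MSChapv2'); RememberCredential = $true },
    [pscustomobject]@{ Name = 'HQ-l2tp'; ServerAddress = 'vpn.example.com'
        TunnelType = 'L2tp'; EncryptionLevel = 'Required'
        AuthenticationMethod = @('MSChapv2'); RememberCredential = $false }
)
$sample | Test-VpnProfile | Format-List
```

On a managed Windows client, replace the sample with `Get-VpnConnection | Test-VpnProfile` to audit the profiles actually configured for the current user.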

Check the SLA

There are a number of VPN services to choose from. Many of these are free at least for their basic features, which in many cases will suffice for small business needs. However, pay close attention to the SLA (Service Level Agreement) that is attached to these services. Often you will be giving your agreement to see adverts and other annoying content.

As Steve Roberts explained to TechRadar: "The multitude of service providers can be confusing so defining your business requirements beforehand helps to narrow down this list. It will also ensure the business gets the SLA they want, with the right availability, repair time and performance guarantees.

"Some of the providers which lead on price alone offer little more than consumer/residential broadband services – this is probably not suitable for organisations looking for a more robust VPN service."

Leading VPN suppliers include:

Understanding your organisation's precise needs before choosing a VPN service provider is critical. With so much choice available, taking the time to evaluate VPN services on a shortlist will enable your business to see how each platform would be implemented across your company.

Security evolves

How businesses operate these days, with dispersed workforces that require round the clock access to data, has meant a shift in how data is managed. The cloud has of course impacted on how information can be saved and accessed from any location. But should we look at data security differently? This is the question Google is asking.

Traditionally, the first line of defence a business would have against cybercrime would be its firewall. Erected to protect sensitive data behind it, this barrier technology has existed for decades. Google is now arguing that, with the cloud dominating business, security should move to this space. Google explains in its paper, BeyondCorp: A New Approach to Enterprise Security:

"Since the early days of IT infrastructure, enterprises have used perimeter security to protect and gate access to internal resources. The perimeter security model is often compared to a medieval castle: a fortress with thick walls, surrounded by a moat, with a heavily guarded single point of entry and exit.

"Anything located outside the wall is considered dangerous, while anything located inside the wall is trusted. Anyone who makes it past the drawbridge has ready access to the resources of the castle.

"Google's BeyondCorp initiative is moving to a new model that dispenses with a privileged corporate network. Instead, access depends solely on device and user credentials, regardless of a user's network location – be it an enterprise location, a home network, or a hotel or coffee shop. All access to enterprise resources is fully authenticated, fully authorised, and fully encrypted based upon device state and user credentials.

"We can enforce fine-grained access to different parts of enterprise resources. As a result, all Google employees can work successfully from any network, and without the need for a traditional VPN connection into the privileged network. The user experience between local and remote access to enterprise resources is effectively identical, apart from potential differences in latency."


Efficiency and transparency

There is no doubt that the cloud will continue its rise to dominance across the entire business landscape. Current security measures that seek to erect barriers to information access, or create securely encrypted tunnels to connect mobile devices will continue.

The perceived security issues with the cloud do persist, but these are receding. Google's vision of a new security environment is ambitious but could deliver the efficient and transparent security that all businesses need.










from Techradar - All the latest technology news http://ift.tt/1FqoS8x
