How to Improve VPN security

Source: Internet
Author: User
Tags: password protection, secure VPN

As is well known, a VPN (Virtual Private Network) uses a tunnel to carry data between two networks across a wide area network such as the Internet. Because the data travels over a public network, the tunnel technology itself provides a certain level of protection: in an IPsec tunnel, for example, each packet is encrypted and integrity-protected before it is encapsulated for transmission. For an enterprise with high security requirements, however, this one measure is not enough on its own. The tunnel only protects data in transit; it does not decide who may open a tunnel, how long a key stays in use, how strong the cipher is, or whether anyone is watching the connection attempts. Other auxiliary measures, firewalls among them, are needed to bring VPN security to a higher level, and the four below are the ones a CIO should look at first.

Auxiliary measure 1: Use X.509 digital certificates to strengthen identity authentication.

In a virtual private network, identity authentication is the first line of defence. Authentication ensures that a tunnel is established only with a peer whose identity has been verified. To secure VPN connections, the identity of the user, the device, or both should be authenticated.

Currently the most common method is to authenticate an account with a password, so that only users who know the password can establish a tunnel to the enterprise network. Passwords, however, are routinely guessed, brute-forced, phished, or reused from other breached services, and are far less secure than most people assume. Enterprises with high security requirements should therefore use a stronger authentication mechanism. Many now use X.509 digital certificates for identity authentication, because a certificate binds an identity to a private key that is never sent over the network, which is a much stronger proof of identity than a shared password.

To make digital certificates interoperable, the X.509 standard (an ITU-T standard, profiled for Internet use in RFC 5280) defines their format. Because most network devices support this standard, X.509 certificates can be configured on VPN gateways and used throughout the enterprise. When a user tries to establish a VPN connection remotely, the user and the enterprise network may be "a thousand miles apart", so before the connection can succeed each side must be able to confirm the identity of the other. The enterprise needs to confirm that the connection request comes from one of its authorized users, and the user needs to confirm that the gateway being connected to is the genuine one and not an impostor. Being able to confirm the peer's identity simply and reliably is therefore a prerequisite for establishing the connection, and a digital certificate issued by a trusted certificate authority (CA) provides exactly that: each side validates the other's certificate chain against the CA it trusts. Some Cisco network devices offer X.509 certificate authentication as a default identity authentication method, and I believe that in the near future this will become the norm.

The traditional user-name-and-password method is therefore no longer adequate for enterprises with high security requirements, and a CIO who wants to further improve the security of VPN connections should replace it with certificate-based authentication. Note that a certificate proves possession of a private key, so that key must itself be protected (for example on a smart card or hardware token), and the enterprise must be able to revoke a certificate when a device is lost or an employee leaves; in practice a certificate is usually combined with a second factor rather than used alone.
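As an added example (not code from the original article, and not any vendor's implementation), the following Python shows the two halves of certificate authentication at a gateway: a mutual-TLS server context that refuses peers without a certificate from the enterprise CA, and the policy checks applied to the validated certificate afterwards, since a valid chain alone does not say whether this particular user is still allowed in. The certificate dictionary, CA name, authorised users and revoked serial are constructed for the example; the dictionary follows the shape Python's `ssl.SSLSocket.getpeercert()` returns. The same checks apply to an IPsec gateway, which would take the fields from IKE's certificate payload instead.

```python
"""Post-handshake checks on a peer's X.509 certificate (added example, constructed data).

Chain validation (signatures, chaining to a trusted CA) is done by the TLS/IKE
stack; this layer binds the validated certificate to an authorised user and
enforces the validity period and a revocation list on top of that.
"""
import ssl
import time

# Assumed policy values for this example.
TRUSTED_ISSUER_CN = "Example Corp VPN CA"   # only certificates from this CA open a tunnel
AUTHORIZED_USERS = {"alice", "bob"}         # certificate CN -> allowed VPN users
REVOKED_SERIALS = {"0DEADBEEF"}             # serials taken from the CA's CRL (hex, upper case)

# Constructed example of the dictionary shape getpeercert() returns for a
# validated peer certificate; all values are invented.
SAMPLE_PEER_CERT = {
    "subject": ((("countryName", "CN"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "alice"),)),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Corp VPN CA"),)),
    "version": 3,
    "serialNumber": "0A1B2C3D",
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
    "subjectAltName": (("email", "alice@example.com"),),
}


def make_server_context(ca_file: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """TLS server context that refuses any client without a certificate signed
    by the CA in ca_file (mutual TLS). Needs real files, so it is not run here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED              # a client certificate is mandatory
    ctx.load_verify_locations(cafile=ca_file)         # the only CA whose client certs are accepted
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def rdn_value(name, key):
    """Pull one attribute (e.g. commonName) out of the nested RDN tuples that
    getpeercert() uses for 'subject' and 'issuer'."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def authorize_peer(cert: dict, now=None):
    """Decide whether a chain-validated certificate may open a tunnel.
    Returns (allowed, reason). `now` is epoch seconds (UTC); default is the clock."""
    now = time.time() if now is None else now
    issuer_cn = rdn_value(cert.get("issuer", ()), "commonName")
    if issuer_cn != TRUSTED_ISSUER_CN:
        return False, f"issued by untrusted CA {issuer_cn!r}"
    if cert.get("serialNumber", "").upper() in REVOKED_SERIALS:
        return False, "certificate revoked"
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now <= not_after:
        return False, "certificate outside its validity period"
    cn = rdn_value(cert.get("subject", ()), "commonName")
    if cn not in AUTHORIZED_USERS:
        return False, f"{cn!r} holds a valid certificate but is not authorised for VPN access"
    return True, f"user {cn} authenticated by certificate"


if __name__ == "__main__":
    print(authorize_peer(SAMPLE_PEER_CERT, now=1735689600))   # 2025-01-01: inside validity
    print(authorize_peer(SAMPLE_PEER_CERT, now=1800000000))   # 2027: expired
```

The order of the checks matters: issuer and revocation are evaluated before the user lookup, so a revoked certificate for a still-authorised user is rejected, and the reason string is what should go to the log server.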

Auxiliary measure 2: Use automatic key management to protect keys.

Whether traditional user-name-and-password authentication or digital certificate authentication is used, keys are still needed to protect the tunnel itself, so the security of those keys is something the CIO also has to consider. The best way to improve it is to adopt automatic key management.

Many enterprises set up VPN servers for convenience, but many VPN solutions still require keys to be entered manually on each network device (manual keying or static pre-shared keys), and those keys are often left valid for a long time. As the number of users needing VPN connections grows, the management workload grows with it and the security of the connections declines, because a key that never changes only has to be compromised once. Automatic key management solves this problem. It defines a key's validity period and lifetime according to a policy: within that period the key is reused, and once the validity period or lifetime is exceeded a new key is negotiated and the old one is discarded. This leaves an attacker far less time in which a captured or guessed key is of any use.

My company now has a VPN deployment, and automatic key management has been adopted for it. To improve the security of the VPN connection, I set the lifetime of the key to half an hour; that is to say, the key is changed automatically every half hour. Is the management workload huge? Actually, no. Because an automated management policy is used, generating and expiring keys does not require my intervention. I adopted a time-based key generation mechanism. Employees who need to access the enterprise's internal network resources through the VPN are issued a key generator device. The device stores information about the employee, and its time is synchronized with the VPN server. According to a certain algorithm, the device and the VPN server then generate a new key at the same time, based on the user information and the time, and at that moment the original key becomes invalid. When an employee wants to connect to the VPN, they enter the latest key. Of course, existing connections are not affected. Through this automatic key management policy, my company's VPN applications have not been attacked for several years.
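As an added example (not the author's system and not any vendor's code), here is one way the scheme described above can be built with standard Python, assuming an HMAC-based time-step derivation in the style of RFC 6238 TOTP: the device and the server share a per-employee secret, each computes the index of the current 30-minute window from its own clock, and both derive the window's key from the secret, the employee ID and that index. The old key stops being accepted the moment the window changes, and the server stores only the secrets, never the keys. The employee IDs and secrets are constructed.

```python
"""Time-based automatic key management (added example, constructed data)."""
import hashlib
import hmac
import time

LIFETIME = 30 * 60  # key lifetime in seconds: half an hour, as in the text above

# Constructed per-employee secrets, provisioned once on the employee's key
# generator device and on the VPN server (in practice: secrets.token_bytes(32)).
EMPLOYEE_SECRETS = {
    "alice": bytes.fromhex("5b2a8f2d4c6e1a0b9d8c7f6e5d4c3b2a19080706050403020100ffeeddccbbaa"),
    "bob":   bytes.fromhex("00112233445566778899aabbccddeeff0123456789abcdef0123456789abcdef"),
}


def time_step(now: float, lifetime: int = LIFETIME) -> int:
    """Index of the current lifetime window since the Unix epoch.
    Both sides compute it from their synchronised clocks, so it changes on
    both at the same moment; that is what invalidates the old key."""
    return int(now) // lifetime


def derive_key(secret: bytes, employee_id: str, step: int) -> str:
    """Key for one window: HMAC-SHA256 over (employee id || window index).
    A key seen by an attacker reveals neither the secret nor any other
    window's key, so a captured key is useless once the window has passed."""
    msg = employee_id.encode("utf-8") + step.to_bytes(8, "big")
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return digest[:16].hex()  # 128-bit key, hex-encoded so the employee can type it


class KeyGenerator:
    """The employee's device: holds the secret and a clock synchronised with the server."""

    def __init__(self, employee_id: str, secret: bytes):
        self.employee_id = employee_id
        self.secret = secret

    def current_key(self, now=None) -> str:
        now = time.time() if now is None else now
        return derive_key(self.secret, self.employee_id, time_step(now))


class VpnServer:
    """Server side: recomputes the expected key instead of storing it."""

    def __init__(self, secrets_by_employee: dict, skew_steps: int = 0):
        self.secrets = secrets_by_employee
        self.skew_steps = skew_steps  # windows of clock drift to tolerate (0 = strict)

    def verify(self, employee_id: str, presented_key: str, now=None) -> bool:
        secret = self.secrets.get(employee_id)
        if secret is None:
            return False                      # unknown employee: nothing to derive
        now = time.time() if now is None else now
        step = time_step(now)
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            expected = derive_key(secret, employee_id, step + delta)
            if hmac.compare_digest(expected, presented_key):   # constant-time compare
                return True
        return False


if __name__ == "__main__":
    device = KeyGenerator("alice", EMPLOYEE_SECRETS["alice"])
    server = VpnServer(EMPLOYEE_SECRETS)
    t0 = 3_600_000  # start of a window (a multiple of 1800)
    key = device.current_key(now=t0)
    print("accepted at t0:      ", server.verify("alice", key, now=t0))
    print("accepted at t0+1799: ", server.verify("alice", key, now=t0 + 1799))
    print("accepted at t0+1800: ", server.verify("alice", key, now=t0 + 1800))
```

`skew_steps` is the one knob that trades security for usability: with the strict default a device whose clock has drifted past the window boundary is refused, and raising it to 1 keeps the previous and next window's keys valid as well, which doubles or triples the time a captured key stays usable.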

Auxiliary measure 3: Use stronger encryption algorithms.

User data is encrypted before it is transmitted through the VPN tunnel, but different encryption algorithms offer very different security levels, and the whole point of using a VPN for remote access is to make that access secure. Common VPN solutions support many encryption methods. A secure solution should offer several modern algorithms and allow the weak ones to be disabled, and the key lengths it supports must meet or exceed the currently recommended minimum: for example AES with 128-bit or 256-bit keys rather than DES or 3DES, whose 56-bit and effective 112-bit keys are no longer considered adequate. Choosing a stronger algorithm and a longer key significantly raises the security of the connection, because the work needed to brute-force a key grows exponentially with its length, not linearly: every additional bit doubles the number of keys an attacker must try, so a 128-bit key is not a little over twice as hard to exhaust as a 56-bit one but 2^72 times as hard.

In addition, the solution should support an IPsec security policy. IPsec is a set of standards from the IETF, and products that comply with them can interoperate seamlessly. If the enterprise VPN solution supports IPsec, not only is VPN security greatly improved, but there is also more flexibility: it can be integrated with the solutions and network devices the enterprise adopts in the future. IPsec is mainly used to protect the data carried in the VPN tunnel. Data on the Internet is carried by IP, which splits it into packets, and plain IP packets have no encryption, integrity protection, or authentication of their own, so they are exposed to spoofing, sniffing, session hijacking, and man-in-the-middle attacks. IPsec was designed to close these gaps and solves the three main security problems of data transmission over the Internet: it provides confidentiality (packets are encrypted with ESP), data origin authentication, and integrity (the integrity check in ESP or AH). Using IPsec also means keys can be negotiated automatically with Internet Key Exchange (IKE), which establishes a security association (SA) between two devices; the SA describes the policy (algorithms, keys, and lifetimes) used to process the traffic between them.

Therefore, if the CIO configures strong encryption algorithms for the VPN connection, or adopts an IPsec security policy, VPN security can be greatly improved. Note that an IPsec security policy is not automatically part of a traditional VPN solution: VPN and IPsec are two independent technologies, but they can be integrated, and many network devices, including Cisco's, now support building VPN applications on an IPsec platform. This is good news for companies with high security requirements.

Auxiliary measure 4: Support remote log management.

As the number of network devices in an enterprise grows, managing each one individually becomes a huge workload, and some devices inevitably end up in blind spots that nobody watches. A secure VPN solution should therefore support remote log management: the VPN server should be able to record and audit events on an independent log server, that is, forward its logs automatically to a central server. These logs contain user connection information as well as records of attempts to establish unauthorized connections. Managing this information on one log server reduces the CIO's workload and gives complete coverage, which removes the blind spots. It is therefore best for a CIO to set up a centralized management platform for the VPN and other network applications. For example, our company has now deployed a central log server. The logs of our network devices and solutions are managed centrally; exceptions in network devices and in the VPN and other application solutions all appear on this log server, and through log filtering, alarms, and similar functions our CIO can promptly learn of anomalies and attack events. For the central log to be trustworthy, the forwarding channel should be reliable and authenticated (for example syslog over TLS), so that an attacker who compromises the VPN gateway cannot silently erase the evidence, and the clocks of the gateway and the log server should be synchronized so that events from different devices can be correlated.
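As an added example (not from the original article and not a vendor's product), the Python below runs two detections over VPN authentication events as they might arrive on the central log server: a burst of failed logins from one source address, and a successful login from a source that is still inside such a burst, which is what a guessed password looks like in the log. The log lines and their `AUTH_OK`/`AUTH_FAIL` message format are constructed for the example; a real gateway's format needs its own regular expression, but the sliding-window logic is the same.

```python
"""Detections over VPN authentication logs on a central log server (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in a syslog-style layout. The AUTH_OK/AUTH_FAIL
# message format is invented for this example, not any vendor's real format.
SAMPLE_LOG = """\
Mar 12 09:14:02 vpn-gw1 vpnd[2113]: AUTH_OK user=alice src=203.0.113.45
Mar 12 09:14:10 vpn-gw1 vpnd[2113]: AUTH_FAIL user=jsmith src=198.51.100.23 reason=bad-password
Mar 12 09:14:12 vpn-gw1 vpnd[2113]: AUTH_FAIL user=jsmith src=198.51.100.23 reason=bad-password
Mar 12 09:14:13 vpn-gw1 vpnd[2113]: AUTH_FAIL user=admin src=198.51.100.23 reason=unknown-user
Mar 12 09:14:15 vpn-gw1 vpnd[2113]: AUTH_FAIL user=root src=198.51.100.23 reason=unknown-user
Mar 12 09:14:16 vpn-gw1 vpnd[2113]: AUTH_FAIL user=bob src=198.51.100.23 reason=bad-password
Mar 12 09:14:40 vpn-gw1 vpnd[2113]: AUTH_OK user=bob src=198.51.100.23
Mar 12 09:20:01 vpn-gw1 vpnd[2113]: AUTH_FAIL user=carol src=192.0.2.8 reason=bad-password
Mar 12 09:20:30 vpn-gw1 vpnd[2113]: AUTH_OK user=carol src=192.0.2.8
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) \S+: "
    r"(?P<event>AUTH_OK|AUTH_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)"
    r"(?: reason=(?P<reason>\S+))?$"
)


def parse_line(line: str, year: int = 2024):
    """Parse one line into a dict, or return None for lines that are not auth events.
    Syslog timestamps carry no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = " ".join(m["ts"].split())           # collapse the padding before single-digit days
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    return ev


def detect(lines, window_seconds: int = 60, threshold: int = 5):
    """One pass over the lines, two detections per source address:
    - brute_force: `threshold` failures inside `window_seconds`, raised once when crossed
    - success_after_failures: a successful login from a source still inside such a burst"""
    alerts = []
    recent_failures = defaultdict(deque)     # src -> timestamps of failures inside the window
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent_failures[ev["src"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()                      # slide the window forward
        if ev["event"] == "AUTH_FAIL":
            q.append(ev["ts"])
            if len(q) == threshold:
                alerts.append({"type": "brute_force", "src": ev["src"],
                               "user": ev["user"], "ts": ev["ts"]})
        elif len(q) >= threshold:
            alerts.append({"type": "success_after_failures", "src": ev["src"],
                           "user": ev["user"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(f"{alert['ts']:%H:%M:%S} {alert['type']:24} src={alert['src']} user={alert['user']}")
```

The second detection is the one worth paging on: a burst of failures alone may be a user with a stale saved password, but a success from the same source minutes later means the guessing worked and the account should be disabled until the owner is contacted.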

The measures above not only improve the security of VPN connections; a CIO can also use them as criteria when selecting a VPN solution. If the enterprise has high requirements on network and information security, as companies with their own brands and R&D capabilities or financial enterprises do, it is best to add these extra locks to the VPN solution and further improve the security of the virtual private network.
