Jeff Schilling, CSO, Armor
Vendor VPNs are generally good if they are setup in a trusted, secure manner. The conditions to consider when saying “Yes” to VPN access are simple, but critical. First, the functions/roles and access of the vendor must be approached with a role based access model (for individual VPN access) and a whitelisted functional approach for a link to link connections. In other words, it must be clearly defined what can happen over that VPN access and all other attempts must be denied. Second, the VPN access should be engineered with the appropriate/best of breed end to end and link to link encryption. Third, for a vendor to have access to your enterprise network, somewhere in the authentication process, there must be a two, if not three factor authentication. And, finally, between the vendor and enterprise, there should be an aggregation point that enforces access and privilege policies. If a Vendor VPN can meet these four4 criteria, then deploying a VPN is a no-brainer.
Matt McLimans, senior network security engineer, Warren Rogers
The Target breach caused our organization to reconsider how we were using our customer's VPN clients. In the past, we were provided vendor VPN access by our customers to perform routine maintenance on our system components. However, we viewed our customers' VPNs as a security threat to our own organization and our customers' organizations for the following reasons: First, our company had limited control over how our customers were delegating the security for the VPN. For example, did the vendor VPN require the use of strong authentication methodologies like multifactor authentication? Once connected to the VPN, were minimum access privileges being enforced? What about routine password overturn? Second, since it was not our VPN client, what was preventing the vendor VPN from being installed on personal devices? What could we do to prevent those personal devices from being compromised?
For a solution to this threat, we could have voiced an ideal VPN policy to our customers, but that approach would place our customers in a potential position where they would have to allocate additional capital and resources for our services. We decided to implement a jump server that stands as a single access point for our devices in our customer's network. The jump server allows us to enforce the strictest security policies including multifactor authentication, password enforcement, encryption methodologies, and logging capabilities.