With a VPN scenario, users can access their corporate network from home or while travelling, using a variety of hardware and software devices. You could install VPN client software directly on the PC, or use a hardware VPN client. Neither of these provides firewalling on its own, but some people believe that with a point-to-point VPN connection you don't need it. We'll discuss that further below.

Alternatively, a dedicated firewall with VPN capabilities, or a router which provides all this functionality and can also perform more complex tasks such as acting as a DHCP server for the PCs or performing NAT, can be used for better security and more flexibility. The choice may depend on how mobile the user is, or whether the remote VPN access is only ever used from one location, as it is for home workers. Up-to-date anti-virus software should be installed as standard.

Risks
While your users are connected over an encrypted tunnel end-to-end, you might think your network would be reasonably safe. However, there are risks.

If you have split tunnelling enabled at the VPN client, only traffic for corporate addresses goes over the VPN; your users' ordinary Internet traffic leaves directly from their local connection. That exposes each client to the outside world with only its local firewalling capabilities (if any) for protection.

The sort of threats you can expect if you don't protect your end devices carefully are reconnaissance attacks, where attackers scan for answering IP addresses and open ports, and IP spoofing, as a prelude to attempted unauthorised access to your network devices and client machines.

You may have an end-to-end tunnel for your user data, but what about the device doing the routing and firewalling? If it can be compromised, you have opened up your corporate network to an intruder. SOHO-type routers often don't have particularly strong protection on their administrative interface. If an attacker manages to log in to the router/firewall, they can reconfigure it to allow free access from the Internet to the user's PC, bypassing any firewall rules or access lists.

If it's just a hardware VPN terminator, there aren't even any firewall safeguards to break, and it is an easy matter to hop to the network port of the PC. From there an attacker may well be able to access the PC itself, gaining a free view of confidential company information and email addresses. They can potentially hijack that PC to access the corporate network, send and receive email, and log in to internal servers.

Even if an attacker can't get into the end-user PC, once on the router they can still use it to reach corporate services. They can impersonate that PC's connection (it's an easy matter to determine its IP address from the DHCP lease table or the ARP cache) and gain access to your network that way.

If you only have software VPN/firewall capabilities on the PC itself, you may find that you don't have the ability to protect it against port scanning, reconnaissance and IP spoofing attacks.

Mitigation
To make the most of your strong corporate firewalling, disable split tunnelling. Your users' Internet traffic will then have to travel back over the VPN connection and out through your central Internet link, but that gives you the greatest control and security. If someone does compromise a remote user's hardware, their path to it runs via the corporate Internet link rather than directly to the end station over the Internet, and is more likely to be spotted.
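Whether split tunnelling is really off is something you can verify on the client rather than take on trust from a policy screen. The following is an added example, not code from the original article: it classifies a Linux routing table (the output of `ip route show`, with the VPN on an assumed interface called tun0 and the home network on wlan0) as a split tunnel, a full tunnel, or no tunnel at all. It also handles the common case where a VPN client forces a full tunnel not by replacing the default route but by adding two /1 routes that cover the whole address space and win on prefix length. The three routing tables are constructed for the example.

```python
import re
from collections import namedtuple

Route = namedtuple("Route", "dst dev metric")

# One line of `ip route show`: destination first, `dev <iface>` somewhere after it,
# and an optional `metric <n>` (Linux prefers the lowest metric for equal prefixes).
_ROUTE_RE = re.compile(
    r"^(?P<dst>\S+)\s.*?\bdev\s+(?P<dev>\S+)(?:.*?\bmetric\s+(?P<metric>\d+))?"
)

# Constructed routing tables (assumed interface names: tun0 is the VPN, wlan0 the
# home network). They are made up for this example, not captured from a real host.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

# Full tunnel done with two /1 routes: they override the default without replacing it,
# and a host route keeps the VPN server itself reachable via the real gateway.
FULL_TUNNEL_DEF1 = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
203.0.113.10 via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

# Full tunnel done with a lower-metric default route through the VPN.
FULL_TUNNEL_DEFAULT = """\
default via 10.8.0.1 dev tun0 metric 50
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""


def parse_routes(text):
    """Turn `ip route show` output into Route tuples; unrecognised lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = _ROUTE_RE.match(line.strip())
        if m:
            routes.append(Route(m["dst"], m["dev"], int(m["metric"] or 0)))
    return routes


def tunnel_mode(route_text, tun_iface="tun0"):
    """'full' if all Internet-bound traffic leaves via tun_iface, 'split' if only some
    prefixes do, 'none' if no route uses the tunnel at all."""
    routes = parse_routes(route_text)
    via_tun = [r for r in routes if r.dev == tun_iface]
    if not via_tun:
        return "none"
    # Case 1: the preferred (lowest-metric) default route points at the tunnel.
    defaults = sorted((r for r in routes if r.dst == "default"), key=lambda r: r.metric)
    if defaults and defaults[0].dev == tun_iface:
        return "full"
    # Case 2: 0.0.0.0/1 + 128.0.0.0/1 via the tunnel cover the whole IPv4 space and
    # beat the /0 default on prefix length, so the default route is never consulted.
    if {"0.0.0.0/1", "128.0.0.0/1"} <= {r.dst for r in via_tun}:
        return "full"
    return "split"


if __name__ == "__main__":
    for name, table in [("split", SPLIT_TUNNEL), ("def1", FULL_TUNNEL_DEF1),
                        ("default", FULL_TUNNEL_DEFAULT)]:
        print(f"{name:8s} -> {tunnel_mode(table)}")
```

On a real client you would feed it the live output of `ip route show`; a result of "split" on a machine that is supposed to be fully tunnelled is exactly the exposure described in the Risks section above. The check covers IPv4 only; a client that tunnels IPv4 but leaves an IPv6 default route on the local interface is still split-tunnelled in practice, and `ip -6 route show` needs the same treatment.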

Ensure that remote routers and firewalls have strong protection for administrative access. Don't give them any less security than you would the main router at your head office: one compromised remote router opens up your network perimeter. Log all access attempts and abnormal behaviour on your firewalls, routers and end stations, and investigate the logs.
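Logging is only worth doing if something reads the logs for the reconnaissance pattern described in the Risks section: one source touching many ports on a host, or one port on many hosts, in a short time. The following is an added example, not code from the original article. It parses firewall log lines in the shape of the Linux netfilter LOG output as written to syslog (the lines themselves are constructed for the example, with documentation addresses) and flags port scans and host sweeps using a sliding time window, so that a burst of probes is reported while two unrelated connections an hour apart are not.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime

Event = namedtuple("Event", "ts src dst proto dpt")

# Syslog timestamp, then the netfilter fields we care about. Fields between DST and
# PROTO (LEN, TTL, ...) are skipped, and DPT is absent for ICMP, so both are optional.
_LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)(?:.*?DPT=(?P<dpt>\d+))?"
)

# Constructed sample in the shape of netfilter LOG lines in syslog. The addresses and
# times are invented for this example, not captured from a real router.
SAMPLE_LOG = """\
Mar  3 10:15:01 rtr kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=21 SYN
Mar  3 10:15:01 rtr kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40002 DPT=22 SYN
Mar  3 10:15:02 rtr kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40003 DPT=23 SYN
Mar  3 10:15:02 rtr kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40004 DPT=25 SYN
Mar  3 10:15:03 rtr kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40005 DPT=80 SYN
Mar  3 10:15:03 rtr kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40006 DPT=443 SYN
Mar  3 10:15:05 rtr kernel: IN=ppp0 OUT= SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP SPT=51000 DPT=443 SYN
Mar  3 10:15:09 rtr kernel: IN=ppp0 OUT= SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP SPT=51001 DPT=443 SYN
Mar  3 10:16:10 rtr kernel: IN=ppp0 OUT= SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP SPT=42000 DPT=22 SYN
Mar  3 10:16:11 rtr kernel: IN=ppp0 OUT= SRC=198.51.100.9 DST=203.0.113.11 PROTO=TCP SPT=42001 DPT=22 SYN
Mar  3 10:16:12 rtr kernel: IN=ppp0 OUT= SRC=198.51.100.9 DST=203.0.113.12 PROTO=TCP SPT=42002 DPT=22 SYN
Mar  3 10:16:13 rtr kernel: IN=ppp0 OUT= SRC=198.51.100.9 DST=203.0.113.13 PROTO=TCP SPT=42003 DPT=22 SYN
Mar  3 10:16:14 rtr kernel: IN=ppp0 OUT= SRC=198.51.100.9 DST=203.0.113.14 PROTO=TCP SPT=42004 DPT=22 SYN
Mar  3 10:20:00 rtr kernel: IN=ppp0 OUT= SRC=192.0.2.90 DST=203.0.113.10 PROTO=TCP SPT=43000 DPT=80 SYN
Mar  3 10:20:01 rtr kernel: IN=ppp0 OUT= SRC=192.0.2.90 DST=203.0.113.10 PROTO=TCP SPT=43001 DPT=443 SYN
Mar  3 10:20:02 rtr kernel: IN=ppp0 OUT= SRC=192.0.2.90 DST=203.0.113.10 PROTO=TCP SPT=43002 DPT=8080 SYN
Mar  3 10:40:00 rtr kernel: IN=ppp0 OUT= SRC=192.0.2.90 DST=203.0.113.10 PROTO=TCP SPT=43003 DPT=21 SYN
Mar  3 10:40:01 rtr kernel: IN=ppp0 OUT= SRC=192.0.2.90 DST=203.0.113.10 PROTO=TCP SPT=43004 DPT=22 SYN
Mar  3 10:40:02 rtr kernel: IN=ppp0 OUT= SRC=192.0.2.90 DST=203.0.113.10 PROTO=TCP SPT=43005 DPT=23 SYN
Mar  3 10:41:00 rtr kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=ICMP TYPE=8 CODE=0
"""


def parse_log(text):
    """Parse log lines into Events; lines that are not firewall hits are ignored.
    Syslog carries no year, so the timestamps are only good for deltas within a day."""
    events = []
    for line in text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        dpt = int(m["dpt"]) if m["dpt"] else None
        events.append(Event(ts, m["src"], m["dst"], m["proto"], dpt))
    return events


def _sources_hitting(events, key_fn, min_distinct, window_s):
    """For each source, slide a window_s-second window over its events and keep the
    largest set of distinct key_fn values seen inside one window, if it reaches
    min_distinct. Returns {src: sorted keys}."""
    by_src = defaultdict(list)
    for e in events:
        k = key_fn(e)
        if k is not None:
            by_src[e.src].append((e.ts, k))
    findings = {}
    for src, items in by_src.items():
        items.sort()
        best, start = set(), 0
        for end in range(len(items)):
            while (items[end][0] - items[start][0]).total_seconds() > window_s:
                start += 1
            distinct = {k for _, k in items[start:end + 1]}
            if len(distinct) >= min_distinct and len(distinct) > len(best):
                best = distinct
        if best:
            findings[src] = sorted(best)
    return findings


def find_port_scans(events, min_ports=5, window_s=60):
    """Vertical scan: one source probing many ports within the window."""
    return _sources_hitting(events, lambda e: e.dpt, min_ports, window_s)


def find_host_sweeps(events, min_hosts=5, window_s=60):
    """Horizontal sweep: one source probing many hosts within the window."""
    return _sources_hitting(events, lambda e: e.dst, min_hosts, window_s)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("port scans :", find_port_scans(evs))
    print("host sweeps:", find_host_sweeps(evs))
    print("slow scans :", find_port_scans(evs, window_s=3600))
```

With the default 60-second window the burst from 198.51.100.7 and the sweep by 198.51.100.9 are reported, while 192.0.2.90, which spreads six probes over twenty minutes, is not; widening the window to an hour catches it too. That is the trade-off to make deliberately: a scanner that knows your threshold will slow down to stay under it, so keep the raw logs and run the same analysis over longer windows as well.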

Ensure that remote-access VPNs use strong encryption and, just as importantly, authenticate both ends of the tunnel; encryption on its own does not stop a man-in-the-middle attack if the client will accept any peer that offers to encrypt.

Implement one-time passwords, using the likes of SecurID or soft-token mechanisms, so that if someone does compromise a user's PC they cannot reuse its credentials to access the corporate network: each generated code is valid only once, and they won't be able to produce the next one without the token.

Host intrusion detection on the end stations would spot someone trying to break into them or install back-door software and, where it can also block what it detects, helps prevent the hijacking of a PC.

An experienced attacker may still find a way in via your remote users, but taking all these steps will make things very difficult and is likely to send most off to look for an easier target.