A virtual private network (VPN) is a secure connection that can allow remote access to a corporate network. A VPN acts as a tunnel to send and receive data securely and to allow users to interact and work as though they are onsite. This publication introduces some of the considerations when an organization is looking to use VPN technologies for business purposes.
How VPNs work
A VPN conceals incoming and outgoing data through a secure tunnel. A VPN tunnel encrypts the data being transmitted between 2 parties over an untrusted network, such as the Internet.
Types of VPNs
There are various types of VPNs your organization can consider.
- Gateway-to-gateway: Used to connect 2 networks by creating a VPN over a public network and securing traffic between them. This type of VPN is typically used to connect remote office sites
- Host-to-gateway (remote access): Used to provide remote access to an enterprise network, such as from a remote worker’s laptop
- Host-to-host: Used to connect a host to a specific resource on an enterprise network or another specific host
- Third-party privacy: Used to secure a connection from a public access point, such as an airport or hotel Wi-Fi hotspot, to a third-party VPN provider. The provider then redirects the user’s traffic to make it appear to originate from the third party’s network
Protocols
The protocols most widely used for VPNs are Internet Protocol Security (IPsec) and Transport Layer Security (TLS).
It is recommended that IPsec be used for VPN access as a primary consideration. IPsec is an open standard, meaning that anyone can build a client or server which will work with other IPsec implementations.
TLS VPNs often use custom, non-standard features to tunnel traffic via TLS. Using custom or non-standard features can expose your organization to additional risk, even when the TLS parameters used by products are secure.
Choosing a VPN
Before choosing a VPN, your organization should assess its business needs and capabilities and weigh the risks. As noted, the 2 most common protocols, IPsec and TLS, determine how data is sent, received and secured.
IPsec has 2 optional modes, transport mode or tunnel mode, depending on your organization’s needs and capability to configure either option.
- In transport mode, the original IP header is retained and only the payload data within the original IP packet is encrypted. This mode is less complex than tunnel mode and is used for direct communication between 2 hosts within an established secure IPsec tunnel
- In tunnel mode, the entire original IP packet is encapsulated within a new IP packet. A new IP header is added on top of the original packet
  - This mode is useful for protecting traffic between different networks or for connecting distant branches securely
  - Tunnel mode is commonly used for business VPNs
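As an added example (not code from the original publication), the following Python builds a constructed IPv4 packet and wraps it in ESP both ways described above, showing that transport mode leaves the two hosts' addresses readable on the wire while tunnel mode exposes only the gateway addresses. The addresses, key and the HMAC-based stand-in cipher are assumptions; real ESP uses AES-GCM and carries a trailer and integrity check value that are omitted here.

```python
import hashlib, hmac, socket, struct

# Constructed endpoints (RFC 5737 documentation ranges) and a demo key: assumptions.
HOST_A, HOST_B = "192.0.2.10", "198.51.100.20"   # the two communicating hosts
GW_A, GW_B = "203.0.113.1", "203.0.113.2"        # the two IPsec gateways
KEY = b"constructed-demo-key"
ESP = 50  # IP protocol number of the Encapsulating Security Payload

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header with no options; checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def stand_in_cipher(data, seq):
    """HMAC-SHA256 counter-mode keystream XOR: a stand-in for ESP's AES-GCM so the
    example runs on the standard library alone. Symmetric, so it also decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(KEY, struct.pack("!II", seq, off), hashlib.sha256).digest()
        out += bytes(p ^ k for p, k in zip(data[off:off + 32], ks))
    return bytes(out)

def visible_addrs(pkt):
    """Source and destination an on-path observer reads from the outer header."""
    src, dst = struct.unpack("!4s4s", pkt[12:20])
    return socket.inet_ntoa(src), socket.inet_ntoa(dst)

def esp_transport(inner, spi=0x1000, seq=1):
    """Transport mode: the original IP header is kept; only its payload is encrypted.
    ESP header = SPI + sequence number (trailer and ICV omitted for brevity)."""
    esp = struct.pack("!II", spi, seq) + stand_in_cipher(inner[20:], seq)
    src, dst = visible_addrs(inner)
    return ipv4_header(src, dst, ESP, len(esp)) + esp

def esp_tunnel(inner, spi=0x2000, seq=1):
    """Tunnel mode: the whole original packet is encrypted and a new IP header,
    addressed gateway to gateway, is placed in front of it."""
    esp = struct.pack("!II", spi, seq) + stand_in_cipher(inner, seq)
    return ipv4_header(GW_A, GW_B, ESP, len(esp)) + esp

def esp_tunnel_decapsulate(outer, seq=1):
    """Receiving gateway: strip outer and ESP headers, recover the inner packet."""
    return stand_in_cipher(outer[28:], seq)

# Constructed inner packet: a TCP segment (protocol 6) from HOST_A to HOST_B.
PAYLOAD = b"constructed application data"
ORIGINAL = ipv4_header(HOST_A, HOST_B, 6, len(PAYLOAD)) + PAYLOAD
```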
An IPsec VPN client is built into many operating systems and no additional products are required to deploy a VPN. However, some third-party networks restrict or block IPsec traffic, so your mobile devices may be unable to create the VPN connection.
A TLS-based VPN solution may be clientless and accessed via a web browser. In this configuration, it’s important to have strict security restrictions on the server since TLS in a web browser is designed for accessing websites via HTTPS. This configuration also exposes a public web interface and may have a greater risk of split tunnelling.
TLS VPNs that use a third-party client and server will rarely interoperate. Your organization will need to use both from the same vendor. While TLS is a standardized protocol, how it is used to create a VPN is not.
Your organization should assess its specific business needs before choosing a VPN protocol framework.
Risks of using a VPN
The security provided by a VPN solution depends on proper configuration and consistent use of the VPN within your organization. Before purchasing a VPN solution, your organization should ensure it aligns with your security policies and the standards presented in this publication. The VPN solution must also align with the intended needs of your organization as this can affect which VPN to choose.
Your organization may have increased levels of risk due to the following circumstances:
- A VPN may not be able to provide the desired level of security should misconfigurations occur or if cryptographic modules lacking Cryptographic Module Validation Program (CMVP) certification are accepted or applied
  - The CMVP is a joint validation program between the U.S. National Institute of Standards and Technology and the Canadian Centre for Cyber Security
  - This program gives federal agencies a security metric to help them acquire appropriate equipment
- Threat actors can attack vulnerabilities within VPNs, which can lead to exploitation that grants access to, and captures, sensitive data
  - Examples of such attacks are
    - credential harvesting
    - remote code execution on the VPN device
    - weakening and possible hijacking of traffic sessions
- Outdated systems can increase the risk of vulnerabilities
  - You should make sure to use the latest patches and versions to ensure the system is up to date and working at optimal levels
- Certain practices like split tunnelling can negate the security of the VPN
  - Split tunnelling allows you to divide your network traffic and route certain data through an encrypted VPN tunnel and other data through an open network
  - This allows for possible bridging between the open Internet and the secure tunnel, putting your data at risk
  - Your organization should avoid split tunnelling as much as possible
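Split tunnelling is visible in a client's routing table, so it can be checked rather than assumed. The following Python is an added example (not from the original publication) that parses constructed `ip route` output and reports which destinations would bypass the VPN; it also covers the forced-tunnelling recommendation later in this publication, where the expected result is that nothing bypasses the tunnel. The interface names, addresses and probe destinations are assumptions.

```python
import ipaddress

# Constructed routing tables in `ip route` format (assumptions: "tun0" is the VPN
# interface, "wlan0" the local Wi-Fi, 10.8.0.1 the VPN gateway's tunnel address).
SPLIT_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""
# Forced tunnelling as many clients implement it: two /1 routes beat the default
# route, and only the VPN gateway's public address (203.0.113.7) stays on wlan0.
FORCED_TUNNEL_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.7 via 192.168.1.1 dev wlan0
"""

def parse_routes(text):
    """Return (network, interface) pairs from `ip route` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(prefix, strict=False), dev))
    return routes

def egress_interface(routes, dst):
    """Longest-prefix match, the same selection rule the kernel applies."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(matches)[1] if matches else None

# Constructed probe destinations: an internal host plus two public (RFC 5737) addresses.
PROBES = ("10.1.2.3", "198.51.100.80", "192.0.2.44")

def leaking_destinations(route_text, vpn_dev="tun0", probes=PROBES):
    """Probes whose traffic would leave outside the VPN: evidence of split tunnelling."""
    routes = parse_routes(route_text)
    return [p for p in probes if egress_interface(routes, p) != vpn_dev]
```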
Remember that a VPN does not provide security against users clicking on a malicious link or downloading malicious content.
Protecting your data when using a VPN
Your organization should assess the type and value of data being sent and accessed through a VPN to understand the associated risks. You should implement clear policies for employees using a VPN to remotely access corporate servers.
We strongly recommend that configuration of either IPsec or TLS be done in accordance with Guidance on securely configuring network protocols (ITSP.40.062).
When using a VPN solution, your organization should consider the following industry standards:
- Restrict external access to the VPN device by port and protocol
  - For IPsec VPNs, allow only UDP ports 500 and 4500 and Encapsulating Security Payload (ESP) traffic (transport mode)
  - For TLS VPNs, allow only TCP port 443 or other necessary ports and protocols. Limit additional ports and protocols as much as possible
- Patch the web interface regularly if using TLS VPNs
- Use a forced VPN to align with your organization’s security posture and capabilities, where possible
  - A forced VPN or forced tunnelling is when an organization sends all its data through the VPN
  - This includes Internet browsing and remote access and is a safer method than split tunnelling
- Activate multi-factor authentication (MFA) and use phishing-resistant factors such as
  - an application authenticator
  - biometrics
  - hard tokens
- Require employees to use a privileged access workstation when accessing sensitive accounts (administrator or privileged users) over a VPN
- Use enterprise-managed controls to ensure employees use a VPN when connected to any network that does not leverage your organization’s security capabilities, such as public Wi-Fi
- Protect and monitor access to and from the VPN in use. Your VPN capabilities should include common security practices such as
  - intrusion prevention systems (logging and monitoring)
  - web application firewalls
  - network segmentation
- Implement application-layer encryption of the data before it is sent over a VPN when there are concerns about the sensitivity of the data
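The port and protocol allowlists above can be both enforced and audited. The following Python is an added example (not from the original publication): it turns the IPsec and TLS allowlists into nftables rule lines and reviews constructed netfilter LOG lines from the VPN device for inbound hits that fall outside the allowlist. The log prefix, interface name and addresses are assumptions.

```python
import re

# Allowlists from the guidance above: what a VPN device should accept from outside.
ALLOWED = {
    "ipsec": {("UDP", 500), ("UDP", 4500), ("ESP", None)},
    "tls": {("TCP", 443)},
}

# Constructed Linux netfilter LOG lines (assumption: the device logs inbound hits
# with a "VPN-IN:" prefix; addresses are RFC 5737 documentation ranges).
SAMPLE_LOG = [
    "kernel: VPN-IN: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.7 LEN=60 PROTO=UDP SPT=500 DPT=500",
    "kernel: VPN-IN: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.7 LEN=120 PROTO=ESP SPI=0x1000abcd",
    "kernel: VPN-IN: IN=eth0 OUT= SRC=192.0.2.66 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=51234 DPT=22",
    "kernel: VPN-IN: IN=eth0 OUT= SRC=192.0.2.66 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=51235 DPT=443",
    "kernel: VPN-IN: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.7 LEN=60 PROTO=UDP SPT=4500 DPT=4500",
]

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\w+)(?:.*?DPT=(?P<dpt>\d+))?")

def parse_log_line(line):
    """Extract (src, proto, dport) from a LOG line; dport is None for ESP, which has no ports."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["src"], m["proto"], int(m["dpt"]) if m["dpt"] else None

def unexpected_traffic(lines, vpn_type):
    """Inbound hits outside the allowlist for the given VPN type: each one is either a
    firewall rule that is too broad or a probe worth investigating."""
    allowed = ALLOWED[vpn_type]
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec and (rec[1], rec[2]) not in allowed:
            hits.append(rec)
    return hits

def nft_rules(vpn_type, iface="eth0"):
    """nftables rule lines that implement the same allowlist (assumed interface name)."""
    rules = []
    for proto, port in sorted(ALLOWED[vpn_type], key=str):
        if port is None:   # protocol without ports, e.g. ESP
            rules.append(f'iifname "{iface}" ip protocol {proto.lower()} accept')
        else:
            rules.append(f'iifname "{iface}" {proto.lower()} dport {port} accept')
    return rules
```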
Learn more
For additional information, we also recommend you review guidance from our partner organizations, which has been leveraged here. Specifically, from the National Cyber Security Centre (UK), as well as a joint document from the U.S. National Security Agency and Cybersecurity and Infrastructure Security Agency.
- Virtual Private Networks (National Cyber Security Centre)
- Selecting and Hardening Remote Access Virtual Private Network Solutions (PDF, 414KB) (National Security Agency and Cybersecurity and Infrastructure Security Agency)
- Using encryption to keep your sensitive data secure (ITSAP.40.016)
- Steps for effectively deploying multi-factor authentication (MFA) (ITSAP.00.105)
- Wi-Fi security (ITSP.80.002)
- Guidance on using tokenization for cloud-based services (ITSP.50.108)