Implementing Best Practices

Basic Hygiene

Visibility
  1. Send logs of administrative access and VPN usage securely to a central server.

  2. Log all network traffic, both accepted and dropped.

  3. Alert on the following conditions:

    1. Successful login after three (3) or more failures.

    2. Multiple simultaneous logins by any user.

    3. Logins from new sources and geographic locations.

    4. Network sessions to and from new endpoints.

    5. Unsolicited outbound network sessions from VPN appliances.

    6. Connections to and from new geographies.

    7. Unscheduled changes to configurations and network policies.

  4. Build views of allowed and blocked traffic to measure the impact of more robust network policies.
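The first three alert conditions above (success after repeated failures, simultaneous logins by one user, logins from new sources) can be checked by replaying the central authentication log. The following is an added example, not code from the original page or any vendor: it parses a constructed, hypothetical one-line-per-event log format (adapt LINE_RE to your appliance's syslog output), and the sample log lines and the known-source list are constructed for the example.

```python
"""Alerting over VPN authentication logs (added example; not from the page).

The log format matched below is a constructed, hypothetical one chosen for this
example; adapt LINE_RE to the syslog output of your own appliance. The sample
lines and the known-source history are constructed as well.
"""
import re
from collections import Counter, defaultdict

# Hypothetical log format (constructed for this example):
#   <ts> <host> vpn: event=login|logout user=<name> src=<ip> result=OK|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) vpn: event=(?P<event>login|logout) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: alice fails three times then succeeds; bob holds two
# sessions at once, the second from a source never seen before; carol logs in
# from a new source after a single failure.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z vpn1 vpn: event=login user=alice src=203.0.113.10 result=FAIL
2024-03-01T08:00:05Z vpn1 vpn: event=login user=alice src=203.0.113.10 result=FAIL
2024-03-01T08:00:09Z vpn1 vpn: event=login user=alice src=203.0.113.10 result=FAIL
2024-03-01T08:00:15Z vpn1 vpn: event=login user=alice src=203.0.113.10 result=OK
2024-03-01T08:05:00Z vpn1 vpn: event=login user=bob src=198.51.100.7 result=OK
2024-03-01T08:06:30Z vpn1 vpn: event=login user=bob src=192.0.2.44 result=OK
2024-03-01T09:00:00Z vpn1 vpn: event=logout user=bob src=198.51.100.7 result=OK
2024-03-01T09:10:00Z vpn1 vpn: event=login user=carol src=203.0.113.200 result=FAIL
2024-03-01T09:10:20Z vpn1 vpn: event=login user=carol src=203.0.113.200 result=OK
"""

# Sources already seen before this log (in practice, per-user history from the SIEM).
KNOWN_SOURCES = {"203.0.113.10", "198.51.100.7"}


def parse_line(line):
    """Return the event fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def alerts_for(lines, known_sources, fail_threshold=3):
    """Replay a log and return (rule, user, detail) tuples for three conditions:
    a successful login after >= fail_threshold consecutive failures, more than
    one open session for a user, and a login from a source not seen before."""
    alerts = []
    failures = defaultdict(int)        # consecutive failed logins per user
    active = defaultdict(Counter)      # user -> {src: number of open sessions}
    known = set(known_sources)         # copy, so the caller's history is not mutated
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                   # unparseable lines are skipped, not fatal
        user, src, ts = ev["user"], ev["src"], ev["ts"]
        if ev["event"] == "logout":
            if active[user][src] > 0:
                active[user][src] -= 1
            continue
        if ev["result"] == "FAIL":
            failures[user] += 1
            continue
        # Successful login from here on.
        if failures[user] >= fail_threshold:
            alerts.append(("success_after_failures", user,
                           f"{ts}: OK from {src} after {failures[user]} failures"))
        failures[user] = 0
        if src not in known:
            alerts.append(("new_source", user, f"{ts}: first login from {src}"))
            known.add(src)
        active[user][src] += 1
        open_sessions = sum(active[user].values())
        if open_sessions > 1:
            srcs = sorted(s for s, n in active[user].items() if n)
            alerts.append(("concurrent_logins", user,
                           f"{ts}: {open_sessions} open sessions from {srcs}"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in alerts_for(SAMPLE_LOG.splitlines(), KNOWN_SOURCES):
        print(f"ALERT {rule:<24} {user:<8} {detail}")
```

The failure counter is reset on every success, so the rule fires on a burst of failures immediately followed by success (a guessed or sprayed password) rather than on failures scattered over days; the "new source" check is keyed on a global history here and should be keyed per user in a real deployment, where geo-IP enrichment of the source field also gives the new-geography condition.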

Default Deny
  1. Block access to administrative interfaces from public networks.

  2. Block unsolicited outbound sessions to external networks from the device itself.

  3. Only allow access to ports required for VPN operation.

  4. Block access to VPN services from unnecessary sources.

    1. Block network traffic from geographic regions without authorized users.

    2. Block network traffic from cloud service providers without an authorized service or user.

  5. Restrict network access. The VPN appliance should not have direct network connectivity to systems critical to business operations.

Least Privilege
  1. Restrict administrative access to authorized users.

  2. Restrict access to VPN services to remote services and users with a defined need.

  3. Restrict permissions granted to service accounts or authorization tokens utilized by the appliance.

Segmentation
  1. Place VPN systems in a DMZ segment dedicated to receiving new remote sessions.

Configuration
  1. Monitor software updates from your vendor.

    1. Apply within 3 days of release.

  2. Keep secured backups of the appliance configuration and test restoring them at least annually.

  3. Disable unused services on the VPN device.

  4. Require multi-factor authentication for all access (admin and user).

Advanced Hygiene

Visibility
  1. Send logs related to VPN software operation to a central logging point securely.

  2. Improve alerting by adding detections for:

    1. Interruptions in logged events.

    2. Software crashes and restarts.

    3. Weak encryption in use.

    4. Out of hours access times.

    5. Large transfers.

    6. Long lived sessions.

Default Deny
  1. Restrict network sessions from the VPN concentrator to internal segments that do not host resources needed by VPN users.

  2. Restrict admin access to authorized internal networks.

  3. Use client posture checks to limit or restrict access to internal resources to authorized devices operating according to security policies.

Least Privilege
  1. Restrict access to administrative or sensitive interfaces based on network segments.

  2. Restrict access to internal resources by user role.

  3. Implement at least 2 roles of administrative access:

    1. Full administrators with access to all VPN system functions.

    2. Support users with limited administrative access sufficient to troubleshoot VPN access issues.

Segmentation
  1. Place the VPN concentrator in a dedicated network segment with network policy enforcement provided by a different device from the one serving VPN sessions.

  2. Disable split tunneling for high risk personnel (executive, finance, IT administration).

Configuration
  1. Apply a hardening guide from a reputable government (https://media.defense.gov/2021/Sep/28/2002863184/-1/-1/0/CSI_SELECTING-HARDENING-REMOTE-ACCESS-VPNS-20210928.PDF), third party (https://www.cisecurity.org/cis-benchmarks/) or vendor source. Focus first on the items that address high risk at low resource cost.

Resilient Operations

Visibility
  1. Implement behavior analysis:

    1. “Superman” rules alerting on impossible geographic sources based on time and distance.

    2. Geography, source IP, destination IP, session duration, and transfer sizes tracked per device and user with anomaly alerting.

    3. Track patterns of administrator access and actions taken, with alerts for abnormal behaviors.
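The session-level detections called for under Advanced Hygiene (long lived sessions, large transfers) and the behavior analysis above (the "Superman" rule, per-user tracking of geography and transfer sizes) all operate on the same per-session records. The following is an added example, not code from the original page or any vendor: the session records are constructed, the lat/lon fields are assumed to have been filled in by a geo-IP lookup done elsewhere, and the thresholds (900 km/h, 100 km geo-IP tolerance, 12 h, 10x the user's median) are illustrative assumptions to be tuned per environment.

```python
"""Behavior analysis over VPN session records (added example; not from the page).

Records are constructed for this example; lat/lon are assumed to come from a
geo-IP lookup performed elsewhere. All thresholds are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from statistics import median

MAX_SPEED_KMH = 900        # faster than any airliner: travel is impossible
MIN_DISTANCE_KM = 100      # ignore geo-IP jitter within one metro area
MAX_SESSION_HOURS = 12     # longer than this is a long lived session
TRANSFER_FACTOR = 10       # alert when bytes > factor * the user's median
MIN_HISTORY = 2            # other sessions needed before a baseline is trusted

# Constructed records: alice logs in from London and two hours later from New
# York; bob keeps one session open for 16.5 h and later moves 2 GB in one session.
SESSIONS = [
    {"user": "alice", "src": "203.0.113.10", "lat": 51.50, "lon": -0.12,
     "start": "2024-03-01T08:00:00", "end": "2024-03-01T09:00:00", "bytes": 50_000_000},
    {"user": "alice", "src": "198.51.100.7", "lat": 40.71, "lon": -74.01,
     "start": "2024-03-01T10:00:00", "end": "2024-03-01T11:00:00", "bytes": 60_000_000},
    {"user": "bob", "src": "192.0.2.44", "lat": 48.86, "lon": 2.35,
     "start": "2024-03-01T07:00:00", "end": "2024-03-01T23:30:00", "bytes": 40_000_000},
    {"user": "bob", "src": "192.0.2.45", "lat": 48.86, "lon": 2.35,
     "start": "2024-03-02T08:00:00", "end": "2024-03-02T09:00:00", "bytes": 45_000_000},
    {"user": "bob", "src": "192.0.2.45", "lat": 48.86, "lon": 2.35,
     "start": "2024-03-03T08:00:00", "end": "2024-03-03T09:00:00", "bytes": 2_000_000_000},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def _hours(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def _by_user(sessions):
    groups = defaultdict(list)
    for s in sessions:
        groups[s["user"]].append(s)
    return groups


def impossible_travel(sessions):
    """Superman rule: consecutive logins by one user that imply travel above MAX_SPEED_KMH."""
    alerts = []
    for user, recs in _by_user(sessions).items():
        recs = sorted(recs, key=lambda s: s["start"])     # ISO timestamps sort as strings
        for prev, cur in zip(recs, recs[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist < MIN_DISTANCE_KM:
                continue
            hours = _hours(prev["start"], cur["start"])
            # Same timestamp with a real distance between them is itself impossible.
            if hours <= 0 or dist / hours > MAX_SPEED_KMH:
                alerts.append(("impossible_travel", user,
                               f"{dist:.0f} km in {hours:.2f} h ({prev['src']} -> {cur['src']})"))
    return alerts


def long_lived_sessions(sessions):
    """Sessions open longer than MAX_SESSION_HOURS."""
    return [("long_lived_session", s["user"], f"{_hours(s['start'], s['end']):.1f} h from {s['src']}")
            for s in sessions if _hours(s["start"], s["end"]) > MAX_SESSION_HOURS]


def large_transfers(sessions):
    """Sessions whose volume dwarfs the same user's other sessions (leave-one-out median)."""
    alerts = []
    for user, recs in _by_user(sessions).items():
        for s in recs:
            others = [r["bytes"] for r in recs if r is not s]
            if len(others) < MIN_HISTORY:
                continue                                  # no trustworthy baseline yet
            baseline = median(others)
            if s["bytes"] > TRANSFER_FACTOR * baseline:
                alerts.append(("large_transfer", user, f"{s['bytes']} bytes vs median {baseline:.0f}"))
    return alerts


def behavior_alerts(sessions):
    return impossible_travel(sessions) + long_lived_sessions(sessions) + large_transfers(sessions)


if __name__ == "__main__":
    for rule, user, detail in behavior_alerts(SESSIONS):
        print(f"ALERT {rule:<20} {user:<8} {detail}")
```

The per-user median with the session under test left out keeps a single huge transfer from inflating its own baseline, and the minimum-history guard keeps new accounts from being compared against nothing; the distance tolerance matters because geo-IP placement of consumer and mobile addresses routinely moves by tens of kilometres between logins without anyone travelling.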

Default Deny
  1. Implement default deny policies for all inbound and outbound traffic on all VPN interfaces.

  2. Implement application layer default deny policies if possible, based on VPN technology used.

Segmentation
  1. Deploy separate physical security devices, ideally from different vendors, to defend the internet-facing and internal-facing VPN interfaces.

  2. Disable split tunneling for all users.

Configuration
  1. Harden configuration as much as possible using guides from reputable governments, third parties, and vendors.

  2. Review configurations annually.

VPN Resources