What to ask when purchasing a VPN

When selecting a remote access solution it is important to give the right consideration not just to the actual mechanism for access but, most importantly, to getting the environment set up and configured correctly. These are the critical questions buyers should be asking when it comes to selecting and implementing a secure remote access solution:

Does it have the correct credentials?

Here at Babble, we would suggest that a link to the main company directory, for example Active Directory, Azure AD or Okta, is used so that users authenticate with their standard credentials or use SSO. This will make the end user experience easier and enforce companywide policies when logging in. It will also allow for easier auditing of access in the future.

Is there an option for multi factor authentication (MFA)?

MFA is more than just password-protected access – it requires at least two methods of verifying identity, for example a password plus a code sent by text message, to prevent unauthorised access using stolen credentials. Requiring a second factor at login reduces the risk inherent in a password-only approach.

What do I connect to?

Connect to hostnames secured with certificates, not IP addresses. The benefits are twofold; firstly it provides a method of verifying that the end user is connecting to the correct location, and secondly it allows changes to be made to the remote IP address without having to update the client connection details in the future. It’s ideal for maintenance and DR planning.

Can I enforce lockout policies?

Keep it tight by enforcing strict lockout policies to prevent brute-force attacks: allow only a set number of incorrect login or password attempts before the account is locked, and alert an admin when that happens. Better safe than sorry!

Can I restrict the access?

Keeping access to a minimum, for example by restricting it to only the required services and ports, ensures that once a user is connected to the internal network it is not possible to attempt to reach higher-level systems within the environment.

Can I make access individual?

Restricting user access based on their role within the business and their need to reach certain areas of the environment ensures that they can only use the systems they are permitted to. If all available apps are assigned to all users, the attack surface is much greater, and you want to reduce it wherever possible.

Can I implement geo restrictions?

Users are widespread but not necessarily global in all businesses. Implement geo restrictions so that connections are only allowed from countries that are required for business operations, for example UK-only with all other outside access locked down.

Can I implement time restrictions?

Users may want or need to work around the clock but is that true for all of them? Look to implement time restrictions so that users can only connect during certain hours. Attackers will often try to gain access to a system outside of business hours when they could be less likely to get spotted. This is another way to reduce your risk.
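The lockout, per-role access, geo and time restrictions described above are all policy checks that a VPN gateway evaluates on each connection attempt. The following is an added example, not Babble's code or any particular VPN product's logic: a small policy evaluator run over a handful of constructed login events. The policy values (five failed attempts before lockout, UK-only access, a 07:00 to 20:00 window, and the role-to-app mapping) and the event data are assumptions chosen for illustration.

```python
"""Added example (not from the original article): evaluate VPN login events
against lockout, geo, time-window and role-based access policies."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Set, Tuple

# Policy values below are assumptions for the example, not vendor defaults.
MAX_FAILED_ATTEMPTS = 5                       # lock the account on the 5th failure
ALLOWED_COUNTRIES: Set[str] = {"GB"}          # UK-only, everything else locked down
WORK_HOURS: Tuple[time, time] = (time(7, 0), time(20, 0))
ROLE_APPS: Dict[str, Set[str]] = {            # least privilege: apps per role
    "finance": {"erp", "fileshare"},
    "helpdesk": {"ticketing", "fileshare"},
}


@dataclass
class LoginEvent:
    user: str
    role: str
    country: str        # ISO country code derived from the source IP
    when: datetime      # local time of the attempt
    app: str            # internal application the user is trying to reach
    password_ok: bool
    mfa_ok: bool


@dataclass
class PolicyEngine:
    failures: Dict[str, int] = field(default_factory=dict)
    locked: Set[str] = field(default_factory=set)
    alerts: List[str] = field(default_factory=list)   # what an admin would be told

    def evaluate(self, ev: LoginEvent) -> str:
        """Return 'allow' or a 'deny:<reason>' string for one attempt."""
        if ev.user in self.locked:
            return "deny:locked"
        # Geo and time restrictions are checked before credentials are even tried.
        if ev.country not in ALLOWED_COUNTRIES:
            return "deny:geo"
        start, end = WORK_HOURS
        if not (start <= ev.when.time() < end):
            return "deny:time"
        # Password and MFA must both succeed; each failure counts towards lockout.
        if not (ev.password_ok and ev.mfa_ok):
            count = self.failures.get(ev.user, 0) + 1
            self.failures[ev.user] = count
            if count >= MAX_FAILED_ATTEMPTS:
                self.locked.add(ev.user)
                self.alerts.append(f"lockout: {ev.user} after {count} failures")
                return "deny:locked"
            return "deny:credentials"
        self.failures[ev.user] = 0
        # Role-based restriction: only the apps assigned to this role are reachable.
        if ev.app not in ROLE_APPS.get(ev.role, set()):
            return "deny:role"
        return "allow"


def run_sample() -> Tuple[PolicyEngine, List[str]]:
    """Run constructed sample events through the engine and return the decisions."""
    d = datetime  # shorthand for the constructed timestamps
    events = [
        LoginEvent("alice", "finance", "GB", d(2024, 3, 4, 9, 0), "erp", True, True),
        LoginEvent("alice", "finance", "GB", d(2024, 3, 4, 9, 5), "ticketing", True, True),
        LoginEvent("bob", "helpdesk", "US", d(2024, 3, 4, 10, 0), "ticketing", True, True),
        LoginEvent("bob", "helpdesk", "GB", d(2024, 3, 4, 2, 0), "ticketing", True, True),
    ]
    # Five bad-password attempts against one account, then a correct one.
    events += [LoginEvent("mallory", "finance", "GB", d(2024, 3, 4, 11, i), "erp", False, False)
               for i in range(5)]
    events.append(LoginEvent("mallory", "finance", "GB", d(2024, 3, 4, 11, 10), "erp", True, True))
    engine = PolicyEngine()
    decisions = [engine.evaluate(ev) for ev in events]
    return engine, decisions


if __name__ == "__main__":
    eng, results = run_sample()
    for r in results:
        print(r)
    print(eng.alerts)
```

Note that the correct credentials presented after the lockout are still refused, and that the lockout produces an alert rather than silently failing; both are the behaviours the lockout question above is asking a vendor to confirm.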