“Our aim is to provide our customers with the reassurance that they can trade in a secure online environment at all times. To this end the relationship with Ambersail Assured will provide us with the required high level of guidance and protection in the pursuit of this.”
Security Manager, Birmingham Midshires.
Why Is VPN Penetration Testing So Important?
VPNs provide a direct and trusted link into your networks. Security is paramount.
Due to current Coronavirus restrictions, home working is now the norm for millions of workers across the world. To support home working, VPN technology is invaluable, allowing staff to sign in securely and perform their day-to-day roles.
The connectivity that VPN products provide needs to be carefully controlled. You only want the right people accessing your networks.
To confirm access is secure, many companies perform a security or penetration test.
VPN Penetration Testing finds issues that can lead to the remote access service becoming unavailable, meaning that your remote workers would not be able to function properly.
Testing also finds weak configuration. This can lead to unauthorised people being able to access the VPN and your internal network, including your confidential data and applications.
VPN Penetration Testing confirms how secure your remote access or VPN solution is. Clearly, the robust implementation and maintenance of any remote access or VPN solution is of huge importance to all organisations.
Secure Your Remote Access Quickly & Easily
We have been performing penetration testing for many years. We understand what is really important to our clients.
We make it easy for companies to understand what we test and what we find. Results are very clear, making it easy to fix any problems.
Contact us to get started.
How Do We Go About Testing?
We use a proven testing methodology that is based upon our many years of experience in penetration testing.
When we are dealing with VPNs, we are very interested in the following:
- What remote access software is being used. In recent times, there has been a spike in vulnerabilities with certain products. This has led to a number of organisations being compromised. The first check is to make sure that the version of software in use is the latest available version.
- How the VPN is implemented. This is particularly relevant when a solution may have been set up at short notice. Often, poor or insecure default values may have been used for expediency, and not tidied up later. We will check this and advise on security improvements.
- How accessible the VPN is. Sometimes it is not necessary for a remote access service to be visible to the whole world. We can advise on firewall updates that could help reduce visibility of the VPN. This is a great “defence in depth” measure.
… We Perform A Detailed Examination
We pay very close attention to the configuration of your remote access solution.
Authentication comes first. There are many ways in which a user can authenticate to a VPN. Certain VPNs are designed to join networks together over the Internet. These “site-to-site” systems can be just as vulnerable and can be overlooked as their presence isn’t immediately obvious to the ordinary user.
In most cases, the authentication scheme in use will be based upon:
- A pre-shared key (PSK). These systems should use a key which is securely generated and is practically impossible to extract. Some poorly configured VPNs can facilitate brute-force enumeration of keys.
- A two-factor authentication (2FA) scheme. More commonly used in end-user remote access scenarios, 2FA commonly involves the use of a password and another factor such as a one-time passcode, a token, or a client certificate. Often these are accessed via synchronisation with a third party token generator such as Google Authenticator.
- Other methods involving Windows domain credentials. This scheme extends the credentials used on the internal network to external users whilst maintaining central control of user access.
Poor implementation of any of the above can lead to unwanted people accessing your internal data and applications.
Another key area is encryption. Sometimes, VPN solutions will allow less secure connections to be made for certain users or older versions of software. This might seem convenient, but poorly configured cryptography will undermine the security of the data being transmitted over the VPN.
Again, issues here can lead to unauthorised access to your data assets.
It Is Not All About VPNs
In all of the above, we can use the term “remote access service” or “VPN” more or less interchangeably.
The truth is that there are a multitude of ways in which remote access can be set up. All of them should be evaluated for security issues.
Other examples include:
- Microsoft Remote Desktop (RDP). This is very easy to set up. However, if not set up properly, it can quickly expose your organisation to serious threat.
- Secure Shell (SSH). Often used by technical staff for remote server administration purposes. Sometimes these connections can be set up and forgotten about, particularly if done as a quick fix for an immediate network issue.
- Citrix remote application and desktop access. This popular technology provides access to applications as if they were running on the user’s local machine.
- Other remote desktop support software such as VNC, TeamViewer, LogMeIn, Chrome Remote Desktop, and Zoho Assist.
Poor security choices with any of the above may expose your internal systems to unauthorised use.