The Covid-19 pandemic forced many companies to use a VPN to enable teleworking. Problem: they weren't necessarily ready. The cause: undersized servers, lack of training and poor practices. Telecoms expert and ORSYS trainer Charlie Le Hoangan* takes a look at VPNs, an essential component of corporate cybersecurity strategies.
While teleworking was still an isolated practice in France, Covid-19 has pushed companies decisively towards it. In the space of a few days, a majority of the employees who could work remotely, most of them managers, had their working environment moved to their home.
However, to enable all its employees to stay at home while retaining access to the internal network, a company has only one solution: the VPN. While some companies already have VPNs in place, others have had to adapt their system to the number of teleworkers... or even take an interest in it for the first time. "When the crisis arrived," explains Charlie Le Hoangan, consultant and trainer at ORSYS, "companies were not ready. They did what they could to adapt to teleworking when they were forced to do so and, in the rush, simply ran into logistical problems."
Giving employees access means setting up a system both on the company's premises and on their laptops.
What is a VPN?
VPN, or Virtual Private Network, is not a new technology. "We've long had the technical means to implement teleworking. The problem is more one of management resistance," says Le Hoangan.
A VPN is used to provide private use of a public or shared network. In practice, the VPN allows the teleworker to access the company network via the public network by creating a secure virtual pipe. "The idea is that teleworkers can access their company's tools, applications and servers as if they were physically present."
Confusion between "onsite" and "online" VPNs?
VPNs are often equated with online tools for achieving anonymity on the Internet. Charlie Le Hoangan is surprised by the confusion: "The objective is not at all the same. What these 'online VPN' services are selling is anonymisation; they allow users who don't want to be tracked or traced to connect via a server acting as a relay. The term 'VPN' in this case is purely commercial."
Under-sized VPNs?
Massive use of teleworking has often led to problems with VPN sizing. Faced with this type of influx, server saturation is inevitable.
You can't improvise an effective VPN for the long term. "To increase the number of accesses, the company is obliged to equip itself more heavily, with professional hardware and servers sized to support thousands of connections. So we have to move on from a simple software installation for a handful of people to much more expensive equipment that has nothing to do with it. (...) The computing power needed to encrypt communications is much greater, and must be done on specially adapted machines."
VPN in practice
At company level
The first problem? Preconceived ideas about security... "A VPN is not necessarily secure. Some techniques simply separate traffic. Using a secure VPN means that you have implemented cryptology techniques to, in a simplified way, encrypt the data so that it cannot be intercepted."
One solution is for the company to rely on an operator. To connect to the company network, teleworkers use the operator's systems, and it is the operator that separates the traffic. This is known as Trusted VPN. But to use this technique securely, companies also need to equip themselves on site. To begin with, this means installing client software on employees' computers. This software enables a secure dialogue with the VPN servers installed on the premises (key exchange, encryption, etc.). Once everything is in place, all the teleworker has to do is activate the software installed on their laptop.
At the individual level
Individually, it's just as important to follow some basic VPN best practices. "You have to remember that it's a tool for connecting to the business. From there, everything you do can have an impact on the company. This means that the VPN should only be opened for strictly professional use. It must be cut for any personal use, and remember also to cut it off at the end of your working day. Partitioning. An attack or an intrusion via your computer while the VPN is running has an impact on the company's servers."
When it comes to cyber security, raising awareness and providing regular training for employees are essential. And VPN is no exception. After all, giving employees access to the VPN client means extending the company network. That doesn't mean it needs to be any less secure. A badly configured or badly used tool is no longer an asset but a risk.
Especially as, according to Le Hoangan, VPNs are set to continue to be democratised with the practice of teleworking: "The health crisis and the ensuing lockdown have made us realise that teleworking is inevitable these days. But anticipating the introduction of teleworking means giving ourselves the means to develop the tools that go with it correctly, and as securely as possible: optimal configuration of VPNs, but also of firewalls, installing anti-virus software on communication systems, etc." Because, in the end, the VPN is just one tool in a vast system that needs to be put in place. And you have to start somewhere.
*Charlie Le Hoangan
Consultant specialising in telecoms. After 10 years working for a number of major manufacturers, he set up his own company in 1989, through which he offers his services as a consultant in computer networks, with a particular focus on security. It was also in 1989 that he started giving training courses on these same subjects.