By Michael Hatalla
We often hear from our business customers that their employees are working remotely or outside of the office on a more regular basis. Whether at home or at a local coffee shop, these employees need a secure way to access corporate data.
There are a few ways to accomplish this. If your company has a proper firewall in place, it will most likely support either an SSL VPN or an IPsec VPN solution.
VPN stands for Virtual Private Network. A VPN is an encrypted connection, or tunnel, between your computer and the firewall at the office over the internet. This type of connection makes it appear that the user is on their local network, regardless of their location.
As more and more businesses allow their employees to work from home or remotely, VPNs are becoming more and more important to keeping corporate data and applications secure.
To set up a VPN, a company can purchase a stand-alone VPN appliance; purchase a multifunction device that offers VPN capability, such as a next-generation firewall or unified threat management firewall; or buy VPN as a service, using a virtual VPN device.
This decision is often made at the recommendation of their IT staff or provider. These solutions can vary in price and functionality, depending on the technology used and the size of the implementation.
A properly implemented VPN solution not only provides a secure connection, but also uses the employee’s credentials to permit or deny access to systems once they are connected securely to the network. This is very important for all organizations, as there may be certain applications or data stores that are sensitive and that you may not want all users to have open access to.
Using HR as an example, one could grant all HR staff remote access to the employee files, while a remote salesperson would be denied access to these files, based simply on their login credentials. In the same way, companies can allow consultants to work on projects by giving them VPN access to only the project files they need. This allows the internal staff and the external consultants to exchange project files easily and securely.
The bad guys
VPNs are so important today because of malicious parties that are looking to steal your data or your clients’ data. It seems every week another Fortune 500 company has suffered some type of data breach, the most recent being Facebook announcing that 50 million users’ data had been compromised. Whether you work for a Fortune 500 company or a company with five employees, you are likely going to have access to user data that may include personally identifiable information, which could be used by hackers to steal identities.
One of the most common attacks, and one that has been around for a long time, is called a “man in the middle” attack. The premise is simple: a bad guy inserts himself into the middle of a conversation between two parties and relays their messages to each other without either party being aware of the third person. In an internet context, this means that the middle party has the ability to read everything sent by either party and also alter it.
Here’s an example of how a “man in the middle” attack plays out. Let’s say “Joe” sets up a fake wireless access point in a public location, a coffee shop for example. He gives the fake access point a legitimate-sounding name such as ‘coffeeshop_free_wifi’ and before long, customers are starting to connect to that access point instead of the legitimate one.
At that point, Joe has inserted himself into the data stream between your device and the internet at large, and can capture all of your traffic. If you’re not using encryption, that also means Joe can now read all of your traffic and potentially modify it. However, if you are using a VPN in this scenario, even if you’ve connected to Joe’s fake access point, Joe will only be able to see your encrypted data, which will be unreadable and of little use.