The Covid-19 pandemic has forced many companies to use a VPN to enable teleworking. Problem: they weren't necessarily ready. The cause: the undersizing of servers, lack of training and bad practices. Telecoms expert and ORSYS trainer, Charlie Le Hoangan* discusses VPN, an essential device for companies' cybersecurity strategy.
While teleworking was still an isolated practice in France, Covid-19 caused businesses to take a decisive turn. In a few days, a majority of employees, mostly executives, able to work remotely saw their work environment moved to their homes.
However, to allow all its employees to stay at home while maintaining access to the internal network, a company only has one solution: the VPN. Already in place for some, others have had to readjust their system to the number of teleworkers... or even take an interest in it for the first time. “When the crisis arrived”, explains Charlie Le Hoangan, consultant and trainer at ORSYS, “Companies were not ready. They did what they could to adapt to teleworking when they were forced to do so and, in the rush, simply experienced logistical problems. »
Providing access to employees involves setting up a system both on company premises and on laptops.
What is a VPN?
VPN, or “Virtual Private Network”, is not a new technology. “We have had the technical means to implement teleworking for a long time. The problem comes more from resistance at the management level”, specifies Le Hoangan.
A VPN “ is used to provide private use of a public or shared network. In practice, the VPN allows the teleworker to access his company's network through the public network by creating a secure virtual pipe. » The idea is that teleworkers can access their company's tools, applications or servers as if they were physically present there.
Confusion between “on-site” VPN and “online” VPN?
VPNs are often thought of as online tools that allow you to become anonymous on the Internet. The confusion also surprises Charlie Le Hoangan: “The objective is not at all the same. What these “online VPN” services sell is anonymization; they allow the user who does not want to be spotted or traced to connect via a server acting as a relay. The term “VPN” in this case is purely commercial. »
Undersized VPNs?
The massive use of teleworking has often led to VPN sizing problems. Faced with this type of influx, server saturation is inevitable.
An effective and long-term VPN cannot be improvised. “To increase the number of accesses, the company is obliged to equip itself more heavily, with professional equipment and servers sized to support thousands of connections. We must therefore move from a simple installation of software for a handful of people to much more expensive equipment which no longer has anything to do with it. (…) The computing power required for encryption of communications is much greater and must be done with suitable machines. »
VPN in practice
At the company level
The first problem? Common misconceptions regarding security… “A VPN is not necessarily secure. Some techniques only do traffic separation. Using a secure VPN means that cryptology techniques have been implemented to, in a simplified way, encrypt the data so that it cannot be intercepted. »
For this, the company may have the solution of relying on an operator. Thus, to connect to the company network, teleworkers will go through the operator's systems. They are the ones who will separate the traffic. This is what we call “Trusted” VPN. But using this technique in a secure manner requires the company to also equip itself on site. That is to say, to begin with, have client software installed on your employees' computers. It will allow secure dialogue with the VPN servers installed on the premises (key exchange, cryptology, etc.). Once everything is in place, the teleworker will only have to activate the software installed on their laptop.
At the individual level
Individually, it's just as important to have some basic VPN best practices. “You have to remember that it’s a tool to connect to the business. From there, everything you do can impact the business. This means that you should only open the VPN for strictly professional use.. It must be cut for any personal use, and think also to cut it off at the end of his working day. Partition. An attack or intrusion through your computer while the VPN is running impacts the company's servers. »
When it comes to cybersecurity, awareness and regular training among employees are essential. And the VPN issue is no exception. Providing access to the VPN client to your employees means, after all, that you are expanding the space of the company's network. It no less needs to be secure under these conditions. A good, poorly configured or poorly used tool is no longer an asset but a risk.
Especially since, for Le Hoangan, the VPN is set to continue to be democratized with the practice of teleworking: “The health crisis and the resulting confinement made us understand that teleworking was becoming inevitable these days. However, anticipating the introduction of teleworking means having given ourselves the means to correctly develop, and in the most secure way possible, the tools that accompany it: an optimal configuration of VPNs, but also of firewalls, the installation of antivirus in communication systems, etc. » Because, in the end, the VPN is only one tool in a vast system to be put in place. And you have to start somewhere.
*Charlie the Hoagan
Telecom specialist consultant. After working for 10 years for large manufacturers, he created his own structure in 1989, through which he offers his consulting services in computer networks, and in particular in terms of security. It was also since 1989 that he began giving training on these same subjects.
Our best training
- VPN security, wireless and mobility, summary
- Cisco, implementation of MPLS solutions
- Fortinet, network security