Security Risks – Business to Business VPNs
What are B2B VPN
Many companies need direct connectivity with other trusted organizations to do business. A cost-effective way to setup these connections is to create a business to business virtual private network also known as a B2B VPN. VPN is a technology that allows for two geographically separate networks to connect and share data across insecure networks like the Internet. B2B VPN tunnels often use the IPsec suite of protocols to establish, secure and maintain these connections.
IPSec VPNs work in two phases. The first phase is to establish a secure way to communicate over the Internet or other unsecured network. In this initial phase, VPN gateways located at each end utilize the Internet Key Exchange (IKE) protocol to create and secure the initial communication path. There are several settings used by IKE that the gateways on each side of the tunnel must exchange and agree upon before the initial communication path can be established.
In phase two, settings are exchanged between the VPN gateways to create and secure the actual tunnel that will carry the data traffic. Once the phase two settings, such as hashing, encryption and lifetime settings are exchanged, and both sides of the VPN agree, then the tunnel is ready to send and receive network traffic in a secure way on the untrusted network.
Figure 1 Image from Ciscopress.com
Complexity and Communication
For a VPN tunnel to establish secure connectivity and transmit data, both sides must agree on security settings during the two phases of VPN negotiation. If there is a mismatch anywhere in the sequence, the VPN connection will not be established. Often VPN gateway vendors, like Cisco, Fortinet or Palo Alto, utilize different setting types, configuration parameters and naming conventions. Getting two company’s IT security personnel to communicate and agree on VPN tunnel configuration parameters can become a major roadblock. These issues slow down critical projects, cause headaches for staff that rely on the VPN connection and increases IT employee/vendor labor costs. To get around this, companies often develop proprietary configuration forms/diagrams and then attempt to email then back and forth until everyone agrees on what settings should be used. Lack of effective communication can increase the amount of time it takes to complete VPN tunnel setup by weeks, costing the company in lost productivity and delayed business initiatives.
Security Risks
When data and server access through the B2B VPN tunnel becomes complex, novice and untrained security personal can inadvertently enable connectivity to networks and systems not required by the connected entity. VPN tunnel access configuration can be complex, and it is very common for engineers to cut corners in the attempt to just “get it to work” and inadvertently provide the connected entity access to ports, IP addresses, servers and data not required or approved. These types of mistakes open huge security risks for both organizations. Often these security holes can be out there for years without anyone knowing until they are found and exploited by hackers. In addition, once the tunnels are setup, it is common for them to be forgotten and final configuration changes not documented properly. Some organizations have hundreds or even thousands of B2B VPN tunnels and without proper documentation it becomes impossible to effectively manage VPN security or even know if you have a potential problem. As security technologies change, it also becomes impossible to keep the most current encryption and hashing algorithms up to date to make sure hackers cannot intercept, decode and steal your valuable company data.
Remediation of Risk
There is a prescriptive method that can be used to identify and remediate the types of security risks described above. Depending on the number of B2B tunnels your organization has, it can take anywhere from a week to several months to identify, document and remediate security problems within your B2B VPN environment.
Basic steps are:
- Audit and Document. Audit all devices where VPN tunnels are configured to document the configuration, security settings, server/data/port access allowed and remote company/termination points.
- Identify and Validate. Refer to your current documentation to determine if the VPN is valid and still required. For tunnels not documented, work with your internal IT staff and business departments to verify each tunnel’s validity. Contact the remote companies to discuss connectivity with their IT and business departments.
- Shutdown Unvalidated Tunnels. Shutdown any tunnels that cannot be validated. It is recommended to keep the tunnel configuration and shut it down within the software first, so it can be re-enabled quickly if found to be valid at a later date. If there is no business impact within 2-3 weeks of shutting a tunnel down, you normally can remove it from the VPN gateway configuration.
- Upgrade Security Technology. Analyze all remaining tunnels to make sure they are at the latest security levels. Upgrade the configuration of any tunnel that is not in compliance with the recommended security levels. This will involve contacting the company at the other side of the tunnel and coordinating configuration changes on the VPN gateways on both sides simultaneously.
- Document, Document, Document. Once you have gone through all the work of securing your B2B VPN environment make sure to clearly and consistently document all active connections. Use a cloud hosted or internal documentation system that provides consistency and availability in the event IT security or management leave the company. This information should be safeguarded and be part of your overall cybersecurity plan.
VPNinform – Cloud-based B2B VPN Management Platform
VPNinform is a secure, cloud-based collaboration platform created by 3KeyLogic that is designed to enhance business-to-business VPN connection security. It incorporates security best practices and guidance for VPN tunnels to reduce security risks. An encrypted and easy to use web-based platform supports your IT security team with a real time collaboration and workflow automation tool saving time and keeping unencrypted network diagrams and contact information out of email while providing a high level of visibility to security and compliance teams.
Benefits:
Secure Collaboration. Negotiate B2B VPN tunnels with secure communication. Stop sending insecure emails of documents and diagrams filled with network information.
Automatic Documentation. VPN documentation and diagrams are created and kept within the system, updated automatically and always complete and accessible.
Audit Logging. All activity and changes are logged. Saved diagrams leaving the system are marked with the date, time, and user who downloaded them.
Reporting and Visibility. The system provides reports and visibility into your B2B VPN environment. Information like how many connections, who they terminate to and which tunnels are using old security protocols are easily accessible.
Tunnel Advisor. Cyber security guidance is built into the product. Secure defaults are provided to help get B2B VPN tunnels up and running quickly by providing advice on tunnel configurations.
Workflow Automation. Effortlessly implement workflow for peer review and security review before any tunnel is approved for implementation.
Try it out here: www.vpninform.com