By Jack R. Weiner, Network Engineer, Rush Copley Medical Center
Tuesday, December 5, 2017
Many of us have the task of connecting our network to trusted vendors and partners. While this makes it easier for business to get done, it can also open us to threats. Remember the Target hack? That was the worst possible result for a point-to-point VPN. Target had set up a VPN between their network and a small HVAC vendor that had only one IT person on staff. This was the vector the attackers exploited to access the Target network.
There are several preventative measures you can take to make your network as secure as possible.
1. Define the networks on each side to the smallest size possible.
In PAN-OS, these are the Proxy IDs. The best possible case is a single host address on each side, for both the local and the remote network. Often you will be asked, or pressured, to include larger networks to make things “easier.” Do not do it. Narrowly defining the scope of the VPN narrows the scope of the threat to your organization.
2. Define the allowed applications as narrowly as possible.
In the security rules for the tunnel traffic, specify the applications explicitly and make sure the service is set to application-default, so each application is only permitted on its standard ports. As above, it will be “easier” to open the rules up, but easier is also a lot less secure. I will often start with only one or two applications allowed, and then observe the traffic and add applications as needed.
3. Monitor and remediate.
Any security policy needs to be continuously monitored and adjusted; constant monitoring is what makes a security policy succeed. As mentioned above, I will monitor and add applications as needed for the business need, but will often ask the other side why I am seeing questionable traffic coming my way. By questioning possible bad traffic, you end up helping your vendor/partner with security as well.
One difficulty I have experienced with point-to-point VPNs is being at the mercy of the other engineer, since you do not control both sides. Most of the time I have no problem working with others, but on occasion, I have worked with engineers who, for various reasons, were difficult. This can be due to inexperience, workload, or other reasons. While these variables make it challenging, do not use them as an excuse to loosen your security. In the final analysis, your organization’s security is worth more than the possible loss of a few days’ productivity.
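As an added example (not from the original post, and not Palo Alto Networks code), here is a small audit script that applies the three points above to a constructed PAN-OS-style configuration excerpt: it flags proxy IDs wider than a single host and VPN-zone rules that allow any application or skip application-default. The XML element paths and the zone name vpn-vendor are assumptions modelled on the PAN-OS config layout, not a vendor-documented schema.

```python
# Added example: audit a constructed PAN-OS-style config excerpt for the three checks in the post.
# Element paths (ipsec/entry/auto-key/proxy-id, rulebase/security/rules) are assumed, not vendor-documented.
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
<network><tunnel><ipsec><entry name="vendor-hvac"><auto-key><proxy-id>
  <entry name="pid-1"><local>10.1.1.5/32</local><remote>192.0.2.10/32</remote></entry>
  <entry name="pid-2"><local>10.0.0.0/8</local><remote>192.0.2.0/24</remote></entry>
</proxy-id></auto-key></entry></ipsec></tunnel></network>
<vsys><entry name="vsys1"><rulebase><security><rules>
  <entry name="vendor-rdp"><from><member>vpn-vendor</member></from>
    <application><member>ms-rdp</member></application>
    <service><member>application-default</member></service><action>allow</action></entry>
  <entry name="vendor-wide"><from><member>vpn-vendor</member></from>
    <application><member>any</member></application>
    <service><member>any</member></service><action>allow</action></entry>
</rules></security></rulebase></entry></vsys>
</entry></devices></config>"""  # constructed sample data, not a real device config


def audit_proxy_ids(root, max_hosts=1):
    """Point 1: flag proxy IDs whose local or remote side covers more than max_hosts addresses."""
    findings = []
    for pid in root.iterfind(".//ipsec/entry/auto-key/proxy-id/entry"):
        for side in ("local", "remote"):
            net = ipaddress.ip_network(pid.findtext(side), strict=False)
            if net.num_addresses > max_hosts:
                findings.append((pid.get("name"), side, str(net)))
    return findings


def audit_vpn_rules(root, vpn_zone):
    """Points 2 and 3: flag allow rules from the VPN zone with 'any' application or a non-default service."""
    findings = []
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        zones = [m.text for m in rule.iterfind("from/member")]
        if vpn_zone not in zones or rule.findtext("action") != "allow":
            continue
        apps = [m.text for m in rule.iterfind("application/member")]
        services = [m.text for m in rule.iterfind("service/member")]
        if "any" in apps:
            findings.append((rule.get("name"), "application any"))
        if "application-default" not in services:
            findings.append((rule.get("name"), "service not application-default"))
    return findings


def run_audit(xml_text=SAMPLE_CONFIG, vpn_zone="vpn-vendor"):
    root = ET.fromstring(xml_text)
    return {"proxy_ids": audit_proxy_ids(root), "rules": audit_vpn_rules(root, vpn_zone)}
```

Run the audit against an exported running config and review every finding with the business owner before widening anything.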
VPNs, or firewalls for that matter, do not exist in a vacuum. We use several other security technologies in a layered approach, to provide as secure an environment as we possibly can. Our Palo Alto Next Generation Firewalls (NGFWs) are certainly a backbone of our security efforts, but they are not the only tools in our toolbox.
I have been very lucky to have the support of management in my organization to make sure we configure point-to-point VPNs in the most secure manner possible. This has allowed us to continue to work in a framework of security policies which promote the safety of our network, and our data, above all else.
Jack Weiner is a Fuel User Group member and Network Engineer at Rush Copley Medical Center. He has worked in the IT arena for 20+ years, including teaching the Cisco Networking Academy in the Chicago Public Schools. He has been with Rush Copley for the past 13 years.
Earlier this year, Jack presented on point-to-point VPNs at the Spark User Summit in Chicago. Visit the Fuel events page to learn about future Spark User Summits.