On the other hand, if the VPN is open to third parties, such as vendors or business partners, you may wish to consider placing these users in a dedicated, restrictive zone that limits their network access to the specific resources they must access to meet business requirements. This can be done by terminating the VPN connection in a firewall zone that explicitly controls the types of traffic that may cross from the VPN into your corporate network.
One solution I've seen used in many enterprises is to set up two or three different VPNs, designed for different uses. This can often be done with a single VPN appliance that provides role-based access. For example, you might set up the following groups on your VPN:
- System administrators
- Site-to-site VPNs
You can then assign different network privileges to each of these roles depending upon their business requirements. For example, you might grant the system administrators the ability to create administrative connections to servers using the SSH protocol, while vendors and regular employees would be denied that access.
Dig Deeper on VPN security
Related Q&A from Mike Chapple
Explore the differences between wired and wireless network security, and read up on best practices to ensure security with or without wires. Continue Reading
Choosing to encrypt confidential data with AES or DES encryption is an important cybersecurity matter. Learn about the important differences between ... Continue Reading
It's not possible to eradicate the risk of DoS attacks, but there are steps infosec pros can take to reduce their impact. Mike Chapple shares ... Continue Reading