RubenDF
Newcomer I

Unencrypted VPN Traffic Inspection

Dear colleagues,

I hope you're doing well.

I'd like to have your input related to the inspection of VPN traffic. I am currently performing a review of some VPN tools used in a company, and what I've seen so far is that unencrypted VPN traffic is not inspected.

Considering that firewall capabilities when it comes to inspecting encrypted traffic are limited, do you think it makes sense to review the traffic unencrypted by the VPN appliance / server?

Relevant to say is that these VPN tools are used not only by employees (with company laptops) but also by third parties, for which the company has no control at all over the devices used (e.g., no 'health checks' on antivirus, patches, etc.), and in some cases, access to the network may not even be properly restricted to the minimum resources required.

Any feedback is welcome!

Thanks!

Regards,

4 Replies
AppDefects
Community Champion


@RubenDF wrote:

Dear colleagues,

I hope you're doing well.

I'd like to have your input related to the inspection of VPN traffic. I am currently performing a review of some VPN tools used in a company, and what I've seen so far is that unencrypted VPN traffic is not inspected.

It never ceases to amaze me how some IT shops configure their VPNs. Throw the audit findings book at them. Get them to change. Encrypt everything. Just say no to split tunneling!

CraginS
Defender I


@RubenDF wrote:

I'd like to have your input related to the inspection of VPN traffic. I am currently performing a review of some VPN tools used in a company, and what I've seen so far is that unencrypted VPN traffic is not inspected.

Ruben,

You have identified one aspect of an important issue. I suggest you take a step back to analyze several parts of your company's security policies and practices. Consider the following topics:

1. Management of encrypted traffic, to include your own enterprise VPN server supporting external communications, external server to internal computer HTTPS or TLS, internal computer VPN client to external VPN host, and encrypted peer-to-peer connections from within your enterprise.

2. Policies on traffic inspection: what, when, how much, log storage and delayed inspection versus real-time flagging, etc.

3. Management of enterprise employee devices and configurations used for external communication back into the enterprise: BYOD? Only enterprise owned and issued devices? Configuration control? Important, as Rachel @AppDefects pointed out, policy and enforcement on split tunnels on external devices.

4. What are your employee privacy policies and implementations, especially for legally protected data such as Privacy Act and HIPAA communications?

5. Are you subject to laws that either mandate or restrict access to certain information flowing in the traffic, such as GDPR, CCPA, others?

Your initial question does not have enough context detail to really answer your question, but I would ask a couple of questions:

What inspection do you do of data arriving at your enterprise boundary that is not encrypted?

For your enterprise boundary VPN gateway, do you at least provide the same level of inspection to the decrypted traffic that you apply to unencrypted traffic?

Good luck. You have identified an important area of InfoSec that requires knowledgeable work by IT techs, infoseccers, lawyers, and compliance officers.

Stay healthy!

Craig

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts
RubenDF
Newcomer I

Hi Craig,

Thanks for your input!

Let me give you a bit of context on where this is coming from. Due to the Covid-19 situation, we thought it was relevant to take a look at the technologies and systems that were allowing us to work from home, VPN being one of them. The idea of the review was to ensure that they were securely configured (privacy concerns have not been considered as part of the assessment).

Some additional information:

  • Internet traffic hits the perimeter firewall before being routed to any internal resource
  • As far as we know, decrypted VPN traffic is not inspected (this is the origin of my question)
  • No BYOD is allowed but, as mentioned, third-party devices (with no control from us) are allowed to VPN (after an account has been set up, of course)
  • Split tunnelling, interesting topic. Forbidden by policy, but allowed in most of the cases (even though there are some compensating controls such as the use of cloud web proxies, etc.).

The idea was to have an understanding from experienced Infosec people if it makes sense (no matter which internal policies we have) to inspect decrypted VPN traffic (always, only if we are doing the same for internal unencrypted traffic, etc...)

Regards,

Ruben
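One way to turn the "forbidden by policy but configured in most solutions" split-tunnelling point above into a repeatable audit check, as an added example that is not code from this thread or from any vendor: it assumes OpenVPN-style client profiles (the directive names are real OpenVPN options; the two sample profiles and the hostname are constructed) and classifies each profile as full tunnel, split tunnel, or dependent on what the server pushes.

```python
"""Audit OpenVPN-style client profiles for split-tunnel indicators (added example)."""
import shlex


def audit_profile(text):
    """Return {'mode': 'full'|'split'|'server-dependent', 'findings': [...]}."""
    full_tunnel = False
    findings = []
    in_block = False  # inside an inline <ca>/<cert>/<key> block
    for raw in text.splitlines():
        stripped = raw.strip()
        if in_block:
            if stripped.startswith("</"):
                in_block = False
            continue
        if stripped.startswith("<"):
            in_block = True
            continue
        line = stripped.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        name, *args = shlex.split(line)
        if name == "redirect-gateway":          # all client traffic goes through the tunnel
            full_tunnel = True
        elif name == "route":                   # explicit per-network route = split routing
            findings.append("route " + " ".join(args))
        elif name == "route-nopull":            # client ignores routes pushed by the server
            findings.append("route-nopull (pushed routes ignored)")
        elif name == "pull-filter" and args[:1] == ["ignore"] and any(
                "redirect-gateway" in a for a in args[1:]):
            findings.append("pull-filter ignore redirect-gateway")
    mode = "full" if full_tunnel else ("split" if findings else "server-dependent")
    return {"mode": mode, "findings": findings}


# Constructed sample profiles (hostname and inline block are placeholders, not real data).
FULL_TUNNEL_PROFILE = """\
client
dev tun
remote vpn.example.invalid 1194   # constructed hostname
redirect-gateway def1
<ca>
MIIBconstructedNotARealCert==
</ca>
"""

SPLIT_TUNNEL_PROFILE = """\
client
dev tun
remote vpn.example.invalid 1194
route-nopull
route 10.10.0.0 255.255.0.0    ; only the internal range goes through the tunnel
pull-filter ignore "redirect-gateway"
"""
```

A "server-dependent" result means the profile itself is silent and the real behaviour is decided by what the VPN server pushes, so that side needs to be checked separately.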

RubenDF
Newcomer I

Thanks @AppDefects!

Split tunnelling is always interesting... Forbidden by policy but configured in most solutions due to 'operational' constraints...