@RubenDF wrote:
I'd like to have your input related with the inspection of VPN traffic. I am currently performing a review of some VPN tools used in a company and what I've seen so far is that unencrypted VPN traffic is not inspected.
Ruben,
You have identified one aspect of an important issue. I suggest you take a step back to analyze several parts of your company's security policies and practices. Consider the following topics:
1. Management of encrypted traffic, to include your own enterprise VPN server supporting external communications, external server to internal computer https or TLS, internal computer VPN client to external VNP host, and encrypted peer-to-peer connections from within your enterprise.
2. Policies on traffic inspection: what, when, how much, log storage and delayed inspection versus real-time flagging, etc.
3. Management of enterprise employee devices and configurations used for external communication back into the enterprise: BYOD? Only enterprise owned and issued devices? Configuration control? Important, as Rachel @AppDefects pointed out, policy and enforcement on split tunnels on external devices.
4. What are your employee privacy policies and implementations, especially for legally protected data such as Privacy Act and HIPPAA communications?
5. Are you subject to laws that either mandate or restrict access to certain information flowing in the traffic, such as GDPR, CCPA, others?
Your initial question does not have enough context detail to really answer your question, but I would ask a couple of questions:
What inspection do you do of data arriving at your enterprise boundary that is not encrypted?
For your enterprise boundary VPN gateway, do you at least provide the same level of inspection to the decrypted traffic that you apply to unencrypted traffic?
Good luck. You have identified an important area of InfoSec that requires knowledgeable work by IT techs, infoseccers, lawyers, and compliance officers.
Stay healthy!
Craig
