Due to the COVID-19 pandemic, more employees are working from home than ever before. According to a Stanford study, 42 percent of the U.S. labor force now works from home full-time. Unfortunately, cyber criminals have quickly picked up on this and begun to prey on remote workers who haven’t been properly equipped to work remotely in a secure fashion.
Suffice it to say, this new reality needs to be met with changes that directly address our new work from home culture. The main concern for organizations moving forward is maintaining network security, which has rightfully led many companies to use a VPN to protect their remote workers. However, a remote access VPN gateway is a highly trusted device: whoever gets through it is typically given access to all sorts of company data, so a compromised VPN account hands a cyber criminal that same access.
VPN is a great first step, but it’s not an airtight security measure all by itself. When trusting your employees with company data, it’s important to take every precaution into consideration. The best method available is to authenticate VPN logins against your RADIUS server using certificate-based EAP-TLS, the same 802.1X-style authentication that protects the office network, rather than relying on the VPN gateway’s own password database.
Why Use a VPN for Remote Access?
Virtual Private Networks (VPN) protect your traffic by sending it through an encrypted tunnel to a VPN server instead of directly across the local network and your ISP. The goal is keeping your private information private: anyone sitting between your device and the VPN server, whether a hacker on the same Wi-Fi, a corporation, or a government, sees only encrypted traffic, not its contents.
The primary reason organizations implement VPN isn’t actually the encrypted tunnel or traffic masking itself; it’s usually to allow remote devices to be “virtually present” so they can connect to the on-premise network and the resources contained therein. In practice that means the remote client is placed onto an internal network segment, often a dedicated VLAN (Virtual Local Area Network), with the same reach a desk in the office would have.
The issue stems from employees having access to company data at home. Every employee becomes a potential starting point for an attack, through negligence if not malicious intent. This is one reason that group policies are so important. Employees need to be categorized into groups with different levels of permissions, to limit the damage any one user, or any one stolen account, could potentially cause.
In normal circumstances, group policy and user segmentation are handled in the background by the RADIUS server: it looks the user up in the directory and returns the group’s attributes (for example a VLAN assignment or an access list) in its Access-Accept, and the firewall or access point enforces them. However, depending on the configuration and capabilities of your firewall, access points, and VPN gateway, this may not work end to end. Indeed, some VPNs don’t have the ability to reference your user directories at all.
RADIUS Authentication With VPN for Secure Remote Access
The solution to these potential security lapses of VPN is simple: use your RADIUS server for VPN authentication.
Yes, you can use your organization’s RADIUS server to authenticate remote users. The VPN gateway is configured as a RADIUS client, just like an office access point, and forwards each login attempt to the RADIUS server; the remote device is then authenticated and authorized by the same on-premise RADIUS that protects the office network. A Cloud RADIUS service does the same job without requiring the gateway to reach a server inside your perimeter, which makes it easier to deploy and keeps the authentication path separate from the network it protects.
The benefits of using your RADIUS in conjunction with VPN for remote access are twofold:
- It’s more secure. The VPN gateway forwards each login to the RADIUS server, and only users who pass RADIUS authentication are granted network and resource access. Doubling up on protection keeps your traffic safe at all stages of the process.
- If your firewall, access point, or VPN gateway doesn’t support user attributes or directory referencing, you can still use your RADIUS server to implement security policies, because the accept-or-reject decision is made on the RADIUS side, where your groups and directory already live.
In fact, using your RADIUS server to authenticate users, instead of the VPN gateway’s own local user database, is the security best practice no matter the situation. You don’t leave your network security to a third party in normal circumstances, so why start now? This method ensures that ultimate control is still in your hands.
How to Enable 802.1X VPN Authentication
The most secure form of RADIUS authentication uses the EAP-TLS protocol, which authenticates users with digital certificates instead of credentials. Certificates eliminate password-based authentication and with it the security risks usually associated with passwords: there is no password to phish, and because EAP-TLS is mutual (the client validates the RADIUS server’s certificate while the server validates the client’s), a rogue gateway or evil-twin access point cannot harvest anything from the exchange. You also have complete transparency over who is using your network, since every connection is tied to an issued certificate. One caveat: a certificate is a public document, so what has to be protected is the matching private key. Generate it on the device and keep it non-exportable (in a TPM or the OS keystore) so that a copied certificate file is useless to an attacker.
While certificates can prevent the credential theft that targets VPN users, many sysadmins are unclear about how to implement them. One of the main reasons is that Public Key Infrastructures (PKI), which are required to issue and manage certificates, were once incredibly complex systems to configure and maintain.
To use certificates for VPN, you just need to do a couple of things.
- Enroll end devices or security keys for client certificates
- Upload your Root or Intermediate CA to your firewall, VPN gateway, and RADIUS server. The RADIUS server uses it to validate client certificates; make sure the clients are also configured to validate the RADIUS server’s certificate, otherwise the mutual-authentication benefit is lost.
If this seems at all difficult, SecureW2 is here to help. Our #1 rated VPN certificate enrollment software integrates with any SAML or LDAP directory and any VPN vendor. You can easily allow any end user to get authenticated and self-enroll their device for a certificate.
Once a user has been enrolled for a certificate, the RADIUS server can use the identity and attributes in that certificate to look up the level of permissions the user has. You can create and customize group security policies to segment users into different levels of resource access, and control who has access to Wi-Fi, VPN, and other company resources.
Cloud RADIUS in particular is a great solution for VPN security. Check out our pricing page and we can get you set up with a state of the art VPN solution that ensures your company’s resources stay private.
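As an added example (this is not SecureW2’s code or any vendor’s), the following Go program shows what the two steps above and the group-policy lookup look like on the RADIUS side. An in-memory CA stands in for your PKI, the uploaded Root CA is simply a certificate pool, and Authorize performs the checks a RADIUS server makes on the certificate a client presents during EAP-TLS before mapping the certificate’s OU to a policy. All device names, group names, VLAN numbers and ACL names are constructed for the example, and the Policy struct is a simplified stand-in for the RADIUS attributes (Tunnel-Private-Group-ID, Filter-Id) a real server would return.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Policy stands in for what the RADIUS server returns in an Access-Accept (real servers send attributes
// such as Tunnel-Private-Group-ID for the VLAN and Filter-Id for an ACL). Groups, VLANs and ACL names are constructed.
type Policy struct {
	VLAN     int
	FilterID string
}

var groupPolicies = map[string]Policy{"Engineering": {VLAN: 20, FilterID: "eng-acl"}, "Finance": {VLAN: 30, FilterID: "finance-acl"}}
var Now = time.Date(2021, 3, 1, 12, 0, 0, 0, time.UTC) // fixed clock so the expiry case is reproducible

func must(err error) {
	if err != nil {
		panic(err) // fixture construction only; a production server logs and rejects instead
	}
}

// template builds a CA certificate when ou is empty, otherwise a client certificate for a device in group ou.
func template(cn, ou string, notBefore, notAfter time.Time, eku x509.ExtKeyUsage) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	must(err)
	t := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature}
	if ou == "" {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.Subject.OrganizationalUnit = []string{ou}
		t.ExtKeyUsage = []x509.ExtKeyUsage{eku}
	}
	return t
}

// issue generates a P-256 key pair and signs tmpl with parentKey; a nil parent means self-signed (the CAs).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// Authorize applies the RADIUS-side EAP-TLS checks: chain to a trusted CA, validity window, client-auth EKU, then OU to policy.
func Authorize(roots *x509.CertPool, client *x509.Certificate) (Policy, error) {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: Now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := client.Verify(opts); err != nil {
		return Policy{}, fmt.Errorf("reject %s: %w", client.Subject.CommonName, err)
	}
	ou := strings.Join(client.Subject.OrganizationalUnit, "/") // "" when the certificate carries no OU
	policy, ok := groupPolicies[ou]
	if !ok {
		return Policy{}, fmt.Errorf("reject %s: no policy for group %q", client.Subject.CommonName, ou)
	}
	return policy, nil
}

// BuildScenario creates an in-memory corporate CA (the root the RADIUS server trusts), a rogue CA it does not,
// and client certificates exercising each branch of Authorize. Nothing here comes from a real deployment.
func BuildScenario() (*x509.CertPool, map[string]*x509.Certificate) {
	y := 365 * 24 * time.Hour
	corpCA, corpKey := issue(template("Corp Root CA", "", Now.Add(-y), Now.Add(10*y), 0), nil, nil)
	rogueCA, rogueKey := issue(template("Rogue CA", "", Now.Add(-y), Now.Add(10*y), 0), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(corpCA) // the "upload the Root CA to the RADIUS server" step
	clientAuth, serverAuth := x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth
	certs := map[string]*x509.Certificate{}
	certs["good"], _ = issue(template("alice-laptop", "Engineering", Now.Add(-y), Now.Add(y), clientAuth), corpCA, corpKey)
	certs["rogue-ca"], _ = issue(template("attacker", "Engineering", Now.Add(-y), Now.Add(y), clientAuth), rogueCA, rogueKey)
	certs["expired"], _ = issue(template("old-laptop", "Engineering", Now.Add(-2*y), Now.Add(-y), clientAuth), corpCA, corpKey)
	certs["wrong-eku"], _ = issue(template("web-server", "Engineering", Now.Add(-y), Now.Add(y), serverAuth), corpCA, corpKey)
	certs["no-group"], _ = issue(template("contractor", "Guests", Now.Add(-y), Now.Add(y), clientAuth), corpCA, corpKey)
	return roots, certs
}

func main() {
	roots, certs := BuildScenario()
	for _, name := range []string{"good", "rogue-ca", "expired", "wrong-eku", "no-group"} {
		p, err := Authorize(roots, certs[name])
		fmt.Printf("%-9s policy=%+v err=%v\n", name, p, err)
	}
}
```

Run it with go run: the laptop certificate issued by the corporate CA is accepted with the Engineering policy, while the certificate from the rogue CA, the expired one, the one issued for server authentication only, and the one whose group has no policy are each rejected with a distinct error. Revocation checking (CRL or OCSP) is deliberately left out of this model; a production RADIUS server needs it so that the certificate on a lost or stolen device can be cut off before it expires.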
*** This is a Security Bloggers Network syndicated blog from SecureW2 authored by Eytan Raphaely. Read the original post at: https://www.securew2.com/blog/secure-radius-authentication/