Blog post

Introducing new guidance on Virtual Private Networks (VPNs)

Created:  01 Aug 2017
Updated:  01 Aug 2017
Author:  Andy P

To help you decide on your approach to using a VPN for remote access, we have just released our new VPN guidance.

We know many of you struggle with the multitude of configuration options and products available when making decisions on VPN use, and we've received questions on Twitter too. So we've taken the opportunity to add to our existing EUD content with some additional VPN-specific recommendations. 

Aimed primarily at enterprise administrators and risk owners, the new guidance should help you to understand the characteristics of VPNs, and their implications in terms of risk.

We've also clarified our position on a number of points, including the choice of protocol used by VPNs and whether to use forced or optional routing for your data. These should help to explain why our per-platform EUD security guidance makes the recommendations it does.

As always, if you have any feedback on our guidance, please use the Contact Us page to get in touch.

6 comments

Chris Elliott - 03 Aug 2017
This is really useful - thank you for the updated guidance. I am interested in whether you have any views on what we should do in our organisation as our particular VPN product doesn't support either Foundation or PRIME. It looks like it supports Foundation but only for IKEv2 - is there any risk to be aware of for this? Also, should we go for AES-128 or 256? We have had conflicting advice on which is preferable. Many thanks!
Andy P - 07 Aug 2017
If you can’t get either of those profiles configured exactly in your product, try and get as close to either of those profiles as possible to minimise risk. In particular, one combination we see often is to use IKEv2 with the algorithms specified for Foundation, which is a reasonable thing to do. In any case, using either AES key length is fine too.
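The combination the reply describes (IKEv2 carrying the Foundation algorithm set) expressed as a strongSwan swanctl.conf fragment. This is an added, constructed example and not configuration from the guidance or the NCSC; the algorithm set (AES-128-CBC, HMAC-SHA-256, DH group 14, RSA certificate authentication) is assumed from NCSC's published Foundation profile, and the addresses, identities and file names are placeholders.

```conf
# swanctl.conf (strongSwan) -- constructed example, not the guidance's own config.
# Assumption: the Foundation algorithm set is AES-128-CBC, HMAC-SHA-256,
# DH group 14 (modp2048) and RSA-2048 certificate auth, carried here over
# IKEv2 rather than the profile's IKEv1, as the reply above describes.
connections {
    remote-access {
        version = 2                           # IKEv2 only; no IKEv1 fallback
        local_addrs = 203.0.113.10            # placeholder gateway address
        proposals = aes128-sha256-modp2048    # Foundation IKE algorithms
        # aes256-sha256-modp2048 is an equally acceptable choice per the reply
        rekey_time = 24h
        local {
            auth = pubkey                     # gateway authenticates with its certificate
            certs = gateway.pem               # placeholder file name
            id = vpn.example.org              # placeholder identity
        }
        remote {
            auth = pubkey                     # clients must present a certificate
            cacerts = ca.pem                  # placeholder CA that issued client certs
        }
        children {
            corp {
                local_ts = 0.0.0.0/0          # forced routing: all client traffic via the tunnel
                esp_proposals = aes128-sha256 # Foundation ESP algorithms
                rekey_time = 1h
                dpd_action = restart          # re-establish if the peer stops responding
            }
        }
    }
}
```

Check the loaded proposals with `swanctl --list-conns` after `swanctl --load-all`; the listed IKE and ESP proposals should contain only the algorithms above.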
Martin - 08 Aug 2017
The Guidance says "Helpers are available as a third-party application for some other platforms, such as Windows 10." Can you give some examples, as a quick Google didn't turn up any?
Andy P - 09 Aug 2017
Hi Martin. Feel free to get in touch with us about your request via www.ncsc.gov.uk/contact and reference the blog and guidance. We can then contact you directly.
Tony B - 10 Aug 2017
First thanks for this website and the blog - it's the first time I've come across security related information that recognises that not all businesses are run on 1000s of Windows machines linked via ethernet in a soulless office building on the outskirts of Slough! Perhaps inevitably though it is still largely directed at "enterprises" and this idea of a mandatory VPN == Good Practice is an example of something that is hard for smaller businesses to deal with. In my small business pretty much all our software is browser based (https obviously) except Google Drive for sharing files. Therefore we don't have an internal network or servers running SMB etc. I suspect that if we tried to install a VPN in our office we would probably be opening up a much larger attack surface with the only benefits being points 6 and 7 in your Why use a VPN? list (i.e. traffic monitoring). Do you have any suggestions for smaller businesses? Can we get the benefits of traffic monitoring without using a VPN?
Andy P - 16 Aug 2017
Hi Tony, you raise a good point about the challenges and marginal benefits of using a VPN in small businesses. The use of cloud services is clearly important to many organisations of that size, and they may not even have a “core network” to VPN back into. There are a few options available to such organisations, including:
• Using a proxy server instead of a VPN to audit web browsing traffic, and enforcing its use by policy;
• Extracting usage logs from your cloud services;
• Using EUD client configuration or third-party apps to block unwanted content;
• Using BYOD-like container apps to provide secure enterprise connectivity.
An Always On VPN might not always be the best solution for some scenarios. If only a couple of the reasons we highlight for using a VPN matter to you, then some of the benefits an AoVPN provides may not be needed, and other approaches would be fine too. In the longer term, it’s likely that many other organisations will move to having very little infrastructure themselves and will need to adopt this way of working. Google have done some studies on how this is likely to work with their BeyondCorp projects (https://cloud.google.com/beyondcorp/), which makes for interesting reading. We’ve already blogged about some of the benefits of this approach, including allowing you to spend your local security effort on problems unique to your own organisation, rather than worrying about patching and maintenance of your own services (https://www.ncsc.gov.uk/blog-post/debunking-cloud-security-myths).
