Blog post

Introducing new guidance on Virtual Private Networks (VPNs)

Created:  01 Aug 2017
Updated:  01 Aug 2017
Author:  Andy P

To help you decide on your approach to using a VPN for remote access, we have just released our new VPN guidance.

We know many of you struggle with the multitude of configuration options and products available when making decisions on VPN use, and we've received questions on Twitter too. So we've taken the opportunity to add to our existing EUD content with some additional VPN-specific recommendations.

Aimed primarily at enterprise administrators and risk owners, the new guidance should help you to understand the characteristics of VPNs, and their implications in terms of risk.

We've also clarified our position on a number of points, including the choice of protocol used by VPNs and whether to use forced or optional routing for your data. These should help to explain why our per-platform EUD security guidance makes the recommendations it does.

As always, if you have any feedback on our guidance, please use the Contact Us page to get in touch.

11 comments

Chris Elliott - 03 Aug 2017
This is really useful - thank you for the updated guidance. I am interested in whether you have any views on what we should do in our organisation, as our particular VPN product doesn't support either Foundation or PRIME. It looks like it supports Foundation but only for IKEv2 - is there any risk to be aware of for this? Also, should we go for AES-128 or 256? We have had conflicting advice on which is preferable. Many thanks!
Andy P - 07 Aug 2017
If you can’t get either of those profiles configured exactly in your product, try and get as close to either of those profiles as possible to minimise risk. In particular, one combination we see often is to use IKEv2 with the algorithms specified for Foundation, which is a reasonable thing to do. In any case, using either AES key length is fine too.
Martin - 08 Aug 2017
The guidance says "Helpers are available as a third-party application for some other platforms, such as Windows 10." Can you give some examples, as a quick Google didn't turn up any?
Andy P - 09 Aug 2017
Hi Martin. Feel free to get in touch with us about your request via www.ncsc.gov.uk/contact and reference the blog and guidance. We can then contact you directly.
Tony B - 10 Aug 2017
First thanks for this website and the blog - it's the first time I've come across security related information that recognises that not all businesses are run on 1000s of Windows machines linked via ethernet in a soulless office building on the outskirts of Slough! Perhaps inevitably though it is still largely directed at "enterprises" and this idea of a mandatory VPN == Good Practice is an example of something that is hard for smaller businesses to deal with. In my small business pretty much all our software is browser based (https obviously) except Google Drive for sharing files. Therefore we don't have an internal network or servers running SMB etc. I suspect that if we tried to install a VPN in our office we would probably be opening up a much larger attack surface with the only benefits being points 6 and 7 in your Why use a VPN? list (i.e. traffic monitoring). Do you have any suggestions for smaller businesses? Can we get the benefits of traffic monitoring without using a VPN?
Andy P - 16 Aug 2017
Hi Tony, you raise a good point about the challenges and marginal benefits of using a VPN in small businesses. The use of cloud services is clearly important to many organisations of that size, and they may not even have a “core network” to VPN back into. There are a few options available to such organisations, including:
• Using a proxy server instead of a VPN to audit web browsing traffic, and enforcing its use by policy;
• Extracting usage logs from your cloud services;
• Using EUD client configuration or third-party apps to block unwanted content;
• Using BYOD-like container apps to provide secure enterprise connectivity.
An Always On VPN might not always be the best solution for some scenarios. If only a couple of the reasons we highlight for using a VPN matter to you, then some of the benefits an AoVPN provides may not be needed, and other approaches would be fine too. In the longer term, it’s likely that many other organisations will move to having very little infrastructure themselves and will need to adopt this way of working. Google have done some studies on how this is likely to work with their BeyondCorp projects (https://cloud.google.com/beyondcorp/), which makes for interesting reading. We’ve already blogged about some of the benefits of this approach, including allowing you to spend your local security effort on problems unique to your own organisation, rather than worrying about patching and maintenance of your own services (https://www.ncsc.gov.uk/blog-post/debunking-cloud-security-myths).
Kevin - 20 Oct 2017
I have a home PC which is connected to the router, adjacent to my PC, by WiFi. My antivirus software provider Norton has advised about KRACK and wants me to download and install their VPN. I do not have the IT technical skills to understand what a VPN is or how KRACK might affect my single PC. Therefore I am loath to install a VPN from any provider in case it makes changes to my PC and how it operates that I don't understand. If I connect my PC to the router by cable, will that help prevent the problem?
Andy P - 23 Oct 2017
Our VPN guidance is really aimed at businesses enabling remote working for employees using a VPN, rather than your use case as a home user. In your case, have a look at our guidance on KRACK (https://www.ncsc.gov.uk/krack). Whilst using a commercial VPN service might help reduce the risk of someone nearby reading your data, as you say - using a network cable instead of WiFi would too. You can also see if your devices (including the router) can be updated to fix the vulnerability. Also have a think about how likely it is that someone is going to target you for attack, and what the impact of the attack would be. Only attackers close to your network can attack you and secure web browsing is not affected, so you might decide there’s not enough risk left to worry about.
Tom Davey - 23 Oct 2017
I understand your VPN guidance is aimed at business users, but do you have any guidance for the many users who access bank accounts etc. from external WiFi networks in cafes etc.? Is it worth the expense of using paid-for VPN apps in your opinion? I think thousands of private users have installed policies that automatically join BT, O2, GiffGaff etc. and may believe they are safe.
Alan - 24 Oct 2017
When validating the VPN connection, does NCSC recommend a physical 'hard' token, such as RSA, or can software based 'soft' tokens be used to authenticate? Some soft tokens can be installed on the device which will be used for the VPN connection so is convenient, but does that create other security issues? Asking for a friend. ;)
Isaiah - 03 Nov 2017
Hi, I'm part of a small company and was recently thinking about installing some third-party VPN software onto my laptop to allow me to work from cafes and other public places without the fear of being hacked and having my data stolen. However, I was discussing this with a friend yesterday and they claimed that VPNs have been illegal to use for private use since November last year, but when I googled whether they were or not I found out that they were not illegal, and now I am rather confused. Can you please shed some light on this subject in regard to the legality of VPNs and whether they will remain legal in the future? I look forward to your response, kind regards, Isaiah.