The current COVID-19 epidemic is changing the way people work, with many rapidly moving to working remotely, as I have done for 20 years. I am providing this advice for smaller businesses that should leverage virtual private networks (VPNs) to enhance their security. This by no means should be all you rely on, but it could be a simple, cost-effective way of adding an additional layer to your security posture in this changing environment.
VPNs offer great protection. Beyond the main discussion of this article, they are the second thing I generally recommend after using a password manager. As a supporter of internet privacy, I am especially concerned about internet service providers (ISPs) snooping on our online activity for profit. For this privacy protection alone, there are also browsers such as Opera.
Types of VPNs
Internet users may be used to two common VPN setups. The first is the larger corporate installation, such as we use here at Sucuri. All large corporations provide these to allow remote working and to protect data in transit between sites. The second is the commercial and free VPN products, which protect your browsing. You might use these while traveling for privacy and security. Or you might want to switch your location to access content normally restricted in your region, or to bypass political censorship, or maybe some other country has a better version of their streaming video service.
Corporate VPN setups are an expensive item, requiring considerable support to ensure employees are able to connect to their applications and data. They supply static IP addresses to their clients, whereas commercial VPNs do not provide the client with a static IP but do provide the protection of data in transit.
What is a VPN’s static IP address?
The static IP address provided by the VPN is, in effect, an additional credential when connecting to a resource. The VPN also encrypts the connection, which provides security and integrity. Our Web Application Firewall (WAF) leverages this for web applications: you might see the setting “Allow only whitelisted IP addresses access to admin pages”, which is a standard feature. Allowing only whitelisted IPs can often be burdensome when working from a mobile connection or a home cable ISP. These rarely provide a static IP, so you have to keep checking whether the IP address has changed and then whitelist the new address, maybe on more than one website. If this is the case, we suggest using a passcode or 2FA in addition to the application's login credentials.
But you may need access to many applications, such as email, database or file servers, where there are few options to add an additional layer of security for those working remotely. While they might not have a 2FA option, they will nearly always have an option to restrict access to a static IP. Commercial VPN products, which do not generally provide static IP addresses, are of no help here.
Adding an additional layer of protection
But you can set up a VPN server for you and your coworkers to use to add this additional layer of browser security and provide a static IP address to be whitelisted across your remote applications. This may be set up in your office or using a VPN or dedicated hosting server. These VPN server applications are nearly all built on Linux, with many being open source. There is a list maintained on GitHub. For myself, I tend to use an adapted version of this simple script that only takes a few minutes to set up.
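The allowlist check that a static VPN address makes practical is sketched below as an added example; it is not Sucuri's WAF code or anything from the original article. The address 203.0.113.10 (a documentation range) stands in for your VPN server's static IP, and the admin path prefixes are assumptions.

```python
import ipaddress

# Constructed values: 203.0.113.10 stands in for the VPN server's static IP
# (TEST-NET-3 documentation range); the admin prefixes are illustrative.
VPN_ALLOWLIST = [ipaddress.ip_network("203.0.113.10/32")]
ADMIN_PREFIXES = ("/wp-admin/", "/admin/")


def normalize(addr: str):
    """Parse a peer address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_allowed(path: str, peer_addr: str, allowlist=VPN_ALLOWLIST) -> bool:
    """Return True if the request may proceed.

    Non-admin paths are open. Admin paths require the TCP peer address
    (not a client-supplied header) to fall inside the allowlist.
    Unparseable addresses fail closed.
    """
    if not path.startswith(ADMIN_PREFIXES):
        return True
    try:
        ip = normalize(peer_addr)
    except ValueError:
        return False
    return any(ip.version == net.version and ip in net for net in allowlist)


def audit(requests):
    """Return the (path, addr) pairs that the allowlist would block."""
    return [(p, a) for p, a in requests if not is_allowed(p, a)]


# Constructed sample requests: (path, peer address)
SAMPLE = [
    ("/wp-admin/index.php", "203.0.113.10"),         # via VPN: allowed
    ("/wp-admin/index.php", "::ffff:203.0.113.10"),  # same IP, dual-stack socket
    ("/wp-admin/index.php", "198.51.100.77"),        # home ISP address: blocked
    ("/blog/post-1", "198.51.100.77"),               # public page: allowed
    ("/admin/login", "not-an-ip"),                   # malformed: blocked
]

if __name__ == "__main__":
    for path, addr in audit(SAMPLE):
        print(f"blocked {addr} -> {path}")
```

With every coworker leaving through the VPN server, the allowlist holds a single entry that never needs updating when someone's home or mobile address changes.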
Connecting to VPN servers
VPN clients that connect to these VPN servers are available for all devices and operating systems. You will find them in the app store for your device. Many will be from the same authors as the server applications, although versions of both the client and server are generally agnostic.
A good, well-supported product that I often recommend is WireGuard. Personally, I use OpenVPN Connect as I tend to use OpenVPN servers.
Many home routers will have an option to connect to a VPN server, encrypting all internet use, negating the need to add client software on every device. There are often options to “route” traffic for certain destinations through the VPN, and bypass it for other purposes (Netflix can use a lot of data!).
Cloud-hosted VPN servers
If most resources are within your infrastructure, the VPN server could stay on a server within your office. Better yet, your office router may have a built-in VPN server that can be used instead of setting up a dedicated one. But if most of your company’s resources are cloud based, as is becoming more popular, it often makes more sense to also host the VPN server in the cloud.
Keep in mind that a VPN with a static IP address does not offer the same privacy that commercial VPNs provide by masking your location. Your browsing would still be encrypted, but because you have a static IP address, it could be traced back to you.
Use a VPN and be more secure when browsing the internet
These days, as more people need to work from home, it is important to take some security steps to make your daily job happen more smoothly. Using a VPN can add another layer of security to your new work environment. We can keep this conversation going in our social channels @sucurisecurity. Stay safe!