Do you use a secure VPN with MFA?

Updated by Brady Stroud [SSW] 1 year ago.

If you have a Remote Access VPN, it is important to ensure that the VPN is secure. VPNs are a common point of attack in cyber security incidents - if a bad actor can get into your VPN, they're in your network. These days, the most important way to secure your VPN is to use MFA. The best way to set this up will depend on the VPN and current MFA solution you are using.

It is also important to make sure that your VPN uses a secure protocol. PPTP was previously a popular choice, but it is now deprecated because it can be hacked very quickly using online tools. It is recommended to go with a provider that uses SSL or IPsec protocols.

❌ Figure: ![Bad example: PPTP should not be used, it is old and no longer secure](/uploads/rules/do-you-use-a-secure-remote-access-vpn/vpn-pptp.png)

✅ Figure: ![Good example: Cisco AnyConnect configured with Azure AD SSO and MFA](/uploads/rules/do-you-use-a-secure-remote-access-vpn/cisco-vpn.png)

✅ Figure: ![Good example: Fortinet have their own MFA solution for VPN, FortiToken](/uploads/rules/do-you-use-a-secure-remote-access-vpn/fortitoken-vpn.png)

More information on Cisco AnyConnect

If you're using Cisco AnyConnect and Azure AD, it is easy to set up authentication through SAML - so your Azure AD MFA will be applied to any VPN logins.

The basic steps are:

  1. In Azure AD, set up AnyConnect as an Enterprise application
  2. In Azure AD, add the users that you want to have VPN access
  3. Configure your Cisco ASA to use SAML for VPN authentication

Figure: Adding Cisco AnyConnect as an Enterprise Application in Azure AD

For more information, see Cisco's documentation here.
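
Once step 3 is done, it is worth confirming that no remote-access tunnel group was left on a non-SAML login path. The following Python check is an added example, not part of this rule or of Cisco's documentation: it parses a saved ASA running-config and reports remote-access tunnel groups that lack `authentication saml` or a `saml identity-provider`. The config excerpt is constructed, and the group names and `TENANT-ID` are placeholder assumptions.

```python
import re

# Constructed ASA running-config excerpt. Group names and TENANT-ID are
# placeholders (assumptions), not values from the page.
SAMPLE_CONFIG = """\
webvpn
 saml idp https://sts.windows.net/TENANT-ID/
tunnel-group AC-SAML type remote-access
tunnel-group AC-SAML webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/TENANT-ID/
tunnel-group LEGACY-VPN type remote-access
tunnel-group LEGACY-VPN webvpn-attributes
 authentication aaa
tunnel-group CONTRACTORS type remote-access
"""

HEADER = re.compile(r"tunnel-group (\S+) (type remote-access|webvpn-attributes)\s*$")

def audit_tunnel_groups(config):
    """Return {group: [findings]} for remote-access groups not set up for SAML."""
    groups, current = {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not raw.startswith(" "):            # top-level line closes any open block
            current = None
            m = HEADER.match(raw)
            if m:
                g = groups.setdefault(m.group(1), {"remote": False, "auth": None, "idp": None})
                if m.group(2) == "webvpn-attributes":
                    current = g                # indented sub-commands now belong to g
                else:
                    g["remote"] = True
        elif current is not None and words:
            if words[0] == "authentication":
                current["auth"] = words[1:]
            elif words[:2] == ["saml", "identity-provider"] and len(words) > 2:
                current["idp"] = words[2]
    findings = {}
    for name, g in groups.items():
        issues = []
        if "saml" not in (g["auth"] or []):
            method = " ".join(g["auth"] or ["(none configured)"])
            issues.append("authentication method: %s; expected saml" % method)
        if g["idp"] is None:
            issues.append("no saml identity-provider configured")
        if g["remote"] and issues:
            findings[name] = issues
    return findings
```

On the sample it flags `LEGACY-VPN` and `CONTRACTORS` and passes `AC-SAML`; an empty result means every remote-access group in the file points at the SAML identity provider.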
