Securing VPN With Two-Factor Authentication

What is VPN?

Virtual Private Network allows you to connect one or more computers to a private network most of the time via the internet. Even though this approach is not new, in recent years this has become more relevant mainly due to the new trends in the way companies work & more people want a greater level of online privacy.

Why one should care about VPN?

VPN allows you to connect to a private network securely and remotely. You can even link to different networks and servers in a secure way. It allows you to surf safely in a public wifi network, also helps prevent Man-In-The-Middle attack.

(Internet VPN-source: Wikipedia)

VPN tunneling ensures secure communication between systems. As the connection is encrypted, no one along the VPN tunnel can intercept, monitor, or alter your communications.

Where are the vulnerabilities?

It is said that no software is immune to vulnerabilities. Achieving the web security of you and your organization using a VPN is keeping your IP address hidden. But it is bothersome when you hear some news like Several privacy-busting bugs found in popular VPN services Or Authentication Bypass Bug Hits Top Enterprise VPNs. Though this was not good news such vulnerabilities occur every time in the cyber world. What’s important is how we identify and tackle such things.

Some VPN providers embrace your data

While it is also important that VPN providers should maintain full transparency because it is found that some VPN providers also hold onto your data. Most of the VPN providers claim that they do not maintain a log of your online session neither they maintain the logs for your IP addresses or servers used, websites visited or files downloaded but “no log” claims differ from one VPN provider to another.

Cloud VPN is more vulnerable

Today cloud technologies have given a huge amount of collaboration and convenience to the organizations but it has also brought security challenges for them. While using Cloud VPN solutions companies expose themselves and due to this, any hacker can gain access to their private data.

Credentials phishing

Credentials phishing is one rapidly growing attack in the cyber world, where a hacker steals credentials such as userID and password. Hacker displays himself as an authority and by the means of email or any communication channel he gets to know your credentials. If a hacker gets the credentials he can use them to get the sensitive info out.

How Multi-factor authentication helps secure your VPN?

Multi-factor authentication for VPN validates user identity with passwords and an additional layer of authentication (e.g. OTP over SMS/Email). That is why it is called multi-factor authentication. This provides greater identity assurance for a user who is accessing any resource via VPN. So with multi-factor enabled on your system, it prevents the hacker from accessing the resources even if they know your username and password. As you have an additional layer of authentication hacker has to pass that layer which is not possible. However, we need to understand that not all 2FA are the same and provide greater assurance of security. Many 2FA solutions are slow or complicated and therefore inefficient.

miniOrange can be of great value here by providing 2-factor Authentication on top of VPN Authentication. This secures access to protected resources instead of relying on only the VPN username/password. miniOrange uses the Remote Authentication Dial-In User Service (RADIUS) protocol. Communication between the client and the RADIUS server is authenticated and a shared secret is used, which is never sent over the network.

Radius Client Authentication Flow

Here the RADIUS client is nothing but the VPN. If you take a look at the steps then you can get an idea of how Two-Factor authentication is used with VPN.

1. The user enters the login credentials to the VPN.

2. RADIUS Clients sends the login details to miniOrange RADIUS server.

3. User details are checked with Active Directory.

4. When the AD finds the user it sends the response to miniOrange RADIUS server. First-factor authentication is completed here.

5. A challenge-response is sent to RADIUS clients for second Factor Authentication.

6. RADIUS client prompts the user with a 2FA challenge. (e.g.OTP over SMS/Email).

7. When the user validates himself with 2FA. The authentication response is sent to miniOrange RADIUS server.

8. After checking the response RADIUS server grants access to the user

This way it is ensured that no unauthorized person gets access to the VPN. miniOrange acts as a RADIUS server that takes username/password from the user and validates it with Active Directory (AD). After checking with the AD it prompts the user for Two-Factor authentication. If the user successfully completes the 2FA then the server grants the access.

Conclusion

These days organizations have become fully aware of the use of Multi-Factor Authentication for an extra layer of security along with VPN. Unauthorized access to your VPN is likely to cause more harm to the business. Two Factor Authentication adds a 2nd layer of authentication when you are gaining access to protected resources through a VPN and plays a key role in securing your network, data & resources.