
Two-factor authentication for VPN connections



To further enhance the security of external connections to the internal resources of the corporate network, it is recommended to "strengthen" VPN connections with a two-factor authentication procedure. This can be done easily with Panda GateDefender.

VPN allows two separate local networks to directly connect to each other securely using potentially insecure networks, such as the Internet. All network traffic within a VPN connection is safely transmitted inside an encrypted tunnel, hidden from prying eyes. This configuration is called Gateway-to-Gateway VPN (Gw2Gw VPN). Similarly, a single remote computer located somewhere on the Internet can use a VPN tunnel to connect to the desired local area network. In this case, the remote computer, sometimes called Road Warrior, looks as if it is physically present on this local network as long as the VPN tunnel is active.
Such VPN capabilities are very convenient: in the era of BYOD and distributed information systems, secure VPN connections are a fairly simple and effective solution that gives remote and mobile employees secure access to internal corporate IT resources (the internal local network, databases, file servers, etc.).

Panda GateDefender's UTM solution for protecting the perimeter of the corporate network allows you to solve this issue. The solution supports the creation of a VPN based either on the IPsec protocol, which is supported by most operating systems and network devices, or on the OpenVPN service.

The Panda GateDefender solution can be configured as an OpenVPN server or client (or can play both of these roles at the same time) to create a network of devices connected via OpenVPN. In short, the capabilities of the solution allow:

• configure the OpenVPN server so that clients can connect to one of the local zones
• configure the client part of a Gateway-to-Gateway scheme between two or more Panda GateDefender solutions
• configure IPsec-based VPN tunnels and L2TP connections
• manage VPN connection users
• configure the certificates that will be used for VPN connections

By themselves, VPN connections are sufficiently protected against interception and decryption. But what happens if an attacker somehow (and there are a lot of ways ...) obtains the login and password for the VPN connection, or even gains remote or physical access to the computer of your mobile or remote employee and connects to the corporate VPN on that employee's behalf? How can the security of VPN connections be increased?

Two-factor authentication

In this case, two-factor authentication (2FA) will help. This is a security process in which users must provide an additional time-based one-time password (TOTP) for more secure identification. This additional password is generated by a token (a code-generating device) or, as an alternative, by a special application installed on the user's smartphone.

Two-factor authentication increases the security of a VPN connection, since in this case, it requires not only a username and password, but also an additional temporary one-time code (TOTP) generated by the token. Therefore, the user authentication process is a combination of the data that the user already knows (username and password) and the data that the user receives separately (code generated by a token or TOTP-compatible application installed on the user's smartphone).

There is a wide variety of token devices and manufacturers on the market. Each of them implements its own algorithm, but all of them require integration of their technology on the server side. Many of these manufacturers provide both hardware solutions (physical code-generating tokens) and software solutions, such as smartphone applications that generate TOTPs.

To achieve interoperability between manufacturers, there is an open standard that can be used without the need for third-party software licensing. This standard was published in RFC 6238.

Installing a token on the user's device

Users can use any TOTP-compatible device or smartphone app. There are a huge number of free applications that support this standard, for example:



To generate TOTP codes, the user must set up an account in the application. There are two ways to set up an account for the Panda GateDefender solution:

• Manually create an account by copying the one-time password text code generated in the Panda GateDefender management console.
• Photograph a QR code generated by the GateDefender console using a smartphone camera.

The text code and QR code contain all the information needed to set up an account.
After the account has been configured, the token application will generate a new one-time password every 30 seconds. Since the password generation algorithm is based on the device clock, no internet connection is required. However, the time configured on the GateDefender solution and on the user's device must not differ by much. The figure below shows the interfaces of some smartphone applications that generate passwords.
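To make the RFC 6238 mechanism described above concrete (the 30-second step, the clock dependency, and the provisioning data carried by the text code or QR code), here is an added example in Python that is not part of the original article and is not GateDefender's own code. It implements HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library only, verifies a code with a small drift window to tolerate a modest clock difference between server and device, and builds the otpauth:// key URI that authenticator apps import from a QR code. The function names, the account and issuer strings are assumptions; the 20-byte key is the test key published in RFC 6238.

```python
import base64
import hashlib
import hmac
import struct
import urllib.parse


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte selects the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals since the epoch.
    Only the clock is needed, which is why the phone app works without a network connection."""
    return hotp(key, unix_time // step, digits, algorithm)


def verify_totp(key: bytes, candidate: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the code for the current interval and up to `window`
    intervals on either side. This absorbs a clock difference of a few dozen seconds;
    a device whose clock is further off will still be rejected. Comparison is constant-time."""
    counter = unix_time // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(key, c, digits), candidate):
            return True
    return False


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    """Key URI of the form otpauth://totp/... that authenticator apps read from a QR code.
    It carries everything the app needs: the Base32 secret, algorithm, digit count and period."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({
        "secret": b32, "issuer": issuer, "algorithm": "SHA1",
        "digits": digits, "period": step,
    })
    return f"otpauth://totp/{label}?{query}"


if __name__ == "__main__":
    # Constructed demo values: RFC 6238 test key, hypothetical account and issuer names.
    key = b"12345678901234567890"
    print(provisioning_uri(key, "alice@example.com", "ExampleVPN"))
    print("TOTP at T=59 (8 digits):", totp(key, 59, digits=8))
```

In a real deployment the shared secret is generated with a cryptographically secure random source per user, stored only on the server and inside the user's token, and the verification above runs after the username and password have already been checked, so that both factors are required.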



Configuring two-factor authentication in GateDefender


Follow the steps below to enable two-factor authentication in the GateDefender solution:

• Add a one-time password authorization server.
• Define a new mapping to this server.

Adding a new one-time password authorization server

Go to VPN -> Authorization -> Settings and click the Add new authorization server link.



For the Type option, select One-time password. Then select Local in the User Information Provider and Password Provider fields. Enter the name of the new authorization server in the Name field and click the Add button.



In this example, we used a local password provider to verify the username and password entered by the user. However, two-factor authentication also supports other types of password providers.

Defining a new mapping to the authorization server

After creating the authorization server, you need to configure a new mapping for one of the VPN types supported by GateDefender.
To add a new mapping to the authorization server, click on the icon corresponding to the type of VPN you want to configure.



In the new window, click the icon to add a new mapping to the authorization server. The new server will appear in the right pane. To remove the mapping, click the icon. To add or remove all mappings, click the Add All and Delete All links, respectively.



Setting up the 2FA service on the user's device


The figure below shows the configuration procedure:



• Create a new user in GateDefender and generate a QR code or key.
• Email the QR code to the user, or print it out and hand it over manually. If the user's smartphone has no camera, give the user the text code instead.
• The user scans the QR code (or enters the text code) in the TOTP-compatible application installed on the smartphone.
• The application can now generate access codes.

Creating a new user in GateDefender and generating a QR code or text code

Go to VPN -> Authorization -> Users and click Add New Local User.



When adding a new user, click Show QR Code. Send the code in text form to users whose smartphones have no application for scanning QR codes.



To download the QR code from the GateDefender console, simply right-click on it and select the Read QR code from image option in the context menu.



Sending a QR code (text code) by mail to the user or printing and sending it manually

After you have downloaded the QR code (copied the text code), you can send it to the user by email or print it and transfer it to him manually.

User scanning of the QR code (or text code entry) using a TOTP-compatible application installed on the smartphone

After receiving the QR code or text code, the user must import it into the TOTP-compatible application.
You can revoke the account previously set up on the user's smartphone by generating a new text code or QR code and scanning it with the application.

User connection

After two-factor authentication has been enabled, the user connection process changes: when connecting with a VPN account, the user is required to provide a valid code generated by the token in addition to the username and password. The process is shown in the figure below.



Conclusion


In this article, we examined a case in which the security of VPN connections for the remote and mobile employees of an enterprise had to be increased. As a solution, we used the two-factor authentication feature implemented in the Panda GateDefender UTM solution for protecting the network perimeter.

More information about Panda GateDefender

You can also order a free version of Panda GateDefender for a period of 1 month by sending a request to sales@rus.pandasecurity.com.

Source: https://habr.com/ru/post/337800/
