Protecting your Enterprise assets behind a virtual private network.
It’s 2021, and most people are aware of the rampant cyber attacks occurring around the world. There seems to be far more media coverage of the operations that are taking place, and news outlets excel at spreading panic. Even worse is how quickly they latch on to a perpetrator, such as “CCP sponsored” or “Russian hackers”. This narrative makes it seem like only well-funded adversaries are able to carry out cyber attacks. More damaging is the fact that state-sponsored criminals aren’t the only ones capable of performing large-scale hacks. Instead, financially motivated hackers reap the benefit of operating in the shadows. Recent ransomware payments also demonstrate that companies will shell out cash to get their computer systems back.
So what happens when the lucrative targets are depleted, and there are only mom-and-pop shops left to invade? Hopefully those businesses used this time to strengthen their network and train their employees to spot a phishing email.
I found that protecting your infrastructure and internal assets behind a VPN is a great start, so I wanted to explain how easily it can be done. It can be achieved without fancy network hardware, thanks to the inexpensive options that cloud computing offers. This guide uses Amazon Web Services (AWS) as the cloud provider, and has a monthly fee of $22, or $144/year.
Not only does this establish a perimeter defense for your company network, but it’s also a secure way to enable remote working. A VPN connection grants access to the servers running on that local area network, since there’s no way to access them directly from the internet.
The infrastructure required for the VPN server was a license for OpenVPN and a dedicated server with an internet connection. This server handles authentication to the corporate network, since an active account on that OpenVPN server is required.
The public-facing website “mitchelllabenski.com” hosts the VPN server. Once you are logged in through a VPN client, your internet traffic is sent to this server and then routed from there. This is known as a full tunnel, because all traffic is sent to the server, while a split tunnel would intercept only the traffic sent to that network.
Now that we’re inside the local area network, there is a direct connection to the corporate servers discussed earlier. For example, a web server that hosts a wiki/knowledge base for company information, or an email server. Since these servers have no public-facing IP, it’s not possible to route to them from my laptop without the VPN.
This shows the private server in my AWS dashboard. It’s running at a LAN IP of 10.0.9.100. To the left of that is an Access Control List (ACL) that accepts connections only from the CIDR range of 10.0.9.0/24. Luckily, our VPN server runs on the local IP of 10.0.9.6, and is therefore inside that CIDR range.
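The decision the ACL makes can be reproduced offline to confirm that only LAN sources reach the private server and that no allow rule reaches beyond 10.0.9.0/24. This is an added example, not part of the original post: it assumes the ACL behaves like an AWS network ACL (entries evaluated in rule-number order, first match decides), and the entries, port 443 and the 203.0.113.10 address are constructed for illustration.

```python
import ipaddress

LAN = ipaddress.ip_network("10.0.9.0/24")  # CIDR range from the article

# Constructed inbound entries, shaped like AWS network ACL entries (assumption).
# Protocol "6" is TCP, "-1" means all protocols; port 443 is an assumed web port.
ENTRIES = [
    {"RuleNumber": 100, "RuleAction": "allow", "CidrBlock": "10.0.9.0/24",
     "Protocol": "6", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 32767, "RuleAction": "deny", "CidrBlock": "0.0.0.0/0",
     "Protocol": "-1"},
]


def evaluate(entries, src_ip, port, protocol="6"):
    """Return 'allow' or 'deny' for an inbound connection.

    Entries are checked in ascending rule number and the first match decides;
    if nothing matches, the connection is denied.
    """
    src = ipaddress.ip_address(src_ip)
    for e in sorted(entries, key=lambda e: e["RuleNumber"]):
        if e["Protocol"] not in ("-1", protocol):
            continue
        if src not in ipaddress.ip_network(e["CidrBlock"]):
            continue
        rng = e.get("PortRange")
        if rng and not rng["From"] <= port <= rng["To"]:
            continue
        return e["RuleAction"]
    return "deny"


def overly_broad(entries, lan=LAN):
    """List allow rules whose CIDR reaches beyond the LAN (exposure check)."""
    return [e["RuleNumber"] for e in entries
            if e["RuleAction"] == "allow"
            and not ipaddress.ip_network(e["CidrBlock"]).subnet_of(lan)]


if __name__ == "__main__":
    print(evaluate(ENTRIES, "10.0.9.6", 443))      # VPN server from the article
    print(evaluate(ENTRIES, "203.0.113.10", 443))  # constructed internet address
    print(overly_broad(ENTRIES))                   # rule numbers wider than the LAN
```

Because the first matching rule wins, a broad allow entry with a lower rule number than the LAN rule would expose the server regardless of the rules after it, which is what `overly_broad` is meant to catch.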
Connecting to that server
In conclusion, this demonstrates how simple network segmentation can be. A WordPress vulnerability cannot be exploited by someone without access to that VPN server. This builds a second layer of defense, because a hacker would first require credentials to the VPN, or direct access to an employee’s laptop, before they could establish a connection to the internal network. This was achieved through AWS with a $12 monthly fee.