Security recommendations

Assumptions

To maintain a proper security level, the operating conditions and usages listed below must be observed.

Profile and responsibilities of administrators

The system and network administrator as well as the security administrator, respectively tasked with installing the software and defining the VPN security policies, are nonhostile. They are trained to carry out the tasks for which they are responsible and follow administrative manuals and procedures.

The security administrator regularly ensures that the product’s configuration is in line with the one that he or she has set up and performs updates when necessary.

The product’s logging function is enabled and properly configured. Administrators are responsible for regularly reviewing the logs.

Profile and responsibilities of users

Users of the software are nonhostile and have been properly trained on how to use it. More specifically, users execute the tasks for which they are responsible to ensure proper operation of the product and do not reveal the information used for their authentication with the VPN gateway.

Compliance with management rules for cryptographic elements

Key pairs and certificates used to open the VPN tunnel are generated by a trustworthy certification authority that guarantees compliance with management rules for these cryptographic elements and, more specifically, with the specifications laid out by your local cybersecurity agency, e.g. [RGS_B1] and [RGS_B2] in France (only available in French).

User workstation

The machine on which SN VPN Client Exclusive is installed and run must be clean and properly administered. More specifically:

  • Antivirus software must be installed, and its signature database must be updated on a regular basis.

  • It must be protected by a firewall that controls (partitions or filters) the workstation’s inbound and outbound communications that do not go through the VPN Client.

  • Its operating system is up to date with the various security patches.

  • Its configuration is such that it is protected against local attacks (memory forensics, patching, or binary corruption).

Configuration recommendations to strengthen the workstation are available on the ANSSI website (in French), such as the following (the list is non-exhaustive):

VPN Client administration

SN VPN Client Exclusive is designed to be installed and configured with “administrator” privileges and then to be used with “user” privileges only.

We recommend that you protect access to the VPN configuration with a password and restrict the software’s visibility to end users (default behavior of SN VPN Client Exclusive) as detailed in section Restricting access to the Configuration Panel.

We recommend that you enable the hash integrity check for the VPN configuration file using the MSI SIGNFILE property set to 1 when installing the software (see MSI SIGNFILE property in the “Deployment Guide”). When the property is not specified during installation, its default value is 0 (disabled).

The software must therefore be run as administrator to be able to access the Configuration Panel.

We recommend keeping the Start VPN Client after Windows Logon mode enabled, which is the default mode upon installation.

Lastly, please note that SN VPN Client Exclusive will apply the same VPN configuration to all users of a multiple-user workstation. We therefore recommend running the software on a dedicated workstation (for instance by keeping an administrator account and a user account, as mentioned above).

VPN Configuration

Sensitive information in the VPN configuration

We recommend that you do not store any sensitive data in the VPN configuration file.

In this regard, we recommend that you do not use the following features of the software:

  • Do not use the EAP (password/login) mode alone, but only in combination with a certificate.

  • If EAP is used, do not store the EAP login name/password in the VPN configuration (function described in section Authentication).

  • Do not import any certificates to the VPN configuration (function described in section Importing a certificate to the VPN configuration) and preferably use certificates stored on removable devices (tokens) or in the Windows Certificate Store.

  • Do not use the “Preshared key” mode (function described in section IKE Auth: IKE SA) and preferably use the “Certificate” mode with certificates stored on removable media (tokens) or in the Windows Certificate Store.

  • Do not export the VPN configuration unencrypted, i.e. without password protection (function described in section Exporting a VPN configuration).

User authentication

The user authentication functions available in SN VPN Client Exclusive are described below, from the weakest to the strongest.

It should be noted that preshared key authentication, despite being easy to implement, enables any user of the workstation to establish a VPN tunnel without cross-checking their authentication.

| Type of user authentication | Strength |
|---|---|
| Preshared key | Weak |
| EAP | |
| EAP popup | |
| Certificate stored in the VPN configuration | |
| Certificate in the Windows Certificate Store | |
| Certificate on a smart card or token | Strong |

VPN gateway authentication

We recommend that you implement a check on the VPN gateway certificate as described in section PKI options.

We recommend that you do not configure the VPN Client to validate certificates that do not comply with the constraints on the Extended Key Usage and Key Usage extensions (do not use the dynamic parameter allow_server_and_client_auth).
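
One way to inspect a gateway certificate's Key Usage and Extended Key Usage extensions before deploying it, as an added example (not code from the product or its documentation). The policy it checks is an assumption, since the page does not spell out the constraints: Key Usage includes digitalSignature, and Extended Key Usage includes serverAuth but not clientAuth. The function name Test-GatewayCertUsage and the sample certificate are constructed for illustration; building the sample requires .NET Framework 4.7.2 or later, or PowerShell 7.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Assumed policy (not stated on the page): Key Usage must include
# digitalSignature; EKU must include serverAuth and must not include clientAuth.
function Test-GatewayCertUsage {
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)
    $serverAuth = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
    $clientAuth = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
    $findings   = @()

    # Extensions are located by OID: 2.5.29.15 = Key Usage, 2.5.29.37 = EKU.
    $ku  = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    $eku = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }

    if (-not $ku) {
        $findings += 'Key Usage extension is missing'
    } elseif (-not $ku.KeyUsages.HasFlag([X509KeyUsageFlags]::DigitalSignature)) {
        $findings += 'Key Usage does not include digitalSignature'
    }

    if (-not $eku) {
        $findings += 'Extended Key Usage extension is missing'
    } else {
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($oids -notcontains $serverAuth) { $findings += 'EKU does not include serverAuth' }
        if ($oids -contains $clientAuth)    { $findings += 'EKU also includes clientAuth' }
    }

    [pscustomobject]@{
        Subject   = $Certificate.Subject
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Constructed sample: a throwaway self-signed certificate carrying both
# serverAuth and clientAuth, which the assumed policy rejects.
$rsa = [RSA]::Create(2048)
$req = [CertificateRequest]::new('CN=gateway.example.test', $rsa,
    [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$req.CertificateExtensions.Add(
    [X509KeyUsageExtension]::new([X509KeyUsageFlags]::DigitalSignature, $true))
$ekuOids = [OidCollection]::new()
foreach ($o in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') { [void]$ekuOids.Add([Oid]::new($o)) }
$req.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($ekuOids, $false))
$sample = $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(1))
Test-GatewayCertUsage -Certificate $sample
```

To audit a real gateway certificate, pass an X509Certificate2 loaded from the exported certificate file instead of the constructed sample.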

Protocol

We recommend that you only configure IPsec/IKEv2 tunnels (and no SSL/OpenVPN tunnels).

“All through the tunnel” and “split tunneling” modes

We recommend that you configure the VPN tunnel using the “All traffic through the tunnel” mode and enable the “Disable Split Tunneling” mode.

Refer to sections Configuring the Address type and Others.

GINA mode

We recommend that you choose a strong authentication method for all tunnels configured in GINA mode.

ANSSI recommendations

The recommendations described above can be complemented by the French National Cybersecurity Agency’s (ANSSI) IPsec configuration document: Recommendations for securing IPsec networks.