As a supplier of both hardware, the CloudVPN router, and a cloud solution, the CloudVPN Portal, it is our responsibility to give our customers the knowledge and tools to help them make the best decisions to keep their installations secure. This article will give insight into the most important security-related aspects of CloudVPN’s products and can be used to harden your CloudVPN environment against cybercrime.
Please use the links below for easy navigation.
- The CloudVPN Portal
- The CloudVPN router
The CloudVPN Portal
The CloudVPN Portal is used to gain access to your machines and their data. You can log in from any device that has access to the Internet, including mobile phones, tablets and laptops. Within the CloudVPN Portal, there are several important aspects to consider.
Your CloudVPN Portal account is used to authenticate yourself to our systems. In the first place, you use a username (your email address) and a password to log in. It is crucial that you choose a password that is long, hard to guess and unique to the CloudVPN Portal: a password reused from another service can be taken from a breach of that service and tried against your account. As a rule of thumb, use at least 12-15 characters, and let a password manager generate and store it. See how to register with a password or how to change the password of an existing account.
Besides a strong password, it is recommended to enable two-factor authentication (2FA). With 2FA you need not only a username and password to log in, but also a one-time code generated by an authenticator app on a device you control, so a stolen or guessed password alone is no longer enough to access your account. See how to set up 2FA for your account and how to enforce 2FA for all users in your company for additional details.
Every time you log in to the CloudVPN Portal, a temporary Access Token is issued that stays valid for up to one week, so you do not need to enter your credentials each time you open the CloudVPN Portal on the same device. Because such a token grants access without a password, it is good policy to regularly review which Access Tokens are active for your account and remove any you do not recognise, or that belong to a device you no longer use or have lost. You can do this through the following steps:
- Go to the CloudVPN Portal if you're not already there.
- Click on your account name, then [My profile].
- Go to [Login and security] and choose which sign-in you would like to remove.
- Click on more options, then [Remove], to remove that Access Token.
Rights and permissions
Every user within your company has a specific set of permissions governing what they can and cannot do. You should always ensure that users have only the permissions they need to do their job (the principle of least privilege). See how to configure roles and permissions for existing users for more information. When inviting new users to your company, take a moment to consider the implications of giving people too many permissions: they might gain access to confidential information, or they might (accidentally or deliberately) remove users, devices or services. Review permissions again when someone's role changes or they leave the company, and remove accounts that are no longer needed. See how to invite users with a specific set of permissions for more information.
The CloudVPN router
The CloudVPN router is the edge hardware designed to work with the CloudVPN Portal. It has a built-in firewall that separates your machine components from your corporate network, so that a compromised or misbehaving machine component cannot reach corporate assets, and vice versa. This also reduces the risk of running outdated software that can no longer be patched (e.g. Windows XP) on a machine, provided the machine is reachable only through the CloudVPN router's firewall and is not connected directly to the corporate network or the Internet; the isolation limits exposure but does not fix the vulnerabilities in that software.
The CloudVPN router needs to be allowed access to the CloudVPN Portal to set up the connections needed for remote access, Cloud Logging, etc. Because opening incoming ports is inherently dangerous and error-prone, the CloudVPN router has been designed to need only outgoing port 443 to function properly; no inbound port needs to be opened in your corporate firewall. If this port is open, the CloudVPN router will contact the CloudVPN Portal servers on it for HTTPS, MQTT (over TLS) and VPN traffic. If allowing port 443 to any destination is too permissive for your local IT department, it is also possible to whitelist the specific CloudVPN domain names in your local firewall, so the router can reach only the Portal servers. More information can be found here.
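As an added example (not part of this article and not CloudVPN's own configuration), the following nftables ruleset shows how a corporate edge firewall can give the CloudVPN router exactly the outbound access described above and nothing else: outbound port 443 to an allow-list of Portal destinations, and no inbound access at all. The router address 192.0.2.10, the interface names lan0/wan0 and the destination addresses are assumptions; this page does not list CloudVPN's domain names, so resolve the names from their firewall documentation and put the resulting addresses in the set.

```nft
#!/usr/sbin/nft -f
# Added example: corporate edge firewall policy for one CloudVPN router.
# Assumptions (not from the article): the router sits at 192.0.2.10 behind
# interface lan0, the uplink is wan0, and 203.0.113.10/203.0.113.11 stand in
# for the resolved addresses of the CloudVPN Portal domain names.

flush ruleset

table inet cloudvpn_edge {
    # Portal destinations the router may reach. nftables resolves hostnames
    # only when the ruleset is loaded, so hostnames here would be frozen to
    # the addresses they had at load time. Keep this set in sync with the
    # vendor's published names, or use a DNS-aware proxy for true FQDN
    # allow-listing.
    set portal_hosts {
        type ipv4_addr
        elements = { 203.0.113.10, 203.0.113.11 }
    }

    chain forward {
        # Default deny: anything not explicitly allowed below is dropped,
        # which also means nothing from wan0 can be forwarded to the router.
        type filter hook forward priority filter; policy drop;

        # Return traffic for connections the router itself initiated.
        ct state established,related accept

        # The router only needs outbound port 443 (HTTPS, MQTT over TLS and
        # VPN). The article does not name the transport, so both TCP and UDP
        # are permitted; narrow this once you have confirmed which is used.
        iifname "lan0" oifname "wan0" ip saddr 192.0.2.10 ip daddr @portal_hosts tcp dport 443 ct state new accept
        iifname "lan0" oifname "wan0" ip saddr 192.0.2.10 ip daddr @portal_hosts udp dport 443 ct state new accept

        # DNS for the router is assumed to come from a resolver on the LAN
        # side, so it never traverses this chain. If the router must reach an
        # external resolver, add a rule for that server on port 53 only.

        # Log what gets dropped so a misconfiguration shows up in the logs
        # instead of as a silent loss of remote access.
        log prefix "cloudvpn-drop: " drop
    }
}
```

Load it with `nft -f cloudvpn_edge.nft` and confirm with `nft list table inet cloudvpn_edge`. To verify the policy behaves as intended, attempt a connection from the router's address to a host that is not in the set on port 443 and to a listed host on another port; both should appear in the kernel log with the `cloudvpn-drop:` prefix, while the router's normal Portal connection keeps working.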
CloudVPN router firewall
As a router, the CloudVPN router has many options relating to network traffic and the firewall, and it is important that you are aware of the security implications of these. By default, the CloudVPN router's firewall is configured to be as strict as possible, but it is possible to allow the machine network access to the Internet or to the corporate network; only open what the machine actually requires, and record why it was opened. The CloudVPN router also contains a web interface, which can be used to locally configure the router's network settings. Change its default password to a unique, strong password before the router is put into service: a default password is the first thing an attacker with access to the machine network will try.
The CloudVPN router receives multiple new firmware versions every year. Most of these do not contain security fixes, but some do, alongside other software updates or changes to the encryption used. Upgrading your installation to the latest version is therefore essential to maintaining the security of your CloudVPN environment, and the upgrade itself is straightforward. During the upgrade the router may reboot or briefly lose network connectivity, which is why we do not upgrade CloudVPN routers automatically; plan the upgrade in a maintenance window when the machine does not need to be reachable, and do not let installations fall several versions behind.
Keeping your installations secure is our number one priority, and therefore we think it imperative to share our knowledge on how to harden your CloudVPN environment. In the end, every case is different, but everyone must be aware of the controls they have to minimize their cybersecurity risks.