There are a variety of ways security teams can address this problem. However, the right solution must be unobtrusive to the external party and err on the side of availability, since most external users are sales personnel, executives or business partners who cannot be denied access.
Network segmentation is the first basic step to address the VPN issue. Properly segmenting your VPN network and the networks most typically accessed by VPN users will give you the ability to contain outbreaks when they occur. Segmentation can be performed at the network, sub-network and host level. At the network level, teams can use their firewalls and IPS devices to segment major portions of the network. Perhaps more importantly, security teams need to properly segment individual subnets and limit who can access those networks and hosts. This can be done easily using Virtual LANs (VLANs) and Access Control Lists (ACLs). Performing proper segmentation across all three levels will enable security teams to contain outbreaks, control which users can access critical hosts and provide the fundamental level of security around their VPN segments.
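The subnet-level step described above, as an added illustration that is not from the original article: a Cisco IOS style extended ACL that confines a VPN client VLAN to the few services remote users need and blocks the ports worms typically spread over. All addresses, the VLAN number and the server roles are constructed placeholders.

```cisco
! Constructed addresses: VPN client pool 10.50.0.0/16 on VLAN 50,
! internal DNS 10.10.0.53, web application server 10.10.1.5.
ip access-list extended VPN-USERS-IN
 remark -- Allow only the services remote users actually need
 permit udp 10.50.0.0 0.0.255.255 host 10.10.0.53 eq domain
 permit tcp 10.50.0.0 0.0.255.255 host 10.10.1.5 eq 443
 remark -- Contain worm-style outbreaks: no SMB/RPC from the VPN pool
 deny   tcp 10.50.0.0 0.0.255.255 any range 135 139 log
 deny   udp 10.50.0.0 0.0.255.255 any range 135 139 log
 deny   tcp 10.50.0.0 0.0.255.255 any eq 445 log
 remark -- Everything else is dropped and logged for the security team
 deny   ip any any log
!
interface Vlan50
 description VPN client segment (behind the VPN concentrator and IPS)
 ip address 10.50.0.1 255.255.0.0
 ip access-group VPN-USERS-IN in
```

An ACL on the VLAN interface only filters traffic routed off the segment; client-to-client traffic inside VLAN 50 never reaches it, so use the VPN concentrator's client isolation or a private VLAN to keep infected remote hosts from scanning one another.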
Intrusion Prevention Systems (IPS) are an extremely useful solution to the VPN outbreak problem. Since an IPS is an inline device with automated blocking functionality, there is always a risk of falsely denying access. However, a properly tuned IPS looking for a discrete set of known malware can be highly effective in preventing outbreaks behind the VPN. Security teams should deploy an IPS device behind any and all VPN devices. Once an outbreak occurs, these teams should move quickly to update their IPSs with the new attack signature and turn blocking mode on for that new threat. Security teams should then monitor the activity on the device to ensure that all malicious traffic is blocked while legitimate traffic is not denied. Managing this IPS process effectively will result in far fewer internal outbreaks and, consequently, far fewer security team headaches.
New initiatives from leading network and security vendors hold the promise of easing the VPN outbreak burden in the future. Cisco's Network Access Control (NAC) is one such initiative. Essentially, NAC informs a Cisco router or VPN device about the current state of the mobile user's security. Information such as patch levels and anti-virus signature versions is then used by the VPN device to determine whether or not this user is safe to enter your network. If they are not, the device directs the user to an internal web page where they can download the latest patches or virus signatures. Other vendors are promising to deliver a similar set of functionality. These solutions should greatly help security teams control the number of outbreaks occurring through the VPN.