S 4.4 VPN
Description
The increasing level of networking of computers and computer clusters has changed the way government agencies and companies communicate. Nowadays, communication networks are used to search for information, to perform tasks more efficiently, and above all, increasingly as a universal medium for transporting data. With the help of virtual private networks (VPNs), it is possible to implement security safeguards to transmit data requiring protection using untrustworthy networks like the internet.
In previous editions of the IT-Grundschutz Catalogues, module S 4.4 dealt with the subject of remote access. The present module contains recommendations for site-to-site, end-to-end, and end-to-site VPN applications. The standard security safeguards required for remote access are included in this module under the heading "Remote Access VPNs (End-to-Site VPNs)" below.
A virtual private network (VPN) is a network that is physically operated within another network, for example the internet, but is logically separated from this network. VPNs can protect the integrity and confidentiality of data with the help of cryptographic procedures. This also makes secure authentication possible for the communication partners even if several networks or computers are connected using leased lines or public networks.
VPNs are basically divided into the following types or combinations of these types:
- Site-to-site VPN: In this case, two computer networks are connected using a VPN, for example to allow the branch offices of an organisation to connect securely.
- End-to-end VPN: In this type of VPN, the VPN is established between two devices. If two servers are connected using a VPN, this connection is also often referred to as a host-to-host connection.
- End-to-site VPN (or Remote Access VPN): In this case, a VPN is established between a device and a network. This type of VPN is usually used when a mobile user wants to use his/her laptop to access the LAN of his/her organisation via a VPN dial-up node. This type of the access is also referred to as remote access.
Site-to-site VPNs are used to network the decentralised LANs of several branch offices of a company or government agency. Business partners or customers can access a central IT system of the organisation using an end-to-end VPN. A remote access VPN allows the employees to dial in to the LAN of the company and/or government agency from outside
Threat scenario
The present module addresses the threats applying to the use of VPNs. Such threats include organisational shortcomings such as inadequate planning, but also human error (e.g. due to poor administration). In addition, VPNs are permanently exposed to threats, because internal data is transmitted using untrustworthy networks.
The following typical threats to IT-Grundschutz when using a VPN are assumed to exist:
Force Majeure
| T 1.2 | Failure of the IT system |
Organisational Shortcomings
| T 2.2 | Insufficient knowledge of rules and procedures |
| T 2.16 | Non-regulated change of users in the case of laptop PCs |
| T 2.19 | Inadequate key management for encryption |
| T 2.22 | Lack of or insufficient evaluation of auditing data |
| T 2.24 | Loss of confidentiality of sensitive data of the network to be protected |
| T 2.37 | Uncontrolled usage of communications lines |
| T 2.87 | Use of insecure protocols in public networks |
| T 2.128 | Lack of, or inadequate, planning of the use of VPNs |
| T 2.129 | Lack of, or insufficient, rules for the use of VPNs |
| T 2.130 | Inappropriate selection of VPN encryption methods |
| T 2.131 | Inadequate monitoring of VPNs |
Human Error
| T 3.16 | Incorrect administration of site and data access rights |
| T 3.40 | Inappropriate use of authentication services with VPNs |
| T 3.41 | Improper use of VPN services |
| T 3.42 | Insecure configuration of the VPN clients for remote access |
| T 3.43 | Inappropriate handling of passwords |
| T 3.44 | Carelessness in handling information |
| T 3.90 | Incorrect administration of VPNs |
| T 3.91 | Failure of the VPN connections due to operating errors |
Technical Failure
| T 4.35 | Insecure cryptographic algorithms |
| T 4.57 | Interferences relating to the use of VoIP over VPNs |
| T 4.69 | Problems with the IPSec configuration |
| T 4.70 | Insecure default settings on VPN components |
Deliberate Acts
| T 5.22 | Theft of a mobile IT system |
| T 5.71 | Loss of confidentiality of classified information |
| T 5.92 | Use of the VPN client as a VPN server |
| T 5.93 | Permitting use of VPN components by third parties |
Method recommendation
In order to secure the information system examined, other modules will need to be implemented in addition to this module. These modules are selected based on the results of the IT-Grundschutz modelling process.
A series of safeguards must be implemented to successfully design and implement a VPN system, starting with the requirements analysis, the planning phase, the design phase, the installation phase, and continuing through to the secure operation phase. It is especially important to perform the corresponding business continuity planning to guarantee fast recovery of the communication connection in the event of an error.
The following lists the necessary safeguards for proper introduction of a VPN as well as for its secure operation:
Planning the use of VPNs
If the decision to use a VPN for certain connections has been made, it is necessary to plan and design its structure. At the same time, different types of VPNs can be used within one organisation. The first step is always to specify the necessary requirements regarding such a system (see S 2.415 Performing a VPN requirements analysis). An organisation should only start drawing up a corresponding concept (S 2.416 Planning the use of VPNs and S 2.417 Planning the technical VPN implementation) after the requirements have been clearly defined.
Particular attention must be paid to the definition of the organisation's VPN security policy, which needs to be coordinated with the general information security policy. The aspects to be taken into consideration when defining the VPN security policy can be found in safeguard S 2.418 Drawing up a security policy for the use of VPNs.
Purchasing
The suitable selection of a VPN product is the decisive factor in an organisation's ability to implement the requirements planned accordingly. For this reason, the recommendations provided in S 2.419 Selection of suitable VPN products must be taken into consideration when selecting the VPN components. If an external service provider is contracted to provide a VPN, the aspects presented in S 2.420 Selecting a trusted VPN service provider must be taken into consideration.
Implementation
The organisation can start with the installation of the VPN after completing the preliminary organisational and planning work. In particular, safeguard S 4.319 Secure installation of VPN devices must be taken into consideration. Once the basic installation has been performed, it is necessary to transfer the system to a secure operating state so that it can subsequently be put into live operation (see S 4.320 Secure configuration of a VPN). In order to adequately protect the VPN endpoints, they need to be integrated into the security infrastructure according to S 4.224 Integration of VPN components into a security gateway.
Operation
The security of the VPN must be permanently guaranteed, even during live operation. The recommendations regarding this are summarised in safeguard S 4.321 Secure operation of a VPN.
Disposal
VPN access points that have been forgotten and the access points for partners with which the organisation no longer has a cooperation agreement open up unnecessary security gaps and must be blocked as quickly as possible. The recommendations contained in S 4.322 Blocking unneeded VPN accounts must be taken into consideration for this.
Contingency Planning
Depending on the availability requirements, a disruption of the operation of the VPN may result in more or less severe problems. A corresponding business continuity concept must be developed to counteract the possibility of disruptions to operation. The recommendations required for this are described in S 6.109 Business continuity plan for the failure of a VPN.
The bundle of security safeguards for VPNs is presented in the following.
Planning and design
| S 2.415 | (A) | Performing a VPN requirements analysis |
| S 2.416 | (A) | Planning the use of VPNs |
| S 2.417 | (B) | Planning the technical VPN implementation |
| S 2.418 | (A) | Drawing up a security policy for the use of VPNs |
| S 3.65 | (W) | Introduction to basic VPN terminology |
| S 4.113 | (Z) | Use of an authentication server for remote access VPNs |
| S 5.76 | (W) | Use of suitable tunnel protocols for VPN communication |
| S 5.77 | (Z) | Establishment of subnetworks |
Purchasing
| S 2.419 | (C) | Selection of suitable VPN products |
| S 2.420 | (C) | Selecting a trusted VPN service provider |
Implementation
| S 4.224 | (Z) | Integration of VPN components into a security gateway |
| S 4.319 | (A) | Secure installation of VPN devices |
| S 4.320 | (A) | Secure configuration of a VPN |
| S 5.122 | (A) | Secure connection of laptops to local networks |
| S 5.148 | (C) | Secure connection of an external network with OpenVPN |
| S 5.149 | (C) | Secure connection of an external network with IPSec |
Operation
| S 4.321 | (A) | Secure operation of a VPN |
Disposal
| S 4.322 | (B) | Blocking unneeded VPN accounts |
Contingency Planning
| S 6.109 | (A) | Business continuity plan for the failure of a VPN |