T 2.128 Lack of, or inadequate, planning of the use of VPNs
If a virtual private network (VPN) is not planned and designed carefully, individual security gaps in the VPN could impair the security of all IT systems networked over the VPN. This could even result in the compromise of the government agency's or company's network connected to the inadequately secured VPN.
A number of problems may arise from a lack of, or inadequate, planning of VPN usage:
- If an unsuitable encryption algorithm is selected for the VPN connection, attackers or competitors could gain access to business-critical information of an organisation under some circumstances.
- In certain countries, the use of strong cryptographic procedures requires approval. Using strong cryptographic procedures without approval may have legal consequences.
- Internet-based VPNs cannot guarantee a certain transmission time. This may cause problems with time-critical applications (in the case of real-time machine control commands, for example).
- If, for example, the required bandwidth is estimated incorrectly during the planning phase, the transmission capacity of the VPN may be inadequate. This may limit or even prevent the use of applications which need the VPN channel.
- It may be impossible under certain circumstances to expand the VPN if the planning and design phases of the VPN did not take possible extensions into account.
- Complications may arise when integrating the VPN endpoints into existing security gateways. Such complications are often due to the complexity of the settings required on the security gateway.