T 2.129 Lack of, or insufficient, rules for the use of VPNs

The computers and networks connected by virtual private networks (VPN) cannot be considered trustworthy in general. This applies especially when the computers and networks connected are external computers and networks that are not administrated by the organisation itself. Extranet VPNs, for example, fall into this category. In this case, the organisation's own network is connected to the networks of other companies, taking into account functional restrictions and security requirements. For companies and government agencies, extensive damage may occur when security gaps in an external network have an impact on the organisation's own network via the VPN.

Extranet VPNs are often used in the automobile industry and/or in industries requiring intensive cooperation between manufacturers and suppliers.

The following security problems, amongst other things, may arise due to a lack of or inadequate rules for the use of VPNs:

• A VPN should not be allowed to "grow organically". The implementation of VPN accesses needs to be planned accordingly instead. Experience has shown that complex hardware and software scenarios may arise that are difficult to administrate, especially when continually expanding VPN access. This may lead to the selection of incorrect security settings that are mutually incompatible or cancel each other out.

• Without a comprehensive and binding security concept, it is generally up to each of the administrators and VPN users to specify the security settings, which they will then do as they see fit. This may lead to unsuitable security settings that can prevent connections from being established or permit the establishment of insecure connections, for example. This may have an impact on the security of the LAN, because in many cases the IT systems connected to a VPN have the same access capabilities as IT systems located directly in the LAN.

• The security of a VPN is based on the interaction of the physical components (computers, network switching elements), the structure of their connections (network separation, connection topology), and the configurations of the corresponding software components. However, the rules specified within the framework of the VPN security concept and their implementation using the corresponding configuration settings can only provide the desired security when the system actually installed is compatible with the system planned. Frequently, though, it becomes necessary to subsequently change the physical structure, for example due to a lack of detailed information during the planning phase. If the changes are not recorded, documented, and their impact on information security analysed, the security of the computers and networks connected to it may be at risk.

• VPN users are generally on their own when using the VPN. If there are no dedicated rules for using the VPN or the users are unaware of these rules, it is possible for users to unintentionally create security gaps.

• If legal data protection requirements are not followed properly when transmitting personal data between the components of the VPN, the organisation may be in violation of the data protection laws. Certain security safeguards may also be required by legal regulations for other data as well.

Examples:

• Due to a lack of rules regulating the use of the VPN, one supplier was granted wide-ranging access authorisations to the network and therefore access to confidential documents of a manufacturer. This became public and resulted in significant financial damage to the manufacturer.
• A semiconductor manufacturer is connected to its suppliers by an extranet VPN. Due to a lack of virus protection measures by one of the suppliers, malware infected the local corporate network of the semiconductor manufacturer through the VPN and triggered numerous incidents.
• The administrator of the VPN of a government agency only allowed connections encrypted using the triple-DES encryption method, but one user did not configure any encryption for her VPN client. Due to incompatible security settings, it was impossible to open a connection.
• An additional, small ISDN system was installed in one company while configuring the VPN to compensate for unfavourable cable routes. Since this additional device was not planned for accordingly, the organisation forgot to take it into account in the VPN security concept. As a result, it was possible, for example, to access a remote maintenance access point secured with a default password for a long time when a VPN connection was established.