T 2.131 Inadequate monitoring of VPNs
A virtual private network (VPN) is a potential target of attacks, whether to use the network without authorisation, to listen in on its communication, or disrupt its availability (DoS attacks). Such attacks may result in serious incidents both in the infrastructure connected to the VPN and in all applications connected to it.
If a VPN and its components are not monitored adequately, it is difficult or even impossible to detect attacks promptly. The longer a potential attacker is able to access a VPN without being detected, the greater the risk to the company or the government agency that, for example, confidential data will be read. Logging functions are usually used to counteract such risks. However, it is frequently overlooked that logged data provides no additional security unless it is actually evaluated.
Example:
- An attacker bypassed the authentication mechanism of a corporate VPN using a brute-force attack. The attack was logged only on the VPN gateway. However, since the responsible administrator checks the logs only sporadically due to her high workload, the attack was not detected promptly. The attacker was therefore able to access both the internal network of the company and the networks of suppliers connected to the gateway for a long period of time.
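The example above turns on logs that were written but never evaluated. The following script is an added illustration, not part of the catalogue entry, of the missing evaluation step: it reads authentication records from a VPN gateway and raises an alert when one source address accumulates repeated failures inside a short window, and additionally marks whether a successful login followed the burst (the pattern of a brute-force attempt that eventually succeeded). The log syntax, field names, thresholds and all sample lines are assumptions constructed for the example; real gateways each use their own log format, so `LINE_RE` would have to be adapted.

```python
"""Evaluate VPN gateway authentication logs for brute-force bursts.

Added example; the log format, field names and thresholds are assumed,
not taken from any particular product or from the BSI catalogue text.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log in an assumed syslog-like key=value format.
SAMPLE_LOG = """\
2024-03-04T08:00:01 vpn-gw auth: user=alice src=203.0.113.7 result=FAIL
2024-03-04T08:00:03 vpn-gw auth: user=alice src=203.0.113.7 result=FAIL
2024-03-04T08:00:05 vpn-gw auth: user=alice src=203.0.113.7 result=FAIL
2024-03-04T08:00:07 vpn-gw auth: user=alice src=203.0.113.7 result=FAIL
2024-03-04T08:00:09 vpn-gw auth: user=alice src=203.0.113.7 result=FAIL
2024-03-04T08:00:11 vpn-gw auth: user=alice src=203.0.113.7 result=FAIL
2024-03-04T08:00:13 vpn-gw auth: user=alice src=203.0.113.7 result=SUCCESS
2024-03-04T09:15:00 vpn-gw auth: user=bob src=198.51.100.5 result=SUCCESS
2024-03-04T09:20:00 vpn-gw auth: user=carol src=198.51.100.9 result=FAIL
2024-03-04T09:40:00 vpn-gw auth: user=carol src=198.51.100.9 result=FAIL
"""

# Assumed record layout: timestamp, host, "auth:", then user/src/result fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines of another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"],
        "src": m["src"],
        "result": m["result"],
    }


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source address that reaches `threshold` failed
    logins within `window`. Each alert records the failure count, the users
    tried, and whether a SUCCESS from the same source followed the burst."""
    recent_failures = defaultdict(deque)  # src -> timestamps inside the window
    alerts_by_src = {}
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["result"] == "FAIL":
            q = recent_failures[src]
            q.append(ev["ts"])
            # Drop failures that have aged out of the sliding window.
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if src in alerts_by_src:
                alert = alerts_by_src[src]
                alert["failures"] += 1
                alert["last"] = ev["ts"]
                alert["users"].add(ev["user"])
            elif len(q) >= threshold:
                alert = {
                    "src": src,
                    "failures": len(q),
                    "first": q[0],
                    "last": ev["ts"],
                    "users": {ev["user"]},
                    "success_after_burst": False,
                }
                alerts_by_src[src] = alert
                alerts.append(alert)
        elif ev["result"] == "SUCCESS" and src in alerts_by_src:
            # A login shortly after a burst of failures is the case worth
            # escalating: the guessing may have worked.
            if ev["ts"] - alerts_by_src[src]["last"] <= window:
                alerts_by_src[src]["success_after_burst"] = True
    return alerts


def run_sample():
    """Evaluate the constructed sample log with the default thresholds."""
    return detect_bruteforce(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['src']}: {a['failures']} failures between {a['first']} and "
              f"{a['last']}, users={sorted(a['users'])}, "
              f"success afterwards={a['success_after_burst']}")
```

On the sample data only 203.0.113.7 is reported: six failures in ten seconds followed by a success, while carol's two failures lie twenty minutes apart and never reach the threshold. The script covers the evaluation that the catalogue entry finds missing; what it produces still has to reach someone who acts on it, so in practice the alert would be forwarded (to a SIEM, a ticket, or a paging channel) rather than printed, and the thresholds tuned to the gateway's normal failure rate.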