T 3.40 Inappropriate use of authentication services with VPNs

The identity of a VPN user who wants to dial in to a LAN over a remote access VPN must be determined while the connection is being established. Authentication mechanisms based on the authentication data stored in the user administration are usually used for this purpose. Virtual Private Networks (VPNs) usually offer several options for the storage of user data: separate user administration facilities, use of the user administration facilities of the operating system, or use of authentication servers (with their own separate user administration). If different user administration systems are used for the VPN and the operating system, organisational shortcomings, for example, can cause the two databases to become inconsistent. This can then lead to unauthorised connections and unauthorised access to data.
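The inconsistency described above (a user removed or disabled in the operating system's user administration but still active in the VPN's own user database) can be caught by regularly reconciling the two stores. The following script is an added illustration and is not part of the T 3.40 catalogue text: both user administrations are modelled as constructed in-memory records, and the account names, flags and dates are invented sample data.

```python
"""Reconcile a VPN user database against the OS/directory user administration.

Constructed example (not part of T 3.40): both user stores are modelled as
in-memory records so the check runs offline. In practice the two lists would
be exported from the VPN gateway and from the directory/OS user administration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DirectoryAccount:
    """Account as known to the operating system / directory service."""
    username: str
    enabled: bool


@dataclass(frozen=True)
class VpnAccount:
    """Account as known to the VPN gateway's separate user administration."""
    username: str
    enabled: bool
    last_login: Optional[date]


# Constructed sample data standing in for the two user administrations.
DIRECTORY_ACCOUNTS: List[DirectoryAccount] = [
    DirectoryAccount("alice", True),
    DirectoryAccount("bob", False),   # left the organisation, OS account disabled
    DirectoryAccount("carol", True),
    DirectoryAccount("dave", True),
]

VPN_ACCOUNTS: List[VpnAccount] = [
    VpnAccount("alice", True, date(2024, 5, 2)),
    VpnAccount("bob", True, date(2024, 4, 30)),   # never disabled on the VPN
    VpnAccount("carol", False, None),
    VpnAccount("erin", True, date(2024, 1, 15)),  # no directory account at all
]


def reconcile(directory: List[DirectoryAccount],
              vpn: List[VpnAccount]) -> Dict[str, List[str]]:
    """Return the inconsistencies between the two user stores.

    orphaned        - VPN accounts that have no directory account at all
    disabled_in_os  - VPN accounts still enabled although the OS account is disabled
    missing_on_vpn  - enabled directory accounts with no VPN account (informational)
    """
    dir_by_name = {a.username: a for a in directory}
    vpn_by_name = {a.username: a for a in vpn}

    orphaned = sorted(u for u in vpn_by_name if u not in dir_by_name)
    disabled_in_os = sorted(
        u for u, v in vpn_by_name.items()
        if v.enabled and u in dir_by_name and not dir_by_name[u].enabled
    )
    missing_on_vpn = sorted(
        u for u, d in dir_by_name.items() if d.enabled and u not in vpn_by_name
    )
    return {
        "orphaned": orphaned,
        "disabled_in_os": disabled_in_os,
        "missing_on_vpn": missing_on_vpn,
    }


def accounts_to_disable(directory: List[DirectoryAccount],
                        vpn: List[VpnAccount]) -> List[str]:
    """VPN accounts that would permit an unauthorised connection and must be
    disabled: orphans plus accounts whose OS counterpart is already disabled."""
    findings = reconcile(directory, vpn)
    return sorted(set(findings["orphaned"]) | set(findings["disabled_in_os"]))


if __name__ == "__main__":
    for category, names in reconcile(DIRECTORY_ACCOUNTS, VPN_ACCOUNTS).items():
        print(f"{category:15s}: {', '.join(names) or '-'}")
    print("disable on VPN :", ", ".join(accounts_to_disable(DIRECTORY_ACCOUNTS, VPN_ACCOUNTS)))
```

With the constructed data the check flags `erin` as an orphaned VPN account and `bob` as enabled on the VPN although disabled in the OS; both are exactly the cases the threat describes, and both should be disabled on the VPN. The `missing_on_vpn` list (`dave`) is only an inconsistency, not a security exposure, and is reported for completeness. Running such a reconciliation on a schedule, or replacing the VPN's separate user database with the central authentication server, removes the organisational gap the threat relies on.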

Many VPN clients for remote access allow the data required for authentication to be stored locally after it has been entered the first time, so that users do not need to re-enter the data every time they want to establish a connection. However, this poses a potentially serious threat: if the VPN client is accessed without authorisation, the authentication mechanism can no longer fulfil its function. Under certain circumstances, this could allow unauthorised persons to access local networks that are reachable from the corresponding client over a VPN connection. The security of these local networks is therefore at risk.

Example: