T 3.41 Improper use of VPN services
Security problems can arise when a VPN is used, or in the environment surrounding the VPN, for example through violations of the security policies or through security-relevant misconfigurations caused by a lack of knowledge or by (usually unintentional) user errors. This risk is particularly high if the users have not been trained adequately.
In many cases, stationary and mobile IT systems on which VPN client software is installed are not only used to access a LAN. The Internet and e-mail are also often used over these IT systems, especially if the VPN connection was established over the Internet. In some cases, external networks are accessed, for example when field service employees open special connections to customer networks using mobile VPN clients. This can result in the following security problems:
- Attempts to establish unauthorised connections place an unnecessary load on the system because an authorisation check needs to be performed for every connection. This then consumes system resources. In combination with faulty configurations, this can lead to successful attempts to gain unauthorised access.
- VPN clients can be used to access the Internet, among other uses. If connections to the Internet are allowed without special security precautions, it may be possible under some circumstances to access the client computer from outside. An attacker could then attempt, for example, to disable data encryption or to change the VPN configuration data so that VPN communications are no longer secure. In this case, any software downloaded from the Internet and stored on the VPN client could also contain malicious code such as viruses or Trojan horses.
- External LANs such as customer networks or private home networks are often connected to other networks such as the Internet as well. When a VPN client logs in to such a network, uncontrolled access to the VPN client may be possible, depending on the security policies of the LAN administration (see also T 5.39 Infiltrating computer systems via communication cards).
Example:
- While on a business trip, an employee connected to the corporate network over the Internet. Before opening the VPN connection, he downloaded an executable file from a web server. In addition to its "official" functionality, the file also contained a malicious program routine that attempted to influence the security mechanisms of the VPN configuration (for example by disabling encryption). As a result, unauthorised persons could access data in the corporate network once they were able to open a VPN connection.
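As an added illustration of the tampering scenario above (not part of the original catalogue entry): a defender-side check that compares a VPN client profile against the hash of the profile the administrator distributed and flags directives that disable encryption or integrity protection. The OpenVPN-style directive names, the hostname and both sample profiles are constructed assumptions.

```python
import hashlib

# Constructed sample: client profile as distributed by the administrator
# (assumption: an OpenVPN-style text profile; hostname is a placeholder).
BASELINE_PROFILE = """\
client
remote vpn.example.invalid 1194
proto udp
cipher AES-256-GCM
auth SHA256
tls-auth ta.key 1
remote-cert-tls server
verb 3
"""

# Constructed sample: the same profile after a malicious routine disabled
# encryption and integrity checks and removed the TLS control-channel key.
TAMPERED_PROFILE = """\
client
remote vpn.example.invalid 1194
proto udp
cipher none
auth none
remote-cert-tls server
verb 3
"""

# Directive values that leave the tunnel without confidentiality or integrity.
WEAK_VALUES = {"cipher": {"none", "des-cbc", "rc2-cbc"}, "auth": {"none"}}
# Directives the administrator's policy requires to be present.
REQUIRED_DIRECTIVES = {"tls-auth", "remote-cert-tls"}


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def audit_profile(profile: str, baseline_digest: str) -> list[str]:
    """Return findings for a profile; an empty list means unchanged and sane."""
    findings = []
    if sha256(profile) != baseline_digest:
        findings.append("profile differs from administrator baseline")
    seen = set()
    for line in profile.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = line.split()
        seen.add(key)
        if key in WEAK_VALUES and args and args[0].lower() in WEAK_VALUES[key]:
            findings.append(f"weak setting: {line}")
    for directive in sorted(REQUIRED_DIRECTIVES - seen):
        findings.append(f"missing directive: {directive}")
    return findings


if __name__ == "__main__":
    digest = sha256(BASELINE_PROFILE)
    print(audit_profile(BASELINE_PROFILE, digest))  # []
    print(audit_profile(TAMPERED_PROFILE, digest))
```

Running the check before each tunnel is established, with the baseline digest stored outside the user-writable profile directory, turns the silent downgrade in the example into a refused connection and an alert.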