T 3.42 Insecure configuration of the VPN clients for remote access
The security of a virtual private network (VPN) depends on the secure configuration of the VPN server and VPN clients as well as on the correct use of the security mechanisms offered.
While the administrator bears full responsibility for configuring the server, the VPN clients are often used outside the government agency or company, especially in a remote access VPN. This means the clients can only be loosely integrated into the administrative procedures. Users may also be granted certain administrative rights, especially on mobile VPN clients, so that they can resolve VPN access problems by changing the VPN configuration parameters themselves or by following instructions provided over the telephone.
In general, the limited control available to system administration means there is a risk that the VPN clients are configured insecurely. Examples of this include:
- Users install unauthorised software on the VPN client; this software may have security gaps or be infected with computer viruses or Trojan horses.
- The settings for the VPN access security mechanisms are often left unset or are set incorrectly by the user.
In general, a virtual private network (VPN) can be configured, on the client and/or the server, so that only weak security mechanisms or none at all are used. With IPSec or SSL, for example, the mechanisms used for data encryption are negotiated dynamically between the client and the server when a connection is established. During negotiation, the client sends the server a list of the methods it supports, referred to as cipher suites, and the server then selects a method from this list. The list of usable methods can be modified by changing the configuration accordingly. An option for "no encryption" is usually available as well.
If the ability to establish unencrypted connections is not disabled when specifying the configuration, there is a general risk that the data will not be protected during transmission. This applies especially to VPN clients on which the users have the ability to adapt the configuration of the VPN to the local conditions in case of problems.
Example:
- One organisation specified that VPN communications should be secured using IPSec. The VPN server was set up so that users were asked whether they wanted to use IPSec encryption but were not forced to use it. The VPN clients could therefore establish potentially insecure connections. One VPN user did not want to accept the loss in performance on his rather old laptop resulting from the use of encryption. For this reason, he disabled the IPSec encryption option. After that, the VPN connection was established without encryption.
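The negotiation and the example above can be modelled in a few lines. This is an added illustration, not part of the original catalogue entry: the suite names are real IANA TLS identifiers, while the sample lists, the function names and the choice of server preference order are assumptions made for the sketch.

```python
# Added example: models cipher-suite negotiation with a "no encryption" option.
# Suite names are real IANA TLS identifiers; the lists below are constructed
# sample configurations and the function names are hypothetical.

SERVER_PREFERENCE = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_NULL_SHA256",            # "no encryption" left enabled
]
CLIENT_DEFAULT = list(SERVER_PREFERENCE)
CLIENT_USER_EDITED = ["TLS_RSA_WITH_NULL_SHA256"]  # user switched encryption off


def is_unencrypted(suite):
    """True for suites that protect integrity but do not encrypt the payload."""
    return "_WITH_NULL_" in suite


def harden(suites):
    """Return the list with every 'no encryption' option removed."""
    return [s for s in suites if not is_unencrypted(s)]


def negotiate(client_offer, server_allowed):
    """Server selects its most preferred suite that the client also offered.

    Returns the chosen suite, or None when there is no overlap and the
    connection has to be refused.
    """
    for suite in server_allowed:
        if suite in client_offer:
            return suite
    return None


def audit(name, suites):
    """List findings for one endpoint's configured suite list."""
    return [f"{name}: unencrypted suite enabled: {s}"
            for s in suites if is_unencrypted(s)]


if __name__ == "__main__":
    for finding in audit("server", SERVER_PREFERENCE):
        print(finding)
    # Weak server: the user-edited client gets a connection without encryption.
    print("weak server     ->", negotiate(CLIENT_USER_EDITED, SERVER_PREFERENCE))
    # Hardened server: the same client is refused instead of being downgraded.
    print("hardened server ->", negotiate(CLIENT_USER_EDITED, harden(SERVER_PREFERENCE)))
```

With the unencrypted option removed on the server, a client whose user has disabled encryption fails to connect, which surfaces the misconfiguration instead of silently transmitting data in the clear.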