T 4.70 Insecure default settings on VPN components

The standard settings of VPN components do not always exhibit the characteristics of a secure installation. In many cases, the manufacturers pay more attention to user-friendliness and problem-free integration into existing systems than to security. Poor adaptation to the actual security requirements can thus lead to avoidable vulnerabilities, and therefore expose critical points of attack.

Since the encryption of a VPN channel, when used correctly, can only be cracked after expending considerable effort, the VPN end points are a simple starting point for breaking in to a network. To prepare for an attack, an attacker would first obtain all information available on the VPN. There are special tools available in the Internet that make it easier to perform such analyses.

Example:

• A newly purchased VPN gateway was integrated into the internal network of one company by the administrator. Since it immediately provided its services after booting using the default settings, the administrator did not change any of the default settings. However, the product also permitted remote administration by default, and the default password for remote administration was well known. Because so many users already knew the default password, its use threatened the secure operation of the internal site network.