T 5.93 Permitting use of VPN components by third parties
If unauthorised persons are allowed to use the components of a virtual private network (VPN), in violation of the current authorisation concept, the security of the VPN can no longer be guaranteed (see also T 3.30 Unauthorised private use of telecommuting workstations). This poses the following threats, especially to remote access VPNs:
- VPN access can be used without authorisation if the security policies are not followed. For example, it happens again and again that administrators allow unauthorised persons to dial in to the VPN out of misplaced friendliness (for example to use the Internet).
- VPN users provide authentication data or tokens to unauthorised third parties in order to grant them remote access to the LAN using their username and password. Possible reasons include passing such data or tokens to a colleague who is not authorised to use the VPN according to the VPN security concept or who has forgotten to submit a request to use the VPN before taking a business trip. The VPN user account is subsequently used by several different users, which means that in the event of damage it will be impossible to clearly identify the user who caused it.
- There are often problems in the area of telecommuting when the VPN client is used by family members or friends of family members. People from outside the organisation who work with the VPN client generally do not follow the security regulations which apply to the VPN client. This can have a negative impact on the security of the LAN in the organisation.
It can never be ruled out that the IT systems located at a remote site will be used by people outside the organisation. Since such people also have physical access to the systems, it is possible that the systems have been manipulated. The security mechanisms could be bypassed in this manner.
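The shared-account case described in the list above (one VPN account used by several people) leaves a trace in the session records of the VPN gateway. The following is an added example, not part of the original catalogue text; the record layout, the device identifier field and all sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample VPN session records (not from a real gateway).
# Assumed layout: user, device_id, source IP, login time, logout time.
SAMPLE_SESSIONS = """\
alice,LAPTOP-A1,198.51.100.10,2024-03-04T08:00,2024-03-04T12:00
alice,LAPTOP-A1,198.51.100.10,2024-03-05T08:05,2024-03-05T11:30
bob,LAPTOP-B7,203.0.113.20,2024-03-04T09:00,2024-03-04T17:00
bob,HOME-PC-3,192.0.2.44,2024-03-04T10:15,2024-03-04T10:50
carol,LAPTOP-C2,203.0.113.77,2024-03-04T09:00,2024-03-04T10:00
carol,LAPTOP-C9,203.0.113.78,2024-03-06T14:00,2024-03-06T15:00
"""

def parse_sessions(text):
    """Group session rows by user as (start, end, device, ip) tuples."""
    sessions = defaultdict(list)
    for line in text.strip().splitlines():
        user, device, ip, start, end = line.split(",")
        sessions[user].append((datetime.fromisoformat(start),
                               datetime.fromisoformat(end), device, ip))
    return sessions

def find_shared_accounts(sessions):
    """Flag accounts whose usage pattern suggests more than one person.

    'concurrent'       : overlapping sessions from different devices
    'multiple_devices' : several devices, but never at the same time
    """
    findings = {}
    for user, rows in sessions.items():
        rows.sort()  # by login time
        devices = sorted({r[2] for r in rows})
        concurrent = False
        for i, (_, end1, dev1, _) in enumerate(rows):
            for start2, _, dev2, _ in rows[i + 1:]:
                if start2 >= end1:
                    break  # sorted by start, so no later row overlaps
                if dev1 != dev2:
                    concurrent = True
        if concurrent:
            findings[user] = ("concurrent", devices)
        elif len(devices) > 1:
            findings[user] = ("multiple_devices", devices)
    return findings

if __name__ == "__main__":
    for user, (kind, devs) in find_shared_accounts(parse_sessions(SAMPLE_SESSIONS)).items():
        print(f"{user}: {kind} on {', '.join(devs)}")
```

A finding is a lead for review against the VPN authorisation concept, not proof of misuse: a replaced laptop also produces a `multiple_devices` entry.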