S 2.415 Performing a VPN requirements analysis
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator, IT Security Officer
A requirements analysis should be conducted before a VPN connection is established between individual IT systems, between different locations of an organisation, or to customers. The goal of the requirements analysis is, on the one hand, to determine all operational scenarios that come into consideration for the specific case and, on the other hand, to derive the requirements for the hardware and software components needed. Special requirements for the VPN architecture or VPN components may be discovered by setting up and simulating usage scenarios.
The following items must be taken into consideration within the framework of this requirements analysis, amongst other things:
- Specification of the business processes:
Firstly, it must be clarified which business processes will use the virtual private network (VPN) and which information will be communicated using the network. The necessary requirements must be determined from the results and prioritised according to their importance to the company or government agency. It is also necessary to examine the applications supporting the business processes as well as the business processes themselves. Here, it is also necessary to document which applications are time-critical or bandwidth-intensive.
- Specification of the goals of application:
There are many different usage scenarios for VPNs, for example performing remote maintenance tasks, connecting individual employees, or connecting entire sites. For this reason, it is necessary to clarify which areas of application should be supported and which types of VPN should be used for this purpose (e.g. site-to-site, end-to-end, or end-to-site VPNs).
- Specification of the users:
It must be clarified which types of users will use the VPN (such as field service employees, employees on business trips, or employees at a branch office), which authorisations they have, and which knowledge they must possess. It must also be clarified how these users will be securely identified and authenticated.
- Regulation of responsibilities:
VPN components also need to be administered and maintained by trained personnel. When performing a VPN requirements analysis, it is therefore necessary to specify who is responsible for the administration and operation of the VPN at both ends of the connection. Furthermore, it must be clarified who should be informed when the VPN fails or when indications of a security incident are discovered. Technical personnel with the corresponding knowledge must be available to this end.
- Confidentiality and integrity:
Depending on the protection requirements in terms of confidentiality and integrity, special requirements are often placed on the VPN that can generally be covered by additional security safeguards. In many cases, there are already organisation-wide regulations or policies that must be taken into consideration when purchasing and operating VPN components. In order to transmit information with high protection requirements in terms of confidentiality and/or integrity, it is recommended to use VPN components certified according to the Common Criteria (see also S 2.66 The importance of certification for procurement). Examples of certified VPN components include the products of the SINA (secure inter-network architecture) product family. In addition to dedicated encryption gateways (SINA box) for establishing VPN connections, the SINA product family also contains user systems with integrated encryption functions (SINA client) as well as a management system.
- Availability:
It is often desirable, especially when networking a single site, to be able to exchange information over the VPN at any time and with sufficient speed. If the applications affected have higher protection requirements in terms of availability, these must be taken into consideration in the requirements analysis. Higher requirements regarding the availability of a VPN cannot always be covered using technical security safeguards, because VPNs are often established over networks that are not under the control of the organisation and over which it therefore has no influence.
- Restricting the networks:
Using VPNs, it is possible to combine different networks into one logical network through the use of a secure connection. Depending on the configuration, the VPN can allow all IT systems in a network to access all IT systems, or only certain IT systems, in the other networks. When performing the VPN requirements analysis, the organisation must decide from which locations the VPN may be used, which networks may be accessed over it, and which IT systems may be accessed.
- Selecting the applications and protocols used:
Different kinds of information can be sent and received over a VPN. For example, it is possible to send e-mails, copy files, or access a web server. In addition to these classic services, it is also usually possible to work on a terminal server or make telephone calls via VoIP. For this reason, it should be specified which applications may be used via a VPN and which may not. It is not only necessary to decide which applications are allowed, but also the protocols with which the information may be transmitted. For example, an organisation may specify that network shares may only be integrated using SMB instead of NFS.
- Bandwidth and delay:
A VPN allows access to applications in a remote network. Since VPN connections are often established over a WAN, special prerequisites must be taken into consideration for time-critical applications, particularly in terms of the available bandwidth and the delays during transmission. This affects access to terminal servers and telephony via VoIP, for example. The VPN requirements analysis should take into account the required bandwidths, the permissible delay, and, if necessary, additional quality features of the network.
- Geographic restrictions:
A VPN can be used by mobile employees to dial in to the LAN of the organisation from any location while on the road. If this is not desired, it should be specified where the LAN may be accessed from. This may also be enforced technically. For example, it is possible to allow only the IP addresses of one or more providers. In the case of a dial-up connection, it is possible to filter based on the country code. It must be noted, though, that these technical access restrictions are not absolutely reliable. In addition, corresponding organisational rules must be established for the users.
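The three items "Restricting the networks", "Selecting the applications and protocols used" and "Geographic restrictions" all end up as a filter that a VPN gateway or the firewall behind it enforces. The following script is an added illustration, not part of the BSI catalogue and not a product configuration: it encodes such a restriction policy as data and evaluates sample connection requests against it. All address ranges (RFC 5737 documentation networks), network segments and the request samples are constructed; the names `evaluate`, `Request` and `summarise` are assumptions of this example.

```python
"""Evaluate VPN connection requests against a constructed restriction policy.

Added example (not from the BSI catalogue). It checks the three technical
restrictions the requirements analysis must fix: where a session may come
from, which internal networks may be reached, and which protocol/port pairs
are released. All values below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Geographic restriction: only address ranges of approved providers may
# establish a session (hypothetical provider ranges, RFC 5737 space).
ALLOWED_SOURCE_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),   # hypothetical provider A
    ipaddress.ip_network("203.0.113.0/25"),    # hypothetical provider B
]

# Network restriction: internal segments released for access via the VPN.
ALLOWED_DEST_NETWORKS = [
    ipaddress.ip_network("10.10.0.0/16"),      # constructed: file services
    ipaddress.ip_network("10.20.5.0/24"),      # constructed: terminal servers
]

# Application/protocol restriction: released (protocol, port) pairs.
# SMB is released; NFS (tcp/2049) is deliberately absent, matching the
# "SMB instead of NFS" rule given in the measure.
ALLOWED_SERVICES: Dict[Tuple[str, int], str] = {
    ("tcp", 445): "SMB file shares",
    ("tcp", 3389): "terminal server (RDP)",
    ("udp", 5060): "VoIP signalling (SIP)",
}


@dataclass(frozen=True)
class Request:
    """One connection attempt arriving through the VPN (constructed)."""
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


def evaluate(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Checks are ordered: source, destination, service."""
    try:
        src = ipaddress.ip_address(req.src_ip)
        dst = ipaddress.ip_address(req.dst_ip)
    except ValueError:
        # Malformed addresses are denied rather than passed through.
        return False, "malformed address in request"
    if not any(src in net for net in ALLOWED_SOURCE_RANGES):
        return False, "source address outside approved provider ranges"
    if not any(dst in net for net in ALLOWED_DEST_NETWORKS):
        return False, "destination network not released for VPN access"
    key = (req.proto.lower(), req.dst_port)
    if key not in ALLOWED_SERVICES:
        return False, f"protocol/port {key[0]}/{key[1]} not on the released list"
    return True, f"allowed: {ALLOWED_SERVICES[key]}"


def summarise(reqs: List[Request]) -> Dict[str, int]:
    """Count decisions per reason; useful as a quick policy self-check."""
    counts: Dict[str, int] = {}
    for r in reqs:
        _, reason = evaluate(r)
        counts[reason] = counts.get(reason, 0) + 1
    return counts


# Constructed sample requests covering each branch of the policy.
SAMPLE_REQUESTS = [
    Request("198.51.100.17", "10.10.3.4", "tcp", 445),     # SMB from provider A
    Request("198.51.100.17", "10.10.3.4", "tcp", 2049),    # NFS: not released
    Request("192.0.2.9", "10.10.3.4", "tcp", 445),         # unapproved source
    Request("203.0.113.5", "10.30.0.1", "tcp", 445),       # segment not released
    Request("203.0.113.200", "10.20.5.7", "tcp", 3389),    # outside provider B /25
    Request("203.0.113.5", "10.20.5.7", "udp", 5060),      # SIP to terminal segment
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        allowed, reason = evaluate(r)
        print(f"{'ALLOW' if allowed else 'DENY '} {r.src_ip} -> {r.dst_ip} "
              f"{r.proto}/{r.dst_port}: {reason}")
    print(summarise(SAMPLE_REQUESTS))
```

The policy is kept as plain data so that the documented result of the requirements analysis (released networks, released services, approved provider ranges) can be compared line by line with what the gateway actually enforces. As the measure itself notes, the source-address check is not absolutely reliable on its own, which is why the organisational rules for users remain part of the requirement.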
These aspects do not necessarily need to be examined for the entire organisation as a whole, but may also be applied individually to different locations or applications. In many cases, not every site will have the same priority, especially when several different locations are networked. For example, different requirements in terms of availability are placed on small sales offices than on the corporate headquarters. Likewise, the requirements for end-to-end VPNs differ from those for site-to-site VPNs. One approach is to classify the various types of applications based on their bandwidth, availability, confidentiality, integrity, and quality of service (QoS) requirements, for example.
The results of the requirements analysis must be documented and coordinated with the technical personnel. The technical requirements and the security objectives formulated in the information security policy influence the design of the VPN (see S 2.416 Planning the use of VPNs and S 2.417 Planning the technical VPN implementation) as well as its implementation.
Review questions:
- Has it been specified which business processes and applications the particular VPN will be used for and which information is allowed to be communicated using the network?
- Has it been specified which types of users are allowed to use the corresponding VPN, with which authorisations, and what knowledge is required?
- Have suitable procedures for identification and authentication been specified for the use of every VPN?
- Are the responsibilities and reporting paths for the operation and use of VPNs defined?
- Has it been specified for every VPN which networks are allowed to be accessed and from where?