S 2.416 Planning the use of VPNs
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator, IT Security Officer
Since the configuration of a VPN is a complex task, a structured approach is necessary. For this reason, careful planning is absolutely required before introducing a VPN in an organisation. This step is taken immediately after performing the requirements analysis (see S 2.415 Performing a VPN requirements analysis) and should be based on the knowledge gained from that analysis.
The following illustrates the most important questions that need to be answered within the framework of an organisational concept. Depending on the specific situation, additional rules will naturally have to be established and adapted specifically to the particular situation.
- The responsibilities (for installation, administration, examination, and monitoring) for the particular VPN should be specified. Depending on the organisational structure, it may be necessary to expand the responsibilities of the existing roles or create new roles (see also S 2.1 Specification of responsibilities and provisions).
- It must be specified how and by whom the user accounts and the access authorisations will be managed and administered (authorisation concept). A supplier connected via an extranet will need different access rights than a connected branch office.
It is advisable to define different user groups with different authorisations for VPN access. The individual users should be assigned to the groups using a corresponding requirements profile specifying the prerequisites a user needs to fulfil in order to become a member of a group. Possible prerequisites include the purpose of access (e.g. telecommuting, field service tasks, maintenance work), verification of specific knowledge (e.g. participation in training), and the permission of the superiors. How granting permission to use remote access is regulated must be decided within the organisation itself. In many cases, similar regulations already exist, for example for obtaining permission to access the internet, and these can then be adapted accordingly.
The granted system and data access authorisations must be documented and this documentation must be updated in the event of changes.
- For fixed remote locations (such as telecommuter workplaces), it is necessary to specify the requirements describing which demands (in terms of security and technical equipment, for example) must be met by the remote workplaces so that permission can be granted for VPN connections from these workplaces into the LAN of the organisation. The concept could provide for the initial examination and the periodically repeated examinations of the rooms and technology installed there and regulate how and by whom these examinations will be conducted.
The operating sites of VPN clients are seldom under the control of the LAN operator and therefore pose an especially high risk. In comparison to stationary clients, mobile clients are subject to additional threats (e.g. shoulder surfing, theft of the device, untrusted networks). Not every location that fulfils the technical prerequisites for establishing VPN connections is actually suitable for this purpose. For this reason, rules must be established specifying the locations from which VPN connections to the destination LAN may be established. Depending on the operational scenario planned, it may make more sense to keep a negative list of particularly unsuitable locations. This list could include locations such as hotel foyers, hotel business centres, or public transportation.
- If the security of a VPN access point is violated, the entire LAN can be compromised as a result. For this reason, procedures must be specified for VPN administration that describe the change process for changes to the VPN configuration (example: request change, examination of the planned configuration, execution, examination of the change made).
- Another important point when designing the VPN is the basic question of whether or not the VPN needs to be implemented and operated by the organisation itself or if the implementation and/or operation should be outsourced instead. Many service providers are highly competent and have years of experience in the planning, configuration, and operation of VPNs. However, it is not always advantageous or desired to hand over the entire operation of a VPN to a service provider. When a VPN is outsourced, the requirements in module S 1.11 Outsourcing must be taken into account.
- The protection requirements of the VPN must be determined. They are derived from the protection requirements of the information transmitted using the network as well as the IT components connected to the network. It is also necessary in this regard to determine the impact of the unavailability of the system and the length of the downtimes considered acceptable.
The requirements placed on the VPN security mechanisms (e.g. authentication and ensuring data integrity) must be defined. It must also be examined in this context whether the use of strong encryption procedures is legal at all locations connected to the VPN, since restrictions on the import, export, and use of cryptography differ between countries.
- If external suppliers or customers are connected to the VPN, different security zones must be defined so that a connected partner is not placed in the same zone as internal users. Only the access actually needed by the users should be permitted from inside each security zone; everything else should be denied by default.
- To prevent misuse, the rights and duties of the VPN users must be defined in the VPN security policy. The VPN users must also make a binding promise to follow the security regulations.
- Since special security risks are posed by the normally insecure environment of a VPN client when accessing a LAN remotely, every VPN user should receive special training. On the one hand, this training should make users aware of the specific VPN threats and, on the other hand, train them in the handling of the technical devices and software. If authentication tokens will be used, the users also need to be informed on how to handle them properly.
Likewise, the administrators must also be thoroughly trained on the products used, and the VPN security risks and the corresponding security safeguards must be explained to them.
- The administrators must not only have enough time available to operate the VPN, but also need time to search for information on current VPN security gaps, to design safeguards to increase the level of information security when operating the VPN, and to become familiar with new components.
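The authorisation concept (user groups with a requirements profile and documented access rights) and the security zones for external partners described above can be expressed as a small default-deny decision model. The following is an added example, not part of the BSI catalogue text and not a product configuration: all group names, zones, users, and addresses are constructed for illustration, and the prerequisites (purpose of access, completed training, approval by a superior) are the ones the text names.

```python
"""Added example: a VPN authorisation concept as data plus a default-deny
access decision. Groups, zones, users and addresses are hypothetical."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    """One permitted destination network (CIDR) and its allowed ports.
    An empty port tuple means all ports (used for the site-to-site case)."""
    network: str
    ports: Tuple[int, ...] = ()


@dataclass(frozen=True)
class Group:
    """A VPN user group: its security zone, the requirements profile for
    membership and an explicit allow-list of destinations."""
    name: str
    zone: str
    purpose: str              # purpose of access that qualifies for this group
    training_required: bool
    approval_required: bool   # membership needs a superior's approval
    rules: Tuple[Rule, ...]


@dataclass(frozen=True)
class User:
    name: str
    group: str
    purpose: str
    trained: bool
    approved_by: str = ""     # empty: no superior approval recorded


# Constructed authorisation concept (hypothetical groups, zones, addresses).
CONCEPT: Dict[str, Group] = {
    "telecommuter": Group("telecommuter", "internal", "telecommuting", True, True,
                          (Rule("10.1.0.0/16", (443, 445)),)),
    "supplier-extranet": Group("supplier-extranet", "extranet", "maintenance", True, True,
                               (Rule("10.9.5.0/24", (22,)),)),
    "branch-office": Group("branch-office", "site-to-site", "branch connection", False, False,
                           (Rule("10.0.0.0/8"),)),
}

# Constructed user records; "bob" has not completed the required training.
USERS: Dict[str, User] = {
    "anna": User("anna", "telecommuter", "telecommuting", True, "head-of-it"),
    "bob": User("bob", "telecommuter", "telecommuting", False, "head-of-it"),
    "vendor-svc": User("vendor-svc", "supplier-extranet", "maintenance", True, "it-sec-officer"),
    "branch-gw": User("branch-gw", "branch-office", "branch connection", False),
}


def check_membership(user: User, concept: Dict[str, Group]) -> Tuple[bool, str]:
    """Verify that the user still fulfils the requirements profile of its group."""
    group = concept.get(user.group)
    if group is None:
        return False, f"group {user.group!r} is not defined in the authorisation concept"
    if user.purpose != group.purpose:
        return False, f"purpose {user.purpose!r} does not match group purpose {group.purpose!r}"
    if group.training_required and not user.trained:
        return False, "required VPN training not completed"
    if group.approval_required and not user.approved_by:
        return False, "no approval by a superior recorded"
    return True, f"member of {group.name}"


def authorise(user_name: str, dst_ip: str, dst_port: int,
              users: Dict[str, User] = USERS,
              concept: Dict[str, Group] = CONCEPT) -> Tuple[bool, str]:
    """Decide one VPN access request. Anything not explicitly listed for the
    user's group is denied, so a supplier in the extranet zone can never reach
    an internal network the concept does not name."""
    user = users.get(user_name)
    if user is None:
        return False, "unknown user"
    ok, reason = check_membership(user, concept)
    if not ok:
        return False, reason
    group = concept[user.group]
    dst = ip_address(dst_ip)
    for rule in group.rules:
        if dst in ip_network(rule.network) and (not rule.ports or dst_port in rule.ports):
            return True, f"permitted: zone {group.zone}, rule {rule.network} ports {rule.ports or 'any'}"
    return False, f"default deny: {dst_ip}:{dst_port} not authorised for group {group.name}"


def document_authorisations(users: Dict[str, User], concept: Dict[str, Group]) -> List[str]:
    """Render the granted access authorisations as tab-separated lines: the
    documentation the concept requires, regenerated whenever the data changes."""
    lines = []
    for user in sorted(users.values(), key=lambda u: u.name):
        group = concept[user.group]
        for rule in group.rules:
            ports = ",".join(map(str, rule.ports)) or "any"
            lines.append(f"{user.name}\t{group.name}\t{group.zone}\t{rule.network}\t{ports}")
    return lines


if __name__ == "__main__":
    for req in [("anna", "10.1.20.7", 443), ("vendor-svc", "10.1.20.7", 443),
                ("bob", "10.1.20.7", 443), ("branch-gw", "10.200.1.1", 3389)]:
        print(req, authorise(*req))
    print("\n".join(document_authorisations(USERS, CONCEPT)))
```

Keeping the concept as data rather than as scattered device rules makes the two review questions on documentation answerable directly: `document_authorisations` is the record of granted authorisations, and a change to `CONCEPT` or `USERS` is the change that the VPN change process has to request, examine, and approve.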
The VPN plan must be submitted to management for approval. All decisions must be documented comprehensibly.
Review questions:
- Have the responsibilities for operating the VPN been defined?
- Has it been specified how and by whom the user accounts and the access authorisations for VPN operations will be managed and administered?
- Are the protection requirements in terms of confidentiality, integrity, and availability known for every VPN?
- Have all VPN users been trained adequately with respect to VPN usage and obliged to follow the security policies?
- Have the access capabilities to be granted to external VPN users been specified?
- Have the system and data access authorisations granted been documented and adapted in the event of changes?
- Have the requirements for VPN access to be met by remote workplaces been defined?
- Has a change management system been set up for the VPN?