S 2.417 Planning the technical VPN implementation
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator, IT Security Officer
In addition to the organisational and personnel planning addressed in S 2.416 Planning the use of VPNs, the introduction of a VPN also requires decisions on a series of technical aspects. These decisions must be made before procurement and form the foundation for the subsequent VPN implementation. During the technical planning phase, all general conditions arising from the current technical situation must be taken into account in order to avoid incompatibilities.
The following list covers the most important questions to be answered in the technical concept. Depending on the specific situation, additional rules will have to be established and adapted to it.
- It should be described how the VPN will be implemented technically by the hardware and software components. The components are only defined in terms of their function. During a subsequent analysis of the existing system components and the new components available for purchase on the market, the elements of the concept can be associated with actual devices and software products (see S 2.419 Selection of suitable VPN products).
- All potential VPN endpoints allowing users to dial in to the LAN and the access protocols used for this purpose must be described.
- All VPN access points to the local network must be documented within the framework of the security concept, and it is also necessary to describe how these access points will be connected to the LAN (see also module S 3.1 Security gateway (firewall)). The security concept must analyse which subnetworks are accessible when using VPN access based on the current network structure. Consideration should be given to forming dedicated access networks so that access to the productive network is only possible in a controlled manner (using routers, packet filters, or internal firewalls). The formation of access networks requires additional hardware and software to be purchased and maintained (see also S 5.77 Establishment of subnetworks).
- All services and protocols that will be allowed to be used for VPN access as well as the resources that can be accessed through them must be documented. The selection depends on the applications which will be used. For time-critical data traffic, it may be necessary to implement QoS (Quality of Service), MPLS (Multiprotocol Label Switching), or dedicated lines.
- Suitable encryption procedures for the protection of the data must be specified. The following encryption procedures are relevant, amongst others:
  - Tunnelling: Communication can be encrypted in a lower layer of the protocol (referred to as tunnelling, see S 5.76 Use of suitable tunnel protocols for VPN communication). A suitable method must be selected for this purpose. Conventional VPNs provide such procedures by default, although the procedures available vary greatly in terms of their number and type.
  - TLS/SSL encryption: TLS/SSL can also be used for encryption if encryption cannot be used in a lower protocol layer for certain reasons. This applies especially to web server or e-mail server access through a browser, as browsers support communication secured using TLS/SSL by default. In this case, safeguard S 5.66 Use of TLS/SSL should also be taken into account.
  - Encryption using network switching elements: In addition to securing communications using software, consideration could also be given to using encrypting network switching elements (routers, modems). This especially makes sense for stationary use and to connect several computers since encryption is performed in a separate device and does not place a load on the end systems. It must be noted, though, that the network switching elements must be configured and maintained with great care. Encryption is also necessary to protect the data when using a direct dial-in procedure, for example over analogue telephone networks or ISDN connections.
- Safeguard S 3.65 Introduction to basic VPN terminology presents the various types of VPNs. It is necessary to decide which type of VPN will be implemented based on the requirements.
- The organisation must decide whether or not the connection will be implemented using a dedicated carrier line. This decision generally has a significant impact on the cost.
- Suitable monitoring systems should also be planned in order to guarantee stable operations and continuous improvement. The knowledge gained from the monitoring systems is essential to fine-tune VPN operations (see S 4.321 Secure operation of a VPN).
The VPN plan must be submitted to management for approval.
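The documentation requirements above (accessible subnetworks, permitted services) can be checked against the packet filter that separates the access network from the LAN. The following Python example is added here and is not part of the safeguard; the addresses, subnetwork names, rule format and the allow-only, default-deny filter model are constructed assumptions.

```python
import ipaddress

# Constructed sample data (assumptions for illustration only).
VPN_POOL = ipaddress.ip_network("10.99.0.0/24")  # dedicated VPN access network
SUBNETS = {
    "servers": ipaddress.ip_network("10.10.0.0/24"),
    "clients": ipaddress.ip_network("10.20.0.0/22"),
    "management": ipaddress.ip_network("10.30.0.0/24"),
}
# From the VPN concept: subnetwork -> services permitted over the VPN.
DOCUMENTED = {"servers": {("tcp", 443), ("tcp", 993)}}
# Packet filter between access network and LAN: allow rules, default deny.
RULES = [
    {"src": "10.99.0.0/24", "dst": "10.10.0.0/24", "proto": "tcp", "port": 443},
    {"src": "10.0.0.0/8", "dst": "10.30.0.0/24", "proto": "tcp", "port": 22},
]

def reachable(pool, subnets, rules):
    """Map each subnetwork to the services VPN clients can reach in it."""
    reach = {}
    for rule in rules:
        # A rule applies if its source range covers any VPN client address.
        if not ipaddress.ip_network(rule["src"]).overlaps(pool):
            continue
        dst = ipaddress.ip_network(rule["dst"])
        for name, net in subnets.items():
            if dst.overlaps(net):
                reach.setdefault(name, set()).add((rule["proto"], rule["port"]))
    return reach

def compare(reach, documented):
    """List deviations between the filter rules and the documented concept."""
    findings = []
    for name in sorted(set(reach) | set(documented)):
        actual, planned = reach.get(name, set()), documented.get(name, set())
        findings += [("undocumented", name, s) for s in sorted(actual - planned)]
        findings += [("not implemented", name, s) for s in sorted(planned - actual)]
    return findings

if __name__ == "__main__":
    for kind, subnet, (proto, port) in compare(
            reachable(VPN_POOL, SUBNETS, RULES), DOCUMENTED):
        print(f"{kind}: {subnet} {proto}/{port}")
```

The overly broad source range in the second rule is what exposes the management subnetwork to VPN clients even though the concept never mentions it.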
Review questions:
- Is the technical implementation of the VPN documented?
- Has the encryption procedure to be used in the VPN been specified?
- Have the requirements for the carrier network been specified?
- Have the VPN endpoints and the permitted access protocols been specified?
- Have the services, protocols, and resources permitted for use over the corresponding VPN been defined?
- Has it been specified which subnetworks are accessible through the VPN?
- Has it been specified how the VPN will be monitored?