S 2.418 Drawing up a security policy for the use of VPNs
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Head of IT, Administrator, IT Security Officer
Suitable security policies must be established for the use of VPN components in government agencies and companies. These VPN-specific security policies must conform to the general security concept and the general security policies of the organisation. They must be checked regularly to ensure they are up to date and modified if necessary. The VPN-specific rules can be added to the existing guidelines or can be collected in a separate guideline. A VPN security policy should contain the following aspects, amongst other things:
- It should describe who is permitted to install, configure, and use VPN components in the organisation. For this, numerous general conditions must be specified, for example:
  - which information may be transmitted using VPNs,
  - where the VPN components are allowed to be used, and
  - which other internal or external networks or IT systems are allowed to be accessed using a VPN.
- Security safeguards and a standard configuration must be specified for all VPN components.
- All VPN users should be instructed to inform the person responsible for security whenever a security problem is suspected, so that this person can take further steps (see also S 6.8 Handling of security incidents).
- The administrators as well as the users of VPN components should be informed and/or receive training on the VPN threats and the corresponding security safeguards to follow.
The correct implementation of the security safeguards described in the VPN security policy should be checked regularly.
User guidelines for VPN usage
To prevent overloading users with too many details, it may make sense to create a separate VPN user guideline in the form of an instruction sheet, for example. In this case, the user guideline should contain short descriptions of the special aspects related to VPN usage, for example:
- which other internal and external networks or IT systems the VPN client is allowed to connect to,
- under which general conditions clients are permitted to log in to an internal or external VPN,
- what steps must be taken if it is suspected that a VPN client has been compromised, and in particular, who needs to be informed in this case.
Users should be made aware that VPNs are only allowed to be established from suitable locations and only using the IT components allowed for this purpose by the organisation. Depending on where the VPN is used, unsuitable locations could include hotel foyers, hotel business centres, or means of public transportation, but IT systems administered by outsiders could also be unsuitable (see S 4.251 Working with external IT systems). It is also important to clearly describe how to handle security solutions on the clients. This includes, for example, rules stating that
- security-related configurations must not be changed,
- passwords must not be saved on the client unless they are saved using a password storage tool that has been approved for use by the organisation (see S 4.306 Handling of password storage tools),
- a virus scanner must always be activated,
- an existing personal firewall must not be disabled (see also S 5.91 Use of personal firewalls for clients),
- the configuration of the VPN clients must only be changed by the administrators appointed for this purpose and not by the users, and
- all shared directories or services must be deactivated or at least protected by good passwords.
In addition, the user guideline should state which data may be used and transmitted via the VPN and which data may not. This applies in particular to the handling of sensitive information, such as classified material. Users should be sensitised to VPN threats and be familiar with the contents and consequences of the VPN guideline.
Guidelines for administrators of a VPN
In addition, VPN-specific guidelines for administrators should be created, which can then serve as the basis for training the administrators. These guidelines should specify who is responsible for the administration of the various VPN components, which interfaces exist between the administrators responsible for operations, and when which information must flow between the persons in charge. It is common for one organisational unit to be responsible for operating the server components while a different organisational unit supports the VPN clients or handles identity and authorisation management. The VPN guidelines for administrators should also cover the essential aspects of operating a VPN infrastructure, for example:
- specification of a secure VPN configuration and definition of secure standard configurations,
- suitable administration of all VPN components,
- selection and configuration of cryptographic methods including key management,
- regular assessment of log files, at least on the servers,
- initial operation of replacement systems,
- safeguards when the VPN has been compromised.
All VPN users, both general users and administrators, should confirm with their signature that they have read the contents of the VPN security policy and will follow the instructions defined in the security policy. No one should be allowed to use the VPN without this written confirmation. The signed declarations should be kept in a suitable location, for example in the personnel file.
Review questions:
- Is there an up-to-date VPN security policy?
- Does every VPN user have a copy of the VPN guidelines or an instruction sheet with an overview of the most important security mechanisms?
- Is the security policy for VPN usage explained to the users as part of the training measures on security safeguards?