S 2.419 Selection of suitable VPN products
Initiation responsibility: Top Management
Implementation responsibility: IT Security Officer, Top Management
Companies and government agencies place a wide variety of requirements on networks, for example that the network must connect different locations or connect mobile employees or telecommuters to the internal network. The requirements vary correspondingly between organisations and must be taken into consideration when selecting VPN products. The results of safeguards S 3.65 Introduction to basic VPN terminology and S 2.416 Planning the use of VPNs must also be considered.
VPN products differ in terms of their scope of functions, security mechanisms offered, ease of use, and efficiency. In addition, they place different requirements on hardware and software components in the operational environment.
Before purchasing a VPN product, a list of requirements should be developed to help assess the products available on the market. A sound purchase decision can then be made based on the assessment.
If a service provider is contracted to provide a VPN, it is generally impossible to influence the way the products operated by the service provider are selected. Information on how to select VPN service providers can be found in S 2.420 Selecting a trusted VPN service provider.
A VPN usually consists of a combination of several hardware and software components. The components fall roughly into two types: LAN components and client components. The specific components to be purchased depend on the VPN system architecture selected. In large organisations, several VPN connections are operated simultaneously for different purposes. Special IT systems (hardware and software) which have been specifically designed to be used as a VPN server are generally needed to achieve this.
Various manufacturers offer VPN components in the form of appliances. Appliances are preconfigured devices that are manufactured and configured for only one specific purpose (in this case: as VPN endpoints). Appliances often offer the advantage of simpler configuration in comparison to building a central VPN component from standard IT components that need to be configured accordingly (by the organisation itself or by a service provider). On the other hand, most of them have the disadvantage that the configuration is less flexible and there is less scope for tailoring to individual requirements.
The following basic security functions must be fulfilled when selecting VPN products:
- Identification, authentication, and authorisation:
This includes mutual identification and authentication between systems, of systems towards users, and of users towards systems. It must be possible to assign different rights profiles to different user IDs. An adequately strong and accepted authentication procedure should be available. Remote accesses should be secured using strong authentication.
It must also be possible to implement the access rights specified by the organisation in the VPN components.
- Quality of service (QoS):
In the context of network gateways, the term quality of service is understood to refer to the monitoring and control of the communications allowed to pass through a security gateway. A suitable product must be able to fulfil all requirements defined when designing the VPN and allow the prioritisation of business-critical applications.
- Secure transmission:
Functions securing the confidentiality and integrity of the data are used to secure transmissions. In addition, it is also necessary to guarantee the authenticity of the communication partner. In doing so, it is important for the product to offer secure and state-of-the-art cryptographic mechanisms (see S 2.164 Selection of a suitable cryptographic procedure). When planning and implementing the VPN, it is also necessary to consider integrating the VPN endpoints into a security gateway.
- Key management:
Suitable functions must be available for key management to manage, distribute, and possibly even create secret and public keys for the cryptographic mechanisms. The products selected should be as flexible as possible and allow seamless integration into a wide variety of different technologies.
The following list provides an overview of possible general evaluation criteria, but it is by no means complete and additional general requirements can be added to it. In addition to the criteria listed in the overview, it is also necessary to develop other specific requirements resulting from the actual operational scenarios planned (see safeguard S 2.415 Performing a VPN requirements analysis).
General criteria
- Performance and scalability
  - Can the product meet the performance requirements?
  - Does the product offer functions for load distribution?
  - Can the products compress and decompress the information to be transmitted?
  - Will the product be able to handle a future need for growth (e.g. by means of a modular system design, easy integration of new VPN servers, common user administration system for all VPN accesses)?
- Maintainability
  - Is the product easy to maintain?
  - Does the manufacturer offer software updates regularly?
  - Is a maintenance contract offered for the product?
  - Can maximum response times for eliminating problems be specified within the framework of the maintenance contracts?
  - Does the manufacturer offer competent technical customer service (call centre, hotline) able to provide help immediately in case of problems?
- Reliability/failure safety
  - How reliable and fail-proof is the product?
  - Does the manufacturer also offer high-availability solutions?
  - Can the product be used in continuous operations?
- User-friendliness
  - Is the product easy to install, configure and use?
  - Does the product meet the currently valid ergonomics regulations?
  - Is the user interface, especially of the VPN client, designed in such a way that inexperienced users can also work with it without having to accept a reduction in the level of security (e.g. using context-sensitive help, online documentation, and detailed error messages)?
  - Can the use of the VPN clients be configured in such a way that the users are only burdened with as few technical details as possible? Is security guaranteed at all times in spite of this?
Functions
- Installation and initial operation
  - Is it possible to automate the installation of the VPN client software using predefined configuration parameters?
  - Can the VPN client software also be installed by less skilled employees?
  - Can important configuration parameters be protected against being changed by the users?
  - Does the product work together with common hardware and software (operating systems, expansion cards, and drivers)?
  - Is the VPN compatible with common system management systems?
- Response in the event of an error
  - Is VPN access security also guaranteed after a critical error?
  - Is it possible to configure how the system should respond in the event of a critical error? For example, is there an option for enabling an automatic restart or informing the administrator in case of a critical error?
- Administration
  - Does the documentation supplied with the product contain exact descriptions of all technical and administrative details?
  - Is there an intuitive graphical user interface for administration purposes? Is the administrative interface designed in such a way that it points out incorrect, insecure, or inconsistent configurations or prevents these?
  - Does the product also offer a command line-based interface in addition to a graphical administration interface?
  - Are the administrative functions protected by adequate access control mechanisms?
- Logging
  - Does the product offer suitable functions for logging?
  - Is it possible to configure the level of detail recorded in the logs and specify which types of events will be logged? Does the logging function record all relevant data?
  - Can the logged data be recorded in such a way that it is possible to summarise the data according to different categories (based on the connection, the user, the protocol, or the service offered)?
  - Is the logged data also equipped with access protection?
  - Can the logged data be stored on remote computers (central logging function) and not only locally? Are common procedures for storing the logged data remotely offered so that external systems can also be used for logging purposes (e.g. syslog)? Is it possible to transmit the logged data securely?
  - Does the product offer easy-to-use functions for the evaluation of the logged data?
  - Does the logging functionality work with the system management system used, especially in terms of transmission format and transmission protocol?
  - Does the product also offer the possibility of informing the administrator of certain events or of implementing suitable safeguards automatically? For example, it is often useful to lock a user account after several consecutive failed authentication attempts for that account.
  - Can the logging functionality be adapted to the specific data protection laws applying to the organisation as well as to the data protection rules of the organisation itself?
- Communication and data transmission
  - Do the LAN components of the VPN product support all relevant network technologies (e.g. Ethernet, ATM)?
  - Do the WAN components of the VPN product support all access technologies planned (e.g. ISDN, mobile telephones, analogue telephone lines, X.25)?
  - Is the number of VPN clients that may simultaneously dial in to the VPN server sufficient?
  - Does the VPN product support the common protocols for remote access using telecommunication networks (e.g. PPP, SLIP)?
  - Does the VPN product support the common service protocols for remote access (e.g. TCP/IP)?
  - Are the common tunnel protocols (e.g. PPTP, L2F, IPSec, SSL) supported for internet-based access?
  - Does the VPN product offer additional, technology-dependent mechanisms (e.g. channel bundling for ISDN, an option allowing the VPN server to call the VPN client back) depending on the access technology used?
- Security: communication, authentication, and access
  - Does the product offer suitable functions for securing data transmissions?
  - Are communications secured using standardised mechanisms?
  - Are all cryptographic procedures used well-established and are they the state of the art in cryptography technology?
  - Does the product architecture allow for the subsequent installation of new security mechanisms?
  - Does the product offer suitable functions for user authentication before allowing the user to access local resources?
  - Is it possible to combine several different authentication mechanisms?
  - Is the system architecture designed in such a way that new authentication mechanisms can be integrated later on?
  - Does the VPN allow the use of one or more common external authentication services such as SecurID, TACACS+, or RADIUS?
  - Is it possible to integrate additional external authentication services?
Once all requirements on the product to be purchased have been documented, it is necessary to examine the products available on the market to determine the extent to which they fulfil these requirements. You cannot expect every product to fulfil all requirements at the same time or with the same quality. For this reason, the individual requirements should be weighted according to their relevance to the organisation. Similarly, it is also possible to divide the degree of fulfilment of a requirement by the particular product into several different levels. The product evaluation performed can then be used as the basis for making a sound purchase decision.
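The weighted evaluation described above can be sketched as follows; this is an added example, not part of the original safeguard. The 0 to 3 fulfilment scale, the weights, the minimum level of 2, the requirement keys and the product names are all constructed assumptions, and treating the four basic security functions as knock-out criteria is this example's reading of "must be fulfilled".

```python
MAX_LEVEL = 3  # assumed scale: 0 = not met, 1 = partly, 2 = largely, 3 = fully met

# The four basic security functions the safeguard says must be fulfilled.
MANDATORY = ("authentication", "qos", "secure_transmission", "key_management")

# Constructed weights: 1 = nice to have ... 5 = critical to the organisation.
WEIGHTS = {"authentication": 5, "qos": 3, "secure_transmission": 5,
           "key_management": 4, "central_logging": 4, "scalability": 3,
           "automated_client_install": 2}

def evaluate(fulfilment, min_level=2):
    """Return (eligible, score_percent, mandatory_gaps) for one product."""
    for key, level in fulfilment.items():
        if key not in WEIGHTS or not 0 <= level <= MAX_LEVEL:
            raise ValueError(f"bad assessment entry: {key}={level}")
    # A requirement that was never assessed counts as level 0 (not met).
    gaps = [k for k in MANDATORY if fulfilment.get(k, 0) < min_level]
    achieved = sum(w * fulfilment.get(k, 0) for k, w in WEIGHTS.items())
    score = round(100 * achieved / (MAX_LEVEL * sum(WEIGHTS.values())), 1)
    return (not gaps, score, gaps)

def rank(products):
    """Split products into a ranked shortlist and the rejected remainder."""
    shortlist, rejected = [], []
    for name, fulfilment in products.items():
        eligible, score, gaps = evaluate(fulfilment)
        if eligible:
            shortlist.append((name, score))
        else:
            rejected.append((name, score, gaps))
    return sorted(shortlist, key=lambda p: p[1], reverse=True), rejected

# Constructed assessments of three hypothetical products.
PRODUCTS = {
    "Appliance A": {"authentication": 3, "qos": 2, "secure_transmission": 3,
                    "key_management": 2, "central_logging": 1,
                    "scalability": 2, "automated_client_install": 3},
    "Software B": {"authentication": 3, "qos": 3, "secure_transmission": 3,
                   "key_management": 1, "central_logging": 3,
                   "scalability": 3, "automated_client_install": 3},
    # No entry for automated_client_install: scored as 0.
    "Appliance C": {"authentication": 2, "qos": 2, "secure_transmission": 2,
                    "key_management": 3, "central_logging": 3, "scalability": 3},
}

if __name__ == "__main__":
    shortlist, rejected = rank(PRODUCTS)
    print("shortlist:", shortlist)
    print("rejected (mandatory function below threshold):", rejected)
```

In the constructed data, the product with the highest weighted score is still rejected because its key management falls below the minimum level, which is the case a pure weighted sum would hide.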
It is necessary to check before installation if the selected products actually meet the requirements adequately and are compatible with the technologies the organisation plans to use. The selection of the VPN devices is one of the most important aspects for the smooth operation of a VPN. It is therefore necessary to consider this decision carefully, because changes made later often result in high costs or the changes may even have a negative impact on security.
Review questions:
- Are the requirements of the organisations in terms of networking different locations and/or connecting mobile employees or telecommuters taken into consideration when selecting VPN products?