S 4.320 Secure configuration of a VPN
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
All VPN components must be configured carefully, since an unsuitable configuration of even one VPN component may lead to a loss of the availability of the network or parts thereof, and may also lead to a loss of the confidentiality of the information or of data integrity. Regardless of whether the VPN components come in the form of dedicated hardware (appliances) or software-based systems, the correct configuration of the components involved plays a decisive role. Since a VPN consists of several components and their configurations, the overall configuration becomes more complex. Changing a configuration parameter on just one component, but not on the other ones, may therefore lead to security gaps, malfunctions, and/or failures in the interaction with the other components.
Since the configuration of a VPN system is generally subject to change (due to changes in personnel, new usage scenarios, or expansions of the system, for example), it cannot be assumed that there is exactly one secure (and static) configuration that only needs to be set up once and then never changed again. On the contrary, the configuration is usually subject to constant change. It is the task of the administrators responsible for the VPN to define only secure versions of the system configuration and to ensure that the system configuration is always transferred from one secure state to the next secure state. All changes and the respective current settings must be documented comprehensibly.
Basic settings
The basic settings performed by the manufacturer or distributor of a VPN component are not necessarily optimised in terms of security, but are usually optimised for easy installation and initial operation. For this reason, the first step when specifying the basic configuration is to examine the current basic settings and to adapt these to reflect the corresponding specifications in the security policy. The administrator must always replace the default passwords with sufficiently complex passwords.
Server configuration
The secure configuration of the VPN server software requires that the security settings offered by the software and reasonable in the current operational scenario are enabled and can actually be used. The use of certain security settings will require other components of the VPN to have corresponding functions and/or to be configured accordingly. When using the calling line identification protocol (CLIP), for example, it must be ensured that this protocol is also enabled for the selected connection. In order for users to identify themselves with X.509 certificates when accessing the VPN over the internet, the VPN must know where the user certificates are stored. This means the VPN software must either provide support for external authentication servers or offer its own certificate administration.
For this reason, it should be examined in advance whether all security mechanisms offered can actually be used or whether additional hardware or software will be needed to this end. The settings must also be checked regularly for correctness during live operation.
Client configuration
The requirements for the secure configuration of the VPN client software are similar to the requirements for the server software. In order for the client and server to communicate in a secure manner, it must be ensured that the components involved are configured consistently (for example regarding the procedures used to secure communications).
In addition, it must be ensured that the passwords required for VPN access are not saved anywhere by the software even though most software offers such an option. If storing the passwords cannot be prevented technically, all users must be informed that they are not allowed to save their passwords. They should also be informed of the security problems encountered when passwords are saved.
Setting up standardised IT systems
The secure and consistent configuration of the client and server can be supported by specifying a default configuration (hardware and software) for the VPN clients in the VPN concept and implementing it everywhere using organisational safeguards. The result is that there will only be a fixed number of different client configurations in use at any given time.
Setting up access networks
In addition to the configuration of the VPN, the separation of the network into subnetworks can also be used to control access. It may therefore be useful for information security reasons to set up special networks known as access networks (see also S 5.77 Establishment of subnetworks).
Routing settings
The flow of traffic over the network should be controlled restrictively using the routing settings of the network switching elements used by the VPN system. State-of-the-art network switching elements allow packets to be forwarded selectively within allowed network connections (packet filter functions). This way, it is possible to ensure, for example, that only requests to connect to the HTTP service on a server will be forwarded.
Only authorised users should be allowed to access the VPN clients. It is important to restrict access to the VPN, especially in the case of portable computers. Otherwise it could be possible for unauthorised persons to dial in to the VPN if the portable computer is stolen. The users therefore need to abide strictly by the rules specified (e.g. in terms of secure authentication and protection against theft, see also module S 3.3 Laptops).
Mobile VPN clients should be configured in such a way that, once the VPN client software has been started, all data traffic passes only through the VPN connection. Data connections bypassing the VPN connection and connecting to other networks must be prevented. Many VPN client products offer corresponding settings for this functionality.
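One way to verify the "all traffic through the tunnel" requirement on a Linux client is to inspect the routing table. The following is an added example and not part of this safeguard; the tunnel interface name, the VPN server address and both route tables are constructed for the example.

```python
import re

# Assumed for this example: the interface the VPN client creates and the (constructed)
# public address of the VPN server. Adjust both for a real client.
TUNNEL_IF = "tun0"
VPN_GATEWAY = "198.51.100.7"

# Constructed `ip route show` output of a client that sends everything via the VPN.
ROUTES_FULL_TUNNEL = """\
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
198.51.100.7 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
"""

# Constructed output of a split-tunnel client: only 10.0.0.0/8 uses the VPN,
# everything else leaves through the local uplink and bypasses the tunnel.
ROUTES_SPLIT_TUNNEL = """\
default via 192.168.1.1 dev eth0
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
"""

ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?: via (?P<gw>\S+))? dev (?P<dev>\S+)")

def check_full_tunnel(route_table, tunnel_if=TUNNEL_IF, vpn_gateway=VPN_GATEWAY):
    """Return a list of findings. An empty list means every route except the two
    unavoidable ones (the host route to the VPN server and the directly connected
    LAN that carries it) goes through the tunnel interface."""
    findings = []
    default_seen = False
    for line in route_table.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst, dev = m.group("dst"), m.group("dev")
        if dst == "default":
            default_seen = True
            if dev != tunnel_if:
                findings.append(f"default route leaves via {dev}, not {tunnel_if}")
        elif dev == tunnel_if or dst == vpn_gateway:
            pass                      # carried by the tunnel, or the VPN server itself
        elif "scope link" in line:
            pass                      # the uplink's own LAN; needed to reach its gateway
        else:
            findings.append(f"route to {dst} bypasses the tunnel via {dev}")
    if not default_seen:
        findings.append("no default route: unknown networks are not forced through the tunnel")
    return findings
```

The directly connected LAN is tolerated here because the uplink gateway must stay reachable; a stricter client policy may additionally block it with a packet filter.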
Access authorizations
It must be ensured that any test access points and user IDs which are no longer needed (for example after the test runs performed during installation) are removed. Furthermore, the access rights granted must be checked regularly, on the one hand to ensure that all required functionality can be used, and on the other hand to prevent the access rights granted from being misused.
Remote access
Active network components generally offer remote access capabilities for maintenance reasons. Remote access for administration should only be permitted if it is guaranteed that user names and passwords are not transmitted in plain text (as is the case with Telnet, for example). If it is possible to perform the configuration locally, local configuration should be preferred and the remote access functionality disabled.
Login banners
The login messages displayed by VPN components often contain relatively detailed information. Such login messages may contain information that a potential attacker may use to his/her advantage (for example the model or version number and software version number). If possible, the default login message should be replaced by a modified version that does not contain this information any more. The model and version numbers of the device and the version number of the operating system should not be displayed in the login banner under any circumstances for security reasons.
Interfaces
Unused interfaces on VPN components are often enabled by default. It is therefore necessary to disable these interfaces in the course of initial installation and configuration in order to reduce the number of possible points of attack.
Logs
VPN components generally offer logging capabilities, and these should always be enabled and configured carefully. Evaluating the logged information makes it possible to verify that the devices are operating properly and to detect attempted attacks. With the help of the logged information, it is often possible to determine the type of attack attempted and to modify the configuration accordingly. The configuration of the logging function must be specified carefully, because the relevant data can only be extracted from the mass of information generated when appropriate filters are used.
In addition to ensuring suitable storage of the logged information, it is also necessary to ensure the data obtained is examined as promptly as possible (see S 4.321 Secure operation of a VPN). The corresponding data protection laws must be followed in all cases.
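As an added illustration of the filtering step described above (not part of this safeguard), the following code reduces a constructed VPN gateway log to its authentication events and flags peers that accumulate failed logins within a short window. The syslog-style line format, host and process names are assumptions for the example and do not correspond to a specific product.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines in a generic syslog style. The message wording is an
# assumption for this example, not the output format of any particular VPN product.
SAMPLE_LOG = """\
Mar 12 08:00:00 vpngw vpnd[812]: peer 203.0.113.5 keepalive
Mar 12 08:00:05 vpngw vpnd[812]: peer 198.51.100.23 authentication failed for user 'alice'
Mar 12 08:00:09 vpngw vpnd[812]: peer 198.51.100.23 authentication failed for user 'admin'
Mar 12 08:00:14 vpngw vpnd[812]: peer 198.51.100.23 authentication failed for user 'root'
Mar 12 08:00:20 vpngw vpnd[812]: peer 198.51.100.23 authentication failed for user 'test'
Mar 12 08:00:40 vpngw vpnd[812]: peer 203.0.113.5 authentication succeeded for user 'bob'
Mar 12 08:01:00 vpngw vpnd[812]: peer 203.0.113.5 keepalive
Mar 12 08:02:10 vpngw vpnd[812]: peer 203.0.113.9 authentication failed for user 'carol'
Mar 12 08:02:30 vpngw vpnd[812]: peer 203.0.113.9 authentication succeeded for user 'carol'
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+: peer (?P<peer>\S+) "
    r"authentication (?P<result>failed|succeeded) for user '(?P<user>[^']*)'")

def parse_auth_events(log_text, year=2024):
    """Filter step: keep only authentication events, drop keepalives and other noise.
    Syslog lines carry no year, so one is supplied (assumption for the example)."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("peer"), m.group("result"), m.group("user")))
    return events

def find_bruteforce(events, threshold=3, window=timedelta(seconds=60)):
    """Report peers with at least `threshold` failures inside a sliding time window,
    together with the distinct user names tried; several names from one peer is a
    stronger signal than one user mistyping a password."""
    alerts, recent_failures = {}, {}
    for ts, peer, result, user in events:
        if result != "failed":
            continue
        recent = [e for e in recent_failures.get(peer, []) if ts - e[0] <= window]
        recent.append((ts, user))
        recent_failures[peer] = recent
        if len(recent) >= threshold:
            alerts[peer] = sorted({u for _, u in recent})
    return alerts
```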
Documentation
The settings of the VPN components to be checked within the framework of the basic configuration process should be documented, as well as whether they were changed, and if so, how they were changed. The documentation must be developed in such a way that someone other than the actual administrator who does not have any previous knowledge of the system will be able to understand what has been done in the event of an emergency. In the case of a failure, it should be possible to restore the system with the help of the system documentation only. The procedure explained in safeguard S 4.78 Careful modifications of configurations should be followed in this case.
Location-based authentication
In a site-to-site or end-to-site VPN, authentication can be performed not only on the basis of the users but also on the basis of the location. It must be possible to guarantee that each site can be uniquely identified. This assumes that the government agency and/or company already has an organisation-wide, central location administration, on which the VPN simply builds. Safeguard S 4.113 Use of an authentication server for remote access VPNs contains more information on using remote access points to the internal network of an organisation.
Change management
Changes to the VPN system configuration should be required to run through an organisational process that ensures the VPN can only be enabled using tested configurations. All changes should be documented and approved.
Note: Adding or deleting VPN user IDs generally does not require any changes to the VPN system configuration, because these changes are often made using the user administration of the operating system or an authentication server (e.g. RADIUS, TACACS+).
Regular examination of the VPN configuration
The configurations of all VPN components should be examined regularly. When examining the configurations, it must be ensured that all specifications in the VPN security policy have been implemented and that the settings do not open up any security vulnerabilities.
The VPN configuration is the actual implementation of the VPN security policy. All security requirements specified in the VPN security policy must be implemented accordingly. The topics listed here should be worked out in more detail, expanded, and adapted during the VPN system planning and VPN operation phases. Generally, the configuration of the components involved always depends on the local conditions and requirements. It is impossible to provide generally applicable instructions, because the components involved must be examined in the specific context of the organisation.
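The regular examination described above can be partly automated once the component's settings are available in a structured form. The following is an added example, not part of this safeguard or of any product: it places a constructed weak configuration beside its hardened counterpart and checks the basic-configuration points of this safeguard (default password, plain-text remote administration, version data in the banner, unused interfaces, leftover test accounts, logging). The key names, the default-password list and the account name pattern are assumptions for the example.

```python
import re

# Constructed audit input: a simplified, product-neutral view of one VPN gateway's
# settings. The key names are an assumption for this example.
WEAK_CONFIG = {
    "admin_password": "admin",
    "remote_admin": {"telnet": True, "ssh": True},
    "login_banner": "VPN Gateway X200 - firmware 4.2.1 - OS build 7.0",
    "interfaces": {"eth0": "up", "eth1": "up", "eth2": "up"},
    "interfaces_in_use": {"eth0", "eth1"},
    "accounts": ["alice", "bob", "testuser", "install"],
    "logging": {"enabled": False},
}

# The same device after applying the safeguard; only the offending keys change.
HARDENED_CONFIG = {
    **WEAK_CONFIG,
    "admin_password": "Kx7#vq!Lm2$pR9wZ",          # constructed, not a real credential
    "remote_admin": {"telnet": False, "ssh": True},
    "login_banner": "Authorised access only.",
    "interfaces": {"eth0": "up", "eth1": "up", "eth2": "down"},
    "accounts": ["alice", "bob"],
    "logging": {"enabled": True},
}

# Constructed list of vendor defaults; in practice taken from the manufacturer's documentation.
KNOWN_DEFAULT_PASSWORDS = {"admin", "password", "changeme", ""}
VERSION_RE = re.compile(r"\d+\.\d+")                 # "4.2.1", "7.0"; model names need a product-specific pattern
TEST_ACCOUNT_RE = re.compile(r"^(test|install|tmp)", re.I)

def audit(cfg):
    """Return the list of deviations from the basic-configuration checks."""
    findings = []
    if cfg["admin_password"] in KNOWN_DEFAULT_PASSWORDS:
        findings.append("default administrator password still in use")
    if cfg["remote_admin"].get("telnet"):
        findings.append("Telnet administration enabled: credentials travel in plain text")
    if VERSION_RE.search(cfg["login_banner"]):
        findings.append("login banner reveals version information")
    unused_up = [i for i, s in cfg["interfaces"].items()
                 if s == "up" and i not in cfg["interfaces_in_use"]]
    if unused_up:
        findings.append("unused interfaces still enabled: " + ", ".join(unused_up))
    leftovers = [a for a in cfg["accounts"] if TEST_ACCOUNT_RE.match(a)]
    if leftovers:
        findings.append("test/installation accounts present: " + ", ".join(leftovers))
    if not cfg["logging"]["enabled"]:
        findings.append("logging disabled")
    return findings
```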
Review questions:
- Have the basic settings of all VPN components been checked and adapted accordingly to reflect the specifications of the security policy?
- Have the default passwords of all VPN components been replaced by user-defined and sufficiently complex passwords?
- Have the security mechanisms offered by the VPN server that are useful in the current operational scenario also been enabled and put into use?
- Are the security settings of the VPN server checked regularly for correctness?
- Has it been ensured that the VPN server and VPN clients were configured consistently?
- Has it been ensured technically or organisationally that the user passwords for VPN access are not stored anywhere?
- Have the routing settings for the network switching elements used by the VPN been configured restrictively?
- Have all mobile VPN clients been configured in such a way that all data traffic is transported only via the VPN connection?
- Have any existing test access points and test accounts on the VPN components been deleted?
- If remote access is necessary for administration purposes: Has it been ensured that the user names and passwords are not transmitted as plain text?
- If the login message can be customised: Has the login message been defined in such a way that the model and version numbers of the device and the version of the operating system are not displayed?
- Have all unused interfaces on the VPN components been disabled?
- Is the logging functionality enabled in the VPN and suitably configured?
- Has the VPN system documentation been designed in such a way that third parties with the proper expertise are able to rebuild the system in the event of an emergency?
- Are all changes to the VPN configuration approved, verified, and documented?