S 4.321 Secure operation of a VPN
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
Due to the data transmitted using VPNs, they are attractive targets for attackers and therefore need to be operated securely. Prerequisites for secure operation include the secure installation (S 4.319 Secure installation of VPN devices) and configuration of the hardware and software components involved (S 4.320 Secure configuration of a VPN). In addition, all organisational procedures must have been defined and implemented (e.g. reporting paths and responsibilities). The recommendations provided in safeguard S 2.418 Drawing up a security policy for the use of VPNs must be taken into consideration to this end.
More and more frequently, it is necessary that the VPN connections of organisations are continuously ready for operation in a stable manner. Many organisations require them to be available around the clock (24/7 operation). To ensure smooth VPN operations, it is therefore necessary to create an operating concept and develop a corresponding contingency concept as well (see S 6.109 Business continuity plan for the failure of a VPN). The following aspects must be taken into account in particular when drawing up an operating concept.
Monitoring
In this case, monitoring is understood in the sense of quality management. This means the quality of service provided by a VPN must be monitored continuously. The data obtained should be consolidated in management reports and submitted regularly (monthly or quarterly, for example) to the IT management. The parameters measured are used to continuously fine-tune the quality of service and distribution of the bandwidth in the VPN. This way, it is possible to detect bottlenecks as well as software or hardware problems early. Here, it is also necessary to consider whether the VPN availability must be secured using corresponding SLAs (service level agreements) or OLAs (operational level agreements). In addition to the regular reports, it is also necessary to immediately report any irregularities that suddenly appear so that the problems can be eliminated promptly.
Monitoring concept
In contrast to monitoring the quality of service as mentioned above, the monitoring concept attaches importance to the security of the VPN. The logged data recorded must be checked, evaluated, and archived (if necessary for legal reasons) according to the security policy (e.g. in terms of access restrictions).
The information gained within the framework of monitoring should be checked regularly by a knowledgeable administrator. The best possible results are obtained through the use of additional software specifically designed for the evaluation of logged data. It is important to ensure that the regulations of the data protection laws are complied with (see also S 2.110 Data protection guidelines for logging procedures).
Alarming
An alarm concept must ensure that the persons in charge are informed immediately when a critical situation is discovered. In such a situation, the safeguards specified in advance must be taken and the incident must be documented accordingly (see module S 1.8 Handling security incidents). To eliminate failures, the business continuity concept created with the help of S 6.109 Business continuity plan for the failure of a VPN can subsequently be applied.
Maintenance
Maintenance work should not be performed on a VPN while it is in operation, meaning as long as users are able to access it. Employees always need to proceed with caution when performing maintenance work. In order to perform maintenance work or make changes to the systems, it is necessary to specify the corresponding responsibilities in advance.
Maintenance windows must be defined for maintenance tasks and changes, and the corresponding workflows must be planned. The type, scope, time, and duration of the maintenance work must be announced promptly together with the services that will be affected by the work. After completing the maintenance or making a change, the modifications made must be documented and checked.
Authorisation for remote access VPNs
A common feature of remote access VPNs is that it is not just a few VPN users who dial in to the VPN, but a large number. In general, these are users whose passwords may change regularly.
In order to make proper user authentication (e.g. via RADIUS, TACACS, TACACS+) possible for remote access, it is necessary to ensure the consistency of the authentication data. This can be achieved through central administration of the data (authentication server) or by synchronising the data periodically.
Connecting to remote access VPNs using dial-in lines
Depending on which type of VPN is used, users may also be able to dial in using data networks or dial-up connections such as ISDN or GSM. The following special precautions must be taken for dial-up connections:
- User authentication must be performed every time a user attempts to establish a connection using the selected mechanism. In particular, the use of the CLIP (calling line identification protocol) mechanism alone is inadequate for authentication purposes.
- The communication sent via every connection should be secured using one of the procedures permitted in the VPN security concept so that the data transmitted is adequately protected.
- The additional security mechanisms (use of calling line identification protocol, callback to a default telephone number for stationary VPN clients or VPN clients connected using mobile telephones) provided by the access technology should be used.
- A portable IT system can be connected to a LAN via a wireless network such as GSM (see also S 5.81 Secure transmission of data over mobile phones). When using VPNs over mobile telephone networks, it must be noted that the CLIP mechanism is generally only suitable for use as an additional authentication feature, because it is very easy to steal the mobile telephones identified by their telephone numbers.
- The recommendations in module S 4.6 Wireless LAN also must be taken into consideration when dialling in using a wireless LAN.
Training and awareness-raising measures
The users of a VPN must be trained in the use of the security mechanisms of the VPN. For this, they should first be provided with an overview of the typical threats to VPNs and of the corresponding safeguards. However, the administrators and members of the incident handling team must also be adequately familiarised with the use of the security solutions offered by the VPNs. General information on this topic can be found in S 2.198 Making staff aware of information security issues.
Clients for remote access VPNs
It is frequently desired to allow individual users to dial in to the LAN of a company or government agency using an insecure network. Examples of this include telecommuters or users who dial in using a public wireless LAN or from a mobile telephone. Standard IT systems on which an application for dialling in to a remote access VPN has been installed are typically used for this purpose.
Since VPN clients for remote access are often operated in incompletely controlled environments, in this case it is necessary to use special mechanisms, procedures, and safeguards to guarantee the client is protected. Mobile VPN clients in particular are exposed to special risks, because they are easy to attack physically (e.g. theft or manipulation). If a VPN client is compromised, there is a risk that the security of the LAN could be adversely affected by the compromised client.
For this reason, the following aspects must also be taken into consideration for the secure operation of mobile VPN clients in addition to the recommendations in safeguard S 5.122 Secure connection of laptops to local networks:
- The basic security of the mobile IT systems must be guaranteed (see also modules S 3.3 Laptops, S 4.3 Modem, S 3.4 Mobile Telephones, and S 5.8 Telecommuting).
- Since mobile VPN clients are exposed to greater risk than stationary VPN clients, the mobile VPN clients should be protected by additional safeguards. Hard drive encryption is a possibility in this case to ensure that data cannot be read and unauthorised VPN connections cannot be established from devices that have been lost or stolen.
- It is necessary to install anti-virus programs on all RAS clients, especially when access to the VPN is obtained using an Internet connection (see also module S 1.6 Protection against malware).
- Mobile VPN clients must also be included in the system management to the extent that this is possible. On the one hand, this allows the clients to be monitored in the context of maintaining ongoing operations. On the other hand, it is possible in this case to install software updates (virus databases, application programs) easily and in a controlled manner. Remote computers, though, place higher requirements on the system management, because they are not permanently connected to the network, which means the computers must be examined regularly for (unauthorised) configuration changes.
It must be noted in this case that recording this information places a load on the VPN client and the data needs to be transmitted over the VPN connection. VPN connections with less bandwidth (as is the case with connections established using mobile phones) may lead to unacceptably long response times for the user.
Communication connections
For the secure operation of a VPN, it is necessary to encrypt all data transmitted. Furthermore, it must be possible to determine the authenticity and integrity of the transmitted data beyond any doubt. This can be guaranteed using the methods described in safeguard S 5.148 Secure connection of an external network with OpenVPN or in safeguard S 5.149 Secure connection of an external network with IPSec, for example.
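The three requirements named above (encryption, authenticity, integrity of all transmitted data) map onto concrete VPN directives. The fragment below is an added example, not text from S 4.321 or S 5.148, showing a weak OpenVPN client configuration beside a hardened one; the hostname, certificate and key file names are assumed placeholders.

```conf
# Added example (not part of the BSI catalogue): two OpenVPN client fragments.
# vpn.example.org, ca.crt, client.crt, client.key and ta.key are placeholders.

# --- Weak: the tunnel exists, but the traffic in it is neither confidential
# --- nor authenticated, and the peer is not verified
client
dev tun
proto udp
remote vpn.example.org 1194
cipher none        # no encryption of the data channel
auth none          # no HMAC: altered packets are not detected
                   # no remote-cert-tls / ca: the server is not authenticated

# --- Hardened: confidentiality, authenticity and integrity for all traffic
client
dev tun
proto udp
remote vpn.example.org 1194
ca ca.crt                        # trust anchor for the server certificate
cert client.crt                  # client certificate: authenticates this client
key client.key
remote-cert-tls server           # reject peers without the server EKU in their cert
verify-x509-name vpn.example.org name   # pin the expected server name (CN)
tls-version-min 1.2              # refuse outdated TLS on the control channel
tls-crypt ta.key                 # encrypt and HMAC control-channel packets with a pre-shared key
data-ciphers AES-256-GCM:AES-128-GCM    # AEAD: confidentiality + integrity (OpenVPN 2.5+)
cipher AES-256-GCM               # legacy cipher directive for negotiation with 2.4 peers
auth SHA256                      # HMAC digest for tls-auth and non-AEAD data ciphers
```

The same checks apply to IPSec (S 5.149): an ESP proposal must combine an encryption algorithm with an integrity algorithm (or use an AEAD mode), and peer authentication must be by certificate or a strong pre-shared key rather than by address alone.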
Trusted VPNs
VPNs are seldom operated using network infrastructures under the organisation's own control. In many cases, VPNs are used to establish a secure connection using external networks like the Internet or a dedicated line from a third party provider. In the latter case in particular, it is necessary to monitor the connection in general, to monitor the quality of the connection, and to monitor the maintenance of the security aspects specified during the selection process (see S 2.420 Selecting a trusted VPN service provider).
Review questions:
- For high availability: Is there an operating concept for securing VPN operations?
- Has it been ensured that defects in the quality of the VPN connections are detected early?
- Is the logged data generated examined regularly and evaluated by competent personnel?
- Are the data protection laws adhered to when monitoring the VPNs?
- Have systematic procedures been specified for maintenance, changes, and audits of VPN components?
- Has it been specified how errors and incidents on the VPN will be handled?
- Has it been ensured that the persons in charge are informed immediately in the event of critical situations when using the VPN?
- Have the VPN users and administrators received enough training and have they been made aware of the relevant VPN security aspects?