S 6.109 Business continuity plan for the failure of a VPN

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator

The failure of a VPN could have serious consequences depending on the availability requirements. In order to avoid damage and/or to minimise the resulting damage, the availability requirements determined while defining the VPN system architecture must be taken into consideration. A VPN business continuity concept is used as a guide for an acute damage event (e.g. physical destruction, unauthorised access) and is intended to help the organisation maintain an overview of the safeguards to be taken in an emergency.

Contingency planning for VPNs must be integrated into the existing business continuity management system (see also module S 1.3 Business continuity management). Procedures and definitions of initial measures must be defined for a quick transition to normal operations.

Individual VPN business continuity concepts must be drawn up which reflect the specific conditions in the organisation based on the prioritisation of the locations, business processes, and/or organisational units. The following aspects must be taken into consideration when drawing up a business continuity concept for a VPN:

• Which incidents, direct damage, and consequential damage will result if a VPN connection actually fails?
• Which VPN connections must be highly available?
• How quickly is it possible to detect the failure of a VPN?
• Can errors in the telecommunication network used for the connection be quickly recognised as such? Are the errors reported to the administrator responsible (for example in case of connection problems, problems with caller ID features, or problems with the circuits of certain user groups)?
• How quickly can VPN connections be restored for each of the various failure scenarios (replacement of devices, booting up the system)?
• Which component failures must lead to a shutdown of the VPN even though it is still technically possible to establish VPN connections (e.g. when the logging function, communication encryption component, or the authentication server fails)?
• Are adequately qualified personnel available for the administration of the VPN in an emergency?

Suitable procedures should be developed for individual damage scenarios in the form of business continuity documentation. This documentation should contain all data needed to handle and overcome an emergency and presented in such a way that even substitutes are able to work with it. The business continuity documentation should also contain information on alternative connection routes, for example on alternative telecommunications providers or alternative transmission media.

People responsible in an emergency

Key personnel positions must be defined and documented together with their tasks and authorities. The recommendations provided in safeguard S 6.59 Specification of responsibilities for dealing with security incidents also must be taken into consideration in this case.

Setting up emergency numbers

An emergency number should be offered for employees, and especially for the mobile employees and telecommuters, so that they can report VPN problems promptly to the persons in charge. In addition, the VPN should be permanently monitored during critical periods (during office hours or times in which data is primarily exchanged via VPN, for example).

Redundant communication links

Increased requirements for the availability may arise depending on the priorities of the locations and their business-critical applications. If the availability requirements are high, secondary connections should be available in case of an incident. The secondary connection is only used in case of an incident and can be implemented using a DSL or ISDN connection, for example. Safeguard S 6.18 Provision of redundant lines offers additional information on proper implementation.

Redundant VPN components

Depending on the availability requirements of the corresponding location, the failure of a VPN component could result in more or less serious problems. Corresponding redundancy must be available when high requirements are placed on the availability of the VPN. This redundancy can be implemented corresponding to the requirements using the following mechanisms, for example:

• clustering (using several networked components to increase availability),
• hot standby (provision of initialised backup equipment) or cold standby (provision of backup equipment that is shut down).

It should be examined whether a redundant design is necessary, especially for central VPN components such as the VPN server in the context of a remote access VPN, for example.

Information is generally transmitted in encrypted form in VPNs. For this reason, it is necessary to ensure that the corresponding replacement keys are available for encryption and/or new keys must be generated. This aspect must be taken into account in key management.

There are many possible sources of error in a VPN, and implementation of safeguard S 6.53 Redundant arrangement of network components can help to provide additional reliability.

Development of a post-incident recovery plan

A recovery plan must be developed for every VPN operated in order to guarantee the quickest possible recovery of operations. The steps necessary must be specified and documented in the recovery plan. To ensure smooth operations when replacing defective VPN components, there must be a current backup available of the corresponding configuration data. Safeguard S 6.52 Regular backup of configuration data of active network components contains more information in this regard. It is also necessary to guarantee data consistency when recovering operations (see S 1.4 Development of a data backup plan).

Checking data integrity after incidents

During a crash of one or several VPN components or when another incident occurs on the VPN, it may not always be possible to guarantee the consistency of the data transmitted using the VPN. For this reason, the integrity of this data should be checked and the problem analysed after every incident to keep the problems from repeating.

Business continuity configuration

It may be necessary in certain situations to operate the VPN with restricted functionality or performance. In this case, a corresponding business continuity configuration must be enabled (see also S 4.320 Secure configuration of a VPN). The business continuity configuration serves to maintain the security of the VPN (system access security, data access security, communication security) even when operations are limited. For this, it is necessary to specify which VPN business continuity configuration will be selected in which situations in advance depending on the priorities assigned to the locations, business processes, and/or organisational units.

Performance of emergency drills

The best recovery plan is useless if it is not feasible in practice. It is therefore particularly important to conduct regular emergency drills in order to recognise and improve any weaknesses (see also S 6.12 Emergency preparedness exercises). The availability of audit-proof logs of the VPN recovery process must be guaranteed. The operability of all replacement VPN components, data backup devices, backup data media, and secondary cables used for the alternative communication connections must be checked at regular intervals. The people responsible will benefit from the training and awareness-raising measures and will be able to react quickly and efficiently in the event of a real emergency.

The VPN business continuity concept must be adapted to reflect the specific situation in the organisation and be designed in such a way that critical business processes will be available again within the time required. The VPN business continuity concept must be written in such a way that it can be carried out by third party experts. The VPN business continuity concept must always be kept up to date based on consistent technical, organisational, and personnel changes.

Review questions:

• Is there a current business continuity concept for the failure of a VPN?
• Have the availability requirements placed on the various VPN connections been specified?
• Has it been defined and documented who will perform which tasks and with which authorisations for the VPN operation in an emergency?
• Is there an emergency number available for employees for reporting problems with the VPN?
• Are the technical redundancies provided adequate for the availability requirements specified for VPN operations?
• Are enough qualified personnel available for the restoration of the VPN in an emergency?
• Have the steps to follow to restart the VPN been specified and documented?
• Is there a current backup copy of the configuration data?
• Are VPN emergency drills performed regularly?
• Are the data backups checked regularly to ensure they can be used to restore the corresponding data?