Virtual Private Networks (VPN) the Insecure Solution

    December 16, 2003

Many organisations have deployed VPNs as a quick-win solution and have suffered as a result of not implementing a full solution. Trinity Security Services' consultants have worked with a wide array of customers to solve security issues caused by hastily rolled-out VPN solutions.

Probably the greatest risk to the implementation of VPNs is the onslaught of cowboys jumping on the VPN bandwagon. Many networking companies have branched out to offer this type of encrypted VPN solution as a service with little understanding of the security implications. Although cowboys are able to implement a technology-based solution, they are unable to deliver what is required for a secure solution. Added to this is the fact that the technology portion of a security solution (hardware/software) is only 20% of the total solution. For example, an organisation has a VPN solution installed by cowboys at 12 o'clock; a vulnerability is released at 12:01 and a new patch is available by 12:05. This technology-based solution is insecure from day one: the organisation needs to have security mechanisms in place (such as vulnerability monitoring and patch management) to ensure that it can maintain security over time, and these mechanisms should be delivered as part of the overall solution.

So what are the security implications for your VPN solution if you only have 20% of the total solution?

Like all security solutions, the 20% is nothing without the 80% of soft security, i.e. policies and procedures. A VPN implemented without policies and procedures will very soon become a non-secure solution. The last 18 months have proved this: the Code Red worm would never have caused as much damage if the right policies and procedures had been in place to ensure that systems were patched.

Time after time, companies are victims of attacks simply because they do not have the supporting mechanisms required to maintain the technologies they have in place.

An organisation should therefore not only look for a technically sound VPN solution meeting all business requirements, but should also look for a solution that delivers the supporting policies and procedures.

The 80% (Policies & Procedures)

Out of 500 respondents to the recent InfoWorld Security Solutions Survey, only 3 percent reported that their companies have no formal security policies. How many could say the same about specific security policies for their VPN solution? A high-level corporate policy will have little bearing on individual network solutions, and therefore specific security policies and procedures must be delivered for each solution.

A VPN policy should set out at a high level what an organisation will and will not allow, and this policy must be enforceable. Like any other security policy, a VPN policy is only effective if it is distributed to all users of the VPN for reading and signature. In addition, policies created for a VPN solution should feed into or reference other corporate security policies where appropriate. For example, the VPN System Security Policy should reference the corporate Incident Response Procedure for matters of intrusion or other security incidents.

The following generic policies and procedures are recommended for a VPN solution:

    System Security Policy (SSP) is a policy document that covers (but is not limited to) the following areas:

  • The scope of the system (network diagram).
  • Information classification details of VPN traffic.
  • Minimum levels of security measures to be implemented.
  • Responsibilities for enforcing security measures.

    Security Operating Procedures (SyOps) is a procedural document that covers the day-to-day operations of the VPN solution. It sets out activities such as how new VPN client accounts should be created and how new VPN connections should be configured.

    System Interconnection Security Policy (SISP) is a policy document detailing the security standard for interconnecting to other VPN sites not under the same SSP. The SISP is specific to the particular VPN connection and can be written as a standard or on a per-connection basis. This document is especially important when using VPNs for e-business.

    A VPN solution will also require updates to existing policies and procedures documents such as:

  • Firewall Policy & Procedures – allowing VPN traffic (IKE, ESP/AH or the SSL/TLS port in use) to and from the VPN gateway
  • IDS Policy & Procedures – removing signatures to reduce false positives from VPN traffic (a sensor outside the gateway sees only ciphertext, so inspection belongs on the decrypted, internal side of the gateway)
  • Router Policy – allowing VPN traffic through screening routers
  • Internet Usage Policy – adding remote client details

    Other Security Considerations

    Another important consideration that must be built into every VPN solution is the security of the VPN client. The days when all devices and persons attached to the network sat together in the same room are long gone, making maintenance of perimeter security a difficult task. A remote VPN user's machine should be viewed as a network gateway and treated accordingly. The following features should therefore be available from the remote VPN client:

  • Firewall capabilities to prevent the remote user's machine from becoming a bridge between the Internet and the corporate network.
  • Capability to update the VPN client policy remotely.
  • Capability to update the OS (patches, new applications, anti-virus software etc.).
  • All remote VPN users should be forced to route all traffic through the corporate network before using any external resources such as e-mail or web browsing, i.e. no split tunnelling. In taking this approach, the various usage and security policies can be enforced upon all users.
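    The two client-side conditions listed above (a default route that bypasses the tunnel, and a host that forwards packets between its local network and the tunnel) can be checked mechanically from a client's routing table. The following is an added example, not code from the original article or from Trinity Security Services: it parses output in the format of the Linux `ip route show` command and reports whether the client is running a split tunnel or forwarding traffic. The routing tables, the corporate prefix 10.0.0.0/8, the interface name tun0 and the addresses used are constructed assumptions.

```python
"""Audit a remote VPN client's routing table for split tunnelling and IP
forwarding.  Added example; not from the original article or Trinity Security
Services.  Sample tables below are constructed; the corporate prefix, tunnel
interface name and probe addresses are assumptions for illustration."""
import ipaddress

# Assumed corporate address range and tunnel interface name.
CORPORATE_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]
TUNNEL_IF = "tun0"
# Any public address outside the corporate range; 198.51.100.0/24 is a documentation range.
PROBE_INTERNET_ADDR = "198.51.100.1"

# Constructed sample: only the corporate range goes through the tunnel (split tunnel).
SPLIT_TUNNEL_ROUTES = """
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

# Constructed sample: full tunnel.  0.0.0.0/1 and 128.0.0.0/1 override the LAN
# default route without deleting it; the single host route to the VPN gateway
# (203.0.113.10, a documentation address) must stay on the physical interface.
FULL_TUNNEL_ROUTES = """
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.10 via 192.168.1.1 dev wlan0
"""


def parse_routes(text):
    """Return a list of (network, device, metric) from `ip route show` lines."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dest, strict=False)  # a bare address is a /32 host route
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields else 0
        routes.append((net, dev, metric))
    return routes


def lookup(routes, addr):
    """Longest-prefix match, lowest metric on ties; returns the egress device."""
    addr = ipaddress.ip_address(addr)
    best_key, best_dev = None, None
    for net, dev, metric in routes:
        if addr in net:
            key = (net.prefixlen, -metric)
            if best_key is None or key > best_key:
                best_key, best_dev = key, dev
    return best_dev


def audit_client(route_text, ip_forward):
    """Return a list of findings; an empty list means the client is compliant.

    ip_forward is the value of /proc/sys/net/ipv4/ip_forward on the client,
    passed in so the check can run on captured output."""
    routes = parse_routes(route_text)
    findings = []
    internet_dev = lookup(routes, PROBE_INTERNET_ADDR)
    if internet_dev != TUNNEL_IF:
        findings.append(
            f"split tunnel: Internet traffic leaves via {internet_dev}, not {TUNNEL_IF}")
    for net in CORPORATE_PREFIXES:
        # First usable host of the range must be reached through the tunnel.
        if lookup(routes, str(net.network_address + 1)) != TUNNEL_IF:
            findings.append(f"corporate prefix {net} is not routed via {TUNNEL_IF}")
    if ip_forward:
        findings.append(
            "IP forwarding enabled: host can relay between its local network and the tunnel")
    return findings


if __name__ == "__main__":
    for name, table in (("split tunnel", SPLIT_TUNNEL_ROUTES), ("full tunnel", FULL_TUNNEL_ROUTES)):
        print(name, audit_client(table, ip_forward=False) or ["compliant"])
```

    In practice the route text would be collected from the client (`ip route show`) together with the forwarding flag, and the check run as part of the SyOps connection procedure; a client that fails it is exactly the Internet-to-corporate bridge the firewall requirement above is meant to prevent.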

    Whether the VPN solution is implemented by internal or external resources, there are certain supporting deliverables that should always be produced. These deliverables provide the information needed for auditing, troubleshooting, configuration management and other operational business functions. The following is a suggested guide to the deliverables required to support a VPN solution:

  • Low-Level Design – showing network topology, addressing scheme, encryption scheme and all other non device-specific technical information.
  • Build guides – detailing each device's configuration, including physical aspects (location, serial numbers etc.).
  • Roll-out documentation – procedures for the addition of new VPN devices or clients.

    A VPN Security Health Check for IT Managers

    Does your current VPN solution meet the minimum grade? Test it by answering the following 10 questions:

    1. Was the solution implemented in line with existing corporate security policies?

    2. Was Strong Authentication used for user authentication?

    3. Was a System Interconnection Security Policy (SISP) supplied with the solution?

    4. Was a VPN System Security Policy (SSP) supplied?

    5. Were System Operating Procedures (SyOps) supplied?

    6. Was a Low Level Technical Design supplied?

    7. Was build guide documentation supplied?

    8. Was an Audit carried out upon the implemented solution?

    9. Does the VPN gateway reside outside the corporate environment (in a firewall DMZ)?

    10. Was VPN client security considered?

    If the answer is NO to any of these questions then a review of the Security aspects of the implemented VPN solution should be carried out.

    Final Checks

    The final check for your VPN solution should be a full audit to confirm compliance with all corporate policies and procedures. A penetration test can be used as a tool to confirm the technical aspects of compliance.

    Once compliance is achieved, the Security or IT Manager can accredit the system, allowing the business to begin using the new solution. Regular internal audits and independent external audits at unannounced intervals should take place to ensure continued compliance.


    If your organisation's network is compromised due to poor VPN solution security, the costs could run into the thousands, with the initial ROI wiped out in a single incident. Therefore it is business critical that the VPN solution is not seen as a technology-based solution only, and that the wider security issues are considered. It's the 80/20 rule: ensure your organisation is aiming for 100% security and not just the easy-win 20%.


    Trinity Security Services (Trinity) is a leading independent information security solutions and services provider. Customers include a range of FTSE 250 companies across the UK and Europe.

    Trinity provides its customers with market-leading expertise, delivering solutions ranging from the technical, such as IDS, VPN and e-commerce, to strategic services including security policy and procedure development.