NET.3.3 VPN
Description
Introduction
Virtual Private Networks (VPNs) can be used to transmit sensitive data over untrusted networks such as the Internet. A VPN is a virtual network that is operated within another network but is logically separated from it. The VPN uses the network merely as a transport medium but is itself independent of the structure and setup of the network used. VPNs can use cryptographic methods to protect the integrity and confidentiality of data. VPNs also enable secure authentication of communication endpoints even when multiple networks or IT systems are connected to each other via leased lines or public networks.
Objective
The building block defines requirements with which a VPN can be purposefully and securely planned, implemented, and operated.
Scope and Modeling
The present building block is to be applied for every access option to the institution’s network via a VPN endpoint.
The building block does not address fundamentals for secure networks and their construction (see NET.1.1 Network Architecture and Design). Nor does this building block cover all processes associated with VPN operations. VPNs SHOULD generally be taken into account within the building blocks ORP.4 Identity and Access Management, OPS.1.1.3 Patch and Change Management, OPS.1.2.5 Remote Maintenance, OPS.1.1.2 Proper IT Administration, and CON.1 Cryptographic Concept.
Recommendations on how to configure the operating systems of VPN endpoints are likewise not part of this building block. Corresponding requirements are found in building block SYS.1.1 General Server or SYS.2.1 General Client as well as in the respective operating system-specific building blocks of the IT-Grundschutz Compendium.
Threat Landscape
Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular importance for building block NET.3.3 VPN.
Missing or Insufficient Planning of VPN Deployment
In a VPN that is not carefully planned, built, or configured, security vulnerabilities can arise that could affect all IT systems connected to the VPN. This could enable attackers to access the institution’s confidential information.
For example, insufficient VPN planning may result in users not being properly trained. As a result, they could use the VPN in an insecure environment or connect from insecure clients. This could potentially enable attackers to access the entire institution’s network.
Also, if regular monitoring of VPN access is insufficiently planned, attacks may not be detected in time. This means it is not possible to respond promptly, and attackers can undetectably steal data or sabotage entire processes.
Insecure VPN Service Providers
If an institution has not carefully selected its VPN service providers, this could render the institution’s entire network insecure. For example, a VPN access that a service provider operates insecurely could be exploited in targeted attacks to steal information.
Insecure Configuration of VPN Clients for Remote Access
If a VPN client is not securely configured, users could use its security mechanisms incorrectly or not at all. They may also change the configuration of the VPN client. An insecure configuration can also allow software installed by users to compromise the security of the VPN client.
Insecure Default Settings on VPN Components
In the default configuration, VPN components are usually preconfigured with no security mechanisms or only insufficient ones. Often more attention is paid to ease of use and seamless integration into existing IT systems than to security. If VPN components are not adapted, or only inadequately adapted, to the institution’s concrete security needs, vulnerabilities and thus dangerous attack points can arise. If factory-set passwords are not changed, for example, the entire VPN and thus the institution’s internal network could be attacked.
Requirements
The following are the specific requirements of building block NET.3.3 VPN. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO MUST always be involved in strategic decisions.
Additional roles are defined in the IT-Grundschutz Compendium. They SHOULD be filled insofar as this is sensible and appropriate.
| Responsibilities | Roles |
|---|---|
| Primarily responsible | IT Operations |
| Additional responsibilities | None |
Exactly one role SHOULD be Primarily responsible. There may also be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, that role is listed in square brackets after the requirement heading. The use of singular or plural says nothing about how many persons should fill these roles.
Basic Requirements
The following requirements MUST be fulfilled with priority for this building block.
NET.3.3.A1 Planning of VPN Deployment (B)
The introduction of a VPN MUST be carefully planned. The responsibilities for VPN operations MUST be defined. User groups and their authorizations MUST also be planned for the VPN. Likewise, it MUST be defined how granted, changed, or revoked access authorizations are to be documented.
NET.3.3.A2 Selection of VPN Service Providers (B)
If VPN service providers are used, Service Level Agreements (SLAs) MUST be negotiated with them and documented in writing. It MUST be regularly checked whether the VPN service providers are adhering to the agreed SLAs.
NET.3.3.A3 Secure Installation of VPN Endpoints (B)
If an appliance requiring maintenance is used, a valid maintenance contract MUST exist for it. It MUST be ensured that only qualified personnel install VPN components. The installation of VPN components and any deviations from planning specifications SHOULD be documented. The functionality and selected security mechanisms of the VPN MUST be checked before commissioning.
NET.3.3.A4 Secure Configuration of a VPN (B)
A secure configuration MUST be specified for all VPN components. This SHOULD be appropriately documented. The person responsible for administration MUST also regularly check, for all IT systems, whether the configuration is still secure and adapt it if necessary.
NET.3.3.A5 Blocking No Longer Needed VPN Accesses (B)
It MUST be regularly checked whether only authorized IT systems and users can access the VPN. VPN accesses that are no longer needed MUST be deactivated promptly. VPN access MUST be restricted to the required usage times.
Standard Requirements
Together with the basic requirements, the following requirements correspond to the state of the art for this building block. They SHOULD generally be fulfilled.
NET.3.3.A6 Conducting a VPN Requirements Analysis (S)
A requirements analysis SHOULD be carried out to determine the deployment scenarios for the respective VPN and to derive requirements for the required hardware and software components. The following points SHOULD be considered in the requirements analysis:
- business processes or professional tasks,
- access paths,
- identification and authentication methods,
- users and their permissions,
- responsibilities, and
- reporting channels.
NET.3.3.A7 Planning of the Technical VPN Implementation (S)
In addition to general planning (see NET.3.3.A1 Planning of VPN Deployment), the technical aspects of a VPN SHOULD be carefully planned. The encryption methods, VPN endpoints, permitted access protocols, services, and resources SHOULD be defined for the VPN. In addition, the subnets accessible via the VPN SHOULD be defined (see NET.1.1 Network Architecture and Design).
NET.3.3.A8 Creation of a Security Policy for VPN Use (S)
A security policy for VPN use SHOULD be created. This SHOULD be made known to all employees. The security measures described in the security policy SHOULD be explained in the course of training. When a VPN access is set up for employees, they SHOULD be given a reference card with the most important VPN security mechanisms. All VPN users SHOULD be obligated to comply with the security policies.
NET.3.3.A9 Appropriate Selection of VPN Products (S)
When selecting VPN products, the institution’s requirements for the networking of different sites and the connection of mobile employees or remote workplaces SHOULD be taken into account.
NET.3.3.A10 Secure Operation of a VPN (S)
An operational concept SHOULD be created for VPNs. Quality management, monitoring, maintenance, training, and authorization SHOULD be taken into account therein.
NET.3.3.A11 Secure Connection of an External Network (S)
It SHOULD be ensured that VPN connections are ONLY established between the IT systems and services intended for this purpose. The tunnel protocols used SHOULD be suitable for the deployment.
NET.3.3.A12 Account and Access Management for Remote Access VPNs (S)
For remote access VPNs, central and consistent account and access management SHOULD be ensured.
NET.3.3.A13 Integration of VPN Components into a Firewall (S)
VPN components SHOULD be integrated into the firewall. This SHOULD be documented.
Requirements for High Protection Needs
No requirements for high protection needs are defined for this building block.
Additional Information
Good to Know
The International Organization for Standardization (ISO) provides specifications for the use of VPNs in standard ISO/IEC 27033-5:2013 “Information technology - Security techniques - Network security - Part 5: Securing communications across networks using Virtual Private Networks (VPNs).”
The National Institute of Standards and Technology (NIST) provides general specifications for the use of VPNs in its Special Publication 800-77 “Guide to IPsec VPNs.”