Return on investment (ROI) will be the business term of 2002, so technology-driven projects that deliver ROI will be high on the corporate agenda.
Encrypted VPNs are one of the few security-based solutions that can truly be regarded as business enablers.
For this reason we can expect VPNs to be strong budget contenders in 2002, but can we be sure that any ROI gained will not be wiped out in the first few months of deployment?
The Insecure Solution
Many organizations have deployed VPNs as a quick-win solution and have suffered as a result of not implementing a full solution. There is a wide array of companies still needing to solve security issues as a result of hastily rolled out VPN solutions.
Probably the greatest risk to the implementation of VPNs is the onslaught of cowboys jumping on the VPN bandwagon. Many networking companies have branched out to include this type of encrypted VPN solution as a service with little understanding of the security implications. Although cowboys are able to implement a technology-based solution they are unable to deliver what is required for a secure solution. Added to this is the fact that the technology portion of a security solution (hardware/software) is only 20 percent of the total solution.
For example, an organization has a VPN solution installed by cowboys at 12 o'clock, a vulnerability is released at 12:01 and a new patch is available by 12:05. This technology-based solution is insecure - from day one the organization needs to have security mechanisms in place to ensure that they can maintain security. These mechanisms should be delivered as part of the overall solution.
So what are the security implications to your VPN solution if you only have 20 percent of the total solution?
Like all security solutions the 20 percent is nothing without the 80 percent soft security, i.e. policies and procedures. A VPN implemented without policies and procedures will very soon become a non-secure solution. The last 18 months have proved this; the Code Red attack would never have caused as much damage if the right policies and procedures had been in place to ensure that systems were patched.
Time after time, companies are victims of attacks because they do not have the supporting mechanisms required to maintain the technologies they have in place. An organization should therefore look not only for a technically sound VPN solution that meets all business requirements, but also for a solution that delivers supporting policies and procedures.
The 80 Percent - Policies and Procedures
Out of 500 respondents to the 2001 InfoWorld Security Solutions Survey, only three percent reported that their companies have no formal security policies. How many could say the same about specific security policies for their VPN solution? A high-level corporate policy will have little bearing on individual network solutions and therefore specific security policies and procedures must be delivered for each solution.
A VPN policy should discuss, at a high level, what an organization will and will not allow. This policy should also be enforceable. Like any other security policy, a VPN policy is only effective if it is distributed to all users of the VPN for reading and signature. In addition, policies created for a VPN solution should feed into or reference other corporate security policies where appropriate. For example, the VPN system security policy should reference the corporate incident response procedure for matters of intrusion or incident.
The following generic policies and procedures are recommended for a VPN solution:
System security policy (SSP) is a policy document that covers (but is not limited to) the following areas:
- the scope of the system (network diagram);
- information classification details of VPN traffic;
- minimum levels of security measures to be implemented;
- responsibilities for enforcing security measures.
Security operating procedures (SyOps) is a procedural document that covers the day-to-day operations of the VPN solution. It sets out activities such as how new VPN client account creation should take place and how new VPN connections should be configured.
System interconnection security policy (SISP) is a policy document detailing the security standard for interconnecting to other VPN sites not under the same SSP. The SISP is specific to the particular VPN connection and can be written as a standard or on a per connection basis. This document is especially important when using VPNs for e-business.
A VPN solution will also require updates to existing policies and procedures documents such as:
- firewall policy and procedures - allowing VPN traffic;
- IDS policy and procedures - removing signatures to reduce false positives from VPN traffic;
- router policy - allowing VPN traffic through screening routers;
- Internet usage policy - adding remote client details.
Other Security Considerations
Another important consideration that must be built into every VPN solution is the security of the VPN client. The days when all devices and persons attached to the network sat together in the same room have long gone, making maintenance of perimeter security a difficult task. Remote VPN users should be viewed as a network gateway and treated accordingly. The following features should therefore be available from the remote VPN client:
- firewall capabilities to prevent the remote user from becoming a bridge between the Internet and the corporate network;
- capability to update VPN client policy remotely;
- capability to update OS (patches, new applications, virus software, etc.).
All remote VPN users should be forced to enter the corporate network before using any external resources such as email or web browsing. In taking this approach, the various usage and security policies can be enforced upon all users.
Whether the VPN solution is implemented by internal or external resources, there are certain supporting deliverables that should always be produced. These deliverables should provide information for auditing, troubleshooting, configuration management and other operational business functions. The following is a suggested guide to the deliverables required to support a VPN solution:
- Low-level design: Showing network topology, addressing scheme, encryption scheme and all other non device-specific technical information.
- Build guides: Detailing each device's configuration, including physical aspects (location, serial numbers, etc.).
- Roll-out documentation: Procedures for addition of new VPN devices or clients.
A VPN Security Health Check for IT Managers
Does your current VPN solution meet the minimum grade? Test it by answering the following 10 questions:
1. Was the solution implemented in line with existing corporate
2. Was strong authentication used for user authentication?
3. Was a system interconnection security policy (SISP) supplied with
4. Was a VPN system security policy (SSP) supplied?
5. Were system operating procedures (SyOps) supplied?
6. Was a low-level technical design supplied?
7. Was build guide documentation supplied?
8. Was an audit carried out upon the implemented solution?
9. Does the VPN gateway reside outside the corporate environment (in a firewall demilitarized zone)?
10. Was VPN client security considered?
If the answer is 'no' to any of these questions then a review of the security aspects of the implemented VPN solution should be carried out.
The final check for your VPN solution should be a full audit to confirm compliance with all corporate policies and procedures. A penetration test can be used as a tool to confirm the technical aspects of compliance.
Once compliance is achieved, the security or IT manager can accredit the system, allowing the business to begin using the new solution. Regular internal audits and irregular external audits should take place to ensure continued compliance.
If your organization's network is compromised due to poor VPN solution security, the costs could run into the thousands, with the initial ROI being wiped out in a single incident. It is therefore business critical that the VPN solution is not seen as a technology-based solution only, and that the wider security issues are considered.
It's the 80/20 rule. Ensure your organization is aiming for 100 percent security and not just the easy win 20 percent.
Simon Jenner, CISSP, is a principal security consultant with Trinity Security Services (TSS), a U.K.-based independent security professional services company specializing in providing security solutions to service provider and global enterprises (www.trinitysecurity.com).