2. VIRTUAL PRIVATE NETWORK (VPN)

2.1 Definition

2.1.1 Virtual Private Networking—New Issues for Network Security, published by the IT Governance Institute, defines a VPN as a “network of virtual circuits that carries private traffic through public or shared networks such as the Internet or those provided by network service providers (NSPs).” For the purpose of this guideline, this definition of VPN is used.

2.1.2 In the context of VPN, the terms “tunnel” and “tunneling” are often used. The process of encapsulating one type of packet in another packet type so the data can be transferred across paths that otherwise would not transmit the data is called tunneling. The paths the encapsulated packets follow in an Internet VPN are called tunnels.
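The encapsulation described in 2.1.2, shown as an added example that is not part of the guideline: an inner IPv4 packet between two private addresses is wrapped in a GRE header and an outer IPv4 header addressed between the two tunnel end points, carried across the transit path, and unwrapped at the far end. The addresses, payload and helper names (build_ipv4, encapsulate, decapsulate, tunnel_round_trip) are constructed for illustration. GRE alone provides no confidentiality; the VPN protocols listed later in this section (IPSec, SSL) add the encryption and authentication that make a tunnel private.

```python
"""Tunnelling illustrated: an inner IPv4 packet encapsulated in an outer
IPv4/GRE packet, then decapsulated at the far tunnel end point.
Constructed example; addresses are documentation ranges, not real hosts."""
import ipaddress
import struct

IPPROTO_GRE = 47            # IANA protocol number for GRE
ETHERTYPE_IPV4 = 0x0800     # GRE protocol-type value for an IPv4 payload
IPV4_HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Assemble an IPv4 packet (no options, DF set) around an arbitrary payload."""
    header = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0x4000, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """Split an IPv4 packet into header fields and payload, verifying the checksum."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel entry: wrap the inner packet in a GRE header and an outer IPv4
    header addressed between the two tunnel end points."""
    gre_header = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no checksum/key/sequence flags
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_GRE, gre_header + inner_packet)


def decapsulate(outer_packet: bytes) -> bytes:
    """Tunnel exit: strip the outer IPv4 and GRE headers and return the inner packet."""
    outer = parse_ipv4(outer_packet)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("outer packet does not carry GRE")
    _flags, proto_type = struct.unpack("!HH", outer["payload"][:4])
    if proto_type != ETHERTYPE_IPV4:
        raise ValueError("unsupported encapsulated protocol 0x%04x" % proto_type)
    return outer["payload"][4:]


def tunnel_round_trip() -> dict:
    """Send a private-address packet through the tunnel and report what each
    party sees: the transit network only sees the outer (public) addresses."""
    inner = build_ipv4("10.1.1.5", "10.2.2.9", 17, b"app data")   # constructed
    outer = encapsulate(inner, "198.51.100.1", "203.0.113.7")      # constructed
    seen_in_transit = parse_ipv4(outer)
    delivered = parse_ipv4(decapsulate(outer))
    return {"transit_src": seen_in_transit["src"], "transit_dst": seen_in_transit["dst"],
            "transit_proto": seen_in_transit["proto"],
            "inner_src": delivered["src"], "inner_dst": delivered["dst"],
            "inner_intact": decapsulate(outer) == inner}


if __name__ == "__main__":
    for name, value in tunnel_round_trip().items():
        print(name, value)
```

Calling tunnel_round_trip() shows the two views a reviewer cares about: the transit network sees only 198.51.100.1 to 203.0.113.7 with protocol 47, while the receiving end point recovers the original 10.1.1.5 to 10.2.2.9 packet unchanged.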

2.2 VPN Models

2.2.1 There are three common VPN models for deployment. The major differences among the models are in the location of their service end points or tunnel end points, the level of management required, quality of service, and the reliance on direct service provider involvement. The three most common models are:

Pure provider model

Hybrid provider model

End-to-end model

2.2.2 In the pure provider model, most of the VPN functionality is built into the service provider infrastructure and not into the network of the organisation. This model is often deployed over one service provider’s network. There is a clear line of distinction between the organisation’s network and the service provider’s network. Remote access to the organisation’s network is typically provided by a dedicated circuit (such as T1 or T3), ATM connections or dedicated frame relay connections. The customer owns and operates the remote access VPN-related equipment and software in its network, while equipment and software inside the service provider’s network, from the physical circuit out, is owned and operated by the service provider. The service provider initiates VPN tunnels from edge to edge of its network and relies on the private circuits on either end for security. In this model, the provider has a high level of control over the network and is responsible for capacity planning, design, configuration, diagnostics and troubleshooting.

G25 Review of Virtual Private Networks cont.

2.2.3 The hybrid provider model involves the networks of both the service provider and the organisation. A VPN tunnel is initiated from inside the provider’s network, and the tunnel is terminated at the organisation’s network. In this model, the service provider is responsible for the initiation of the VPN tunnels for the remote users after the users are authenticated. When the remote user reaches the organisation’s network, a second authentication may be required before access permission to the private network is granted. Once authenticated, users can access the network facilities as if they were directly connected to the enterprise LAN.

2.2.4 In the end-to-end model, the service provider serves only as a transport for the VPN data. The service end points or tunnel end points could be the desktop or a VPN device that serves as a proxy for multiple desktops. Both service end points are outside the service provider’s network. This model can be used for remote access or to connect multiple sites.

2.3 VPN Usage

2.3.1 There are various ways to use a VPN, depending upon the model used. The most common are:

Site-to-site connectivity

Remote access connectivity

Extended enterprise extranet connectivity

2.3.2 Site-to-site connectivity allows separate intranets to connect securely, effectively creating one large intranet. Site-to-site VPNs are often used by geographically distributed organisations to create a single logical network.

2.3.3 Remote access connectivity permits mobile employees to access the organisation’s intranet, via the Internet, using secure network communications. This is used in combination with global dial-up, wireless and broadband ISPs. Many organisations use remote access VPNs to provide low-cost network accessibility to their employees.

2.3.4 Extended enterprise extranet connectivity provides connections to networks outside the enterprise. Business, research or marketing partners often use these to speed communications through secured connections. Generally, extranets have stronger controls in place to allow, manage and monitor network-to-network traffic, and the internal network may be protected from the extranet via firewalls.

2.4 VPN Architecture

2.4.1 There are many possible options for installing VPNs. A VPN supplied by a network service provider is one of the most common approaches to connecting an organisation to the Internet. The VPN architecture in any organisation could be one or a combination of the following:

Firewall-based VPNs

Router-based VPNs

Remote access-based VPNs

Hardware (black box)-based VPNs

Software-based VPNs

2.4.2 Firewall-based VPNs are the most common form of implementation. Since most organisations already use a firewall to connect to the Internet, they need to add only encryption software and some form of authorisation software.

2.4.3 There are two types of router-based VPNs. In one, software is added to the router to allow encryption to occur. With the second type, a third-party vendor-supplied external card must be inserted into the same chassis as the router to off-load the encryption process from the router’s CPU to the card.

2.4.4 With remote access-based VPNs, someone from a remote location could create an encrypted packet stream or tunnel to a network device in the organisation.

2.4.5 With hardware (black box)-based VPNs, the vendor offers a black box, or a device with encryption software, to create a VPN tunnel. The black box VPN device is ordinarily behind the firewall or on the side of the firewall to secure the data, but in fact the VPN system may be wholly independent of the firewall.

2.4.6 In software-based VPNs, the software handles the tunneling to another client or encryption of packets. Software is loaded on the client and the server. Traffic starts from a specific client within the organisation and makes a connection to a server located at the remote site. Traffic leaving the client is encrypted or encapsulated, and routed to its destination. The same applies for someone trying to connect to the internal network.

2.5 VPN Configuration/Topology

2.5.1 When configuring the VPN, parameters must be set for key length, authentication servers, connection and idle timeouts, certificate generation and key generation, and key distribution mechanisms. There are numerous ways to configure and implement VPN architecture and to place the architecture in a VPN topology. Organisations could use one or a combination of the following commonly used topologies in a VPN configuration:

Firewall-to-client

LAN-to-LAN

Firewall-to-intranet/extranet

Hardware and software VPN
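The parameters that 2.5.1 says must be set (key length, authentication servers, connection and idle timeouts, certificate and key generation, and distribution mechanisms) are the ones a reviewer checks first. The following is an added example, not part of the guideline: it parses a simple key = value configuration extract and reports each parameter that is missing or outside a review baseline. The file format, parameter names (rsa_key_bits, auth_server, idle_timeout_s, session_lifetime_s, cert_validity_days, key_distribution), the thresholds in BASELINE and both sample configurations are constructed assumptions, not any vendor’s syntax or defaults.

```python
"""Review of VPN configuration parameters against a baseline.
Constructed example: the 'key = value' format, parameter names and
baseline thresholds are assumptions for illustration, not vendor syntax."""
from dataclasses import dataclass

# Constructed review baseline (thresholds chosen for the example)
BASELINE = {
    "min_rsa_key_bits": 2048,         # key length
    "max_idle_timeout_s": 900,        # idle timeout
    "max_session_lifetime_s": 28800,  # connection (session) timeout
    "max_cert_validity_days": 398,    # certificate lifetime
    "accepted_key_distribution": {"pki", "ikev2"},  # automated key distribution
}


@dataclass(frozen=True)
class Finding:
    parameter: str
    value: str
    issue: str


def parse_config(text: str) -> dict:
    """Parse 'key = value' lines; '#' starts a comment. Keys are case-insensitive."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        cfg[key.lower()] = value
    return cfg


def _int_or_none(cfg: dict, key: str):
    """Integer value of a parameter, or None when absent or not numeric."""
    value = cfg.get(key)
    try:
        return None if value is None else int(value)
    except ValueError:
        return None


def _check_bounded(cfg: dict, key: str, upper: int, unit: str, findings: list) -> None:
    """Flag a timeout/lifetime that is missing, disabled (<= 0) or above the baseline."""
    value = _int_or_none(cfg, key)
    if value is None or value <= 0 or value > upper:
        findings.append(Finding(key, cfg.get(key, ""),
                                "missing, disabled or above %d %s" % (upper, unit)))


def review_config(cfg: dict) -> list:
    """Return one Finding per parameter that is missing or outside the baseline."""
    findings = []

    key_bits = _int_or_none(cfg, "rsa_key_bits")
    if key_bits is None or key_bits < BASELINE["min_rsa_key_bits"]:
        findings.append(Finding("rsa_key_bits", cfg.get("rsa_key_bits", ""),
                                "missing or below %d bits" % BASELINE["min_rsa_key_bits"]))

    if not cfg.get("auth_server"):
        findings.append(Finding("auth_server", "", "no authentication server configured"))

    _check_bounded(cfg, "idle_timeout_s", BASELINE["max_idle_timeout_s"], "s", findings)
    _check_bounded(cfg, "session_lifetime_s", BASELINE["max_session_lifetime_s"], "s", findings)
    _check_bounded(cfg, "cert_validity_days", BASELINE["max_cert_validity_days"], "days", findings)

    distribution = cfg.get("key_distribution", "").lower()
    if distribution not in BASELINE["accepted_key_distribution"]:
        findings.append(Finding("key_distribution", distribution,
                                "not an accepted automated key distribution mechanism"))
    return findings


# Constructed sample configurations: one with review findings, one without
WEAK_CONFIG = """
rsa_key_bits = 1024          # short key
auth_server = radius.example.internal
session_lifetime_s = 86400   # 24 h; idle timeout not set at all
cert_validity_days = 1825    # 5 years
key_distribution = manual
"""

HARDENED_CONFIG = """
rsa_key_bits = 3072
auth_server = radius.example.internal
idle_timeout_s = 600
session_lifetime_s = 28800
cert_validity_days = 365
key_distribution = pki
"""

if __name__ == "__main__":
    for f in review_config(parse_config(WEAK_CONFIG)):
        print("%-20s %-10s %s" % (f.parameter, f.value or "<unset>", f.issue))
```

Running it against WEAK_CONFIG lists five findings (key length, missing idle timeout, session lifetime, certificate validity and manual key distribution); HARDENED_CONFIG produces none. The thresholds are the reviewer’s inputs and should be replaced by the organisation’s own standard before use.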

2.5.2 Firewall-to-client is the most commonly used topology, and it applies to remote users who dial into an internal network.

2.5.3 LAN-to-LAN is the second most commonly used topology. It extends the firewall-to-client topology to different remote offices and among offices, business partners and suppliers when a VPN tunnel has been created between two sites.

2.5.4 In firewall-to-intranet/extranet topology, intranets are used by employees and extranets are used externally by customers, business partners and suppliers. When remote users try to access servers on the extranet or intranet, a decision must be made as to which server they may access.

2.5.5 Hardware and software VPNs are stand-alone devices designed to implement VPN technology algorithms. A VPN device is ordinarily behind the firewall on the internal network. Data packets flow through the firewall and the VPN device, and can be encrypted as they pass through these devices. Generally, in software encryption models such as the SSL protocol, special (authentication) devices are not required and the packet flow is encrypted by the software.

2.5.6 VPN technologies and protocols include:

PPTP (point-to-point tunneling protocol)

L2TP (layer 2 tunneling protocol)

IPSec (Internet protocol security)

SSL (secure sockets layer)

3. RISKS ASSOCIATED WITH VPNs
