2.2 Security risks of VPN
VPNs might sound like a panacea to a number of problems as they can extend, in our example, a corporate network across a wide geographic area via the internet. However, in doing so, they raise a number of new problems.
Security of remote machines
When a remote machine is part of a VPN it effectively creates a new frontier between the ‘secure’ corporate network and the internet. This remote machine now offers a direct route into a corporate network. Previously, it had been relatively simple to secure machines within a corporate network; now the remote user might be using their own computer, network connection, operating system and software – none of which are controlled by the organisation. Worse still, they might be sharing the machine with a number of other users, some of whom might not be employed by the organisation. Perhaps the same PC is used to manage corporate documents, as well as downloading pirated music from the internet and playing video games!
The remote machines must themselves be secured from abuse. That may mean enforcing certain minimum standards with regard to operating system, antivirus software, firewalls and so on. Employers may have to stipulate that antivirus software is kept up to date, and that all patches and service packs are installed.
It might be prudent to severely limit what a remote user can access on the internal corporate network when connecting over a VPN.
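The two controls described above (minimum standards for remote machines, and limited access over the VPN) can be combined into a single posture check. The following is an added example, not part of the original course text; the field names, thresholds, operating system labels and resource groups are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Assumed policy values, constructed for this example (not from the course text).
MAX_PATCH_AGE_DAYS = 30
MAX_AV_SIGNATURE_AGE_DAYS = 7
SUPPORTED_OS = {"windows-11", "macos-14", "ubuntu-22.04"}
# Assumed groups of internal resources the VPN gateway can expose.
FULL_ACCESS = {"mail", "intranet", "file-shares", "finance-db"}
RESTRICTED_ACCESS = {"mail", "intranet"}
QUARANTINE = {"patch-server"}  # only enough to bring the machine up to standard

@dataclass
class Posture:
    """What a remote machine reports when it connects (hypothetical fields)."""
    os_name: str
    last_patch: date
    av_signatures: date
    firewall_on: bool
    managed: bool  # True if the organisation controls the device

def failures(p: Posture, today: date) -> list[str]:
    """Return the minimum standards this machine fails to meet."""
    out = []
    if p.os_name not in SUPPORTED_OS:
        out.append("unsupported operating system")
    if (today - p.last_patch).days > MAX_PATCH_AGE_DAYS:
        out.append("patches out of date")
    if (today - p.av_signatures).days > MAX_AV_SIGNATURE_AGE_DAYS:
        out.append("antivirus out of date")
    if not p.firewall_on:
        out.append("firewall disabled")
    return out

def allowed_resources(p: Posture, today: date) -> set[str]:
    """Map posture to the internal resources the VPN session may reach."""
    if failures(p, today):
        return QUARANTINE          # non-compliant: remediation only
    if not p.managed:
        return RESTRICTED_ACCESS   # compliant personal machine: limited access
    return FULL_ACCESS             # compliant, organisation-controlled machine

if __name__ == "__main__":
    today = date(2024, 6, 1)  # constructed sample data
    shared_pc = Posture("windows-7", date(2023, 1, 1), date(2024, 1, 1), False, False)
    print(failures(shared_pc, today), allowed_resources(shared_pc, today))
```

A compliant personal machine still receives only the restricted set, reflecting the point that a machine the organisation does not control should reach less of the internal network.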
Security of the VPN implementation
As you learned earlier, the security of various VPN implementations has come under scrutiny. Protocols themselves might be well designed and apparently secure, but the method of implementation, where programmers have taken shortcuts or offered ‘additional convenience’ to the user, may compromise the protection offered.
For instance, there are no major problems with the PPTP protocol, but Microsoft’s implementation of PPTP was found to have a number of serious defects. Microsoft’s implementation of PPTP was introduced in 1996, and hacker software exploiting weaknesses began circulating the following year. Papers describing the weaknesses appeared in 1998. It was only after publication that Microsoft addressed the most serious weaknesses in PPTP by releasing a patch (DUN 1.3), and even then some issues remained unresolved.
In addition to errors in protocol implementations, security vulnerabilities can be introduced if the design or configuration of the overall VPN solution is done incorrectly.
Security of interoperation
VPN is a technology with a number of competing standards, often supported by different vendors. Mixing and matching hardware and software might cause problems. Until technology matures (which is happening at a rapid rate), it might be necessary to use a single technology provider.
Security of network availability
Since VPNs typically rely on the internet for delivering information, there are no guarantees of reliability. The internet cannot guarantee delivery of information from one location to another.
In the next section you are invited to find out more about VPN and share your findings.