Security Risks
The key security risk with communications over an insecure network is that sensitive information may be
accessible to unauthorized parties, leading to unauthorized disclosure and/or modification. In addition to the
risks typically associated with local and wide area networking, the typical risks associated with VPNs include:
— insecure implementation through:
• an untested or defective cipher suite,
• a weak shared secret that could be easily guessed,
• poor network topology,
• uncertainty about the security of the remote client,
• uncertainty about the authentication of users,
— uncertainty about the security of the underlying service provider,
— poor performance or availability of service,
— non-compliance with regulatory and legislative requirements on the use of encryption in certain countries.
Security Controls
In VPNs, cryptographic techniques are commonly used in networking and/or application protocols to implement security functionality and services, especially if the network on which the VPN is built is a public network (for example, the Internet). In most implementations the communications links between the participants are encrypted to ensure confidentiality, and authentication protocols are used to verify the identity of the systems connected to the VPN. Typically, the encrypted information travels through a secure 'tunnel' that connects to an organization's gateway, with the confidentiality and integrity of the information maintained. The gateway then identifies the remote user and lets the user access only the information they are authorized to receive.
Thus, a VPN is a mechanism based on protocol tunneling: treatment of one complete protocol (the client protocol) as a simple stream of bits and wrapping it up in another (the carrier protocol). Normally, the VPN carrier protocol provides security (confidentiality and integrity) to the client protocol(s). In considering the use of VPNs, the architectural aspects that should be addressed include:
— endpoint security,
— termination security,
— malicious software protection,
— authentication,
— intrusion detection,
— security gateways (including firewalls),
— network design,
— other connectivity,
— split tunneling,
— audit logging and network monitoring,
— technical vulnerability management.
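As an added illustration of the protocol-tunneling idea described above (example code, not part of the original text or of any particular VPN product), the following Go program treats a client-protocol packet as opaque bytes and wraps it in a carrier frame whose AES-GCM protection gives the client protocol both confidentiality and integrity. The frame layout, field sizes and function names are assumptions made for this example, not a real VPN wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed carrier-frame layout for this example:
//   version(1) | body length(2, big-endian) | nonce(12) | AES-GCM ciphertext+tag
const hdrLen, nonceLen = 3, 12

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encapsulate wraps an opaque client-protocol packet in a carrier frame. The header is
// bound as additional authenticated data, so altering it in transit is detected too.
func encapsulate(key, clientPkt []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	hdr := []byte{1, 0, 0}
	binary.BigEndian.PutUint16(hdr[1:], uint16(len(clientPkt)+aead.Overhead()))
	frame := append(hdr, nonce...)
	return aead.Seal(frame, nonce, clientPkt, hdr), nil
}

// decapsulate verifies integrity before releasing any client-protocol bytes.
func decapsulate(key, frame []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(frame) < hdrLen+nonceLen+aead.Overhead() || frame[0] != 1 {
		return nil, errors.New("malformed carrier frame")
	}
	hdr, nonce, body := frame[:hdrLen], frame[hdrLen:hdrLen+nonceLen], frame[hdrLen+nonceLen:]
	if int(binary.BigEndian.Uint16(hdr[1:])) != len(body) {
		return nil, errors.New("length field does not match body")
	}
	return aead.Open(nil, nonce, body, hdr) // fails on any change to header, nonce or body
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // per-session random key; a guessable shared secret is the risk listed above
	clientPkt := []byte("GET /status HTTP/1.1\r\nHost: intranet.example\r\n\r\n") // constructed
	frame, _ := encapsulate(key, clientPkt)
	out, err := decapsulate(key, frame)
	fmt.Printf("round trip ok=%v err=%v\n", string(out) == string(clientPkt), err)
	frame[len(frame)-1] ^= 0x01 // one flipped bit, as an on-path modification would cause
	_, err = decapsulate(key, frame)
	fmt.Println("tampered frame rejected:", err != nil)
}
```

The carrier never inspects the client packet; it only protects it, which is what lets the same tunnel carry any client protocol.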