VPNs: Vulnerable Private Networks?

The classic network model of the roaring nineties is long gone. Many people still talk about "inside" and "outside" the firewall in relation to viruses, worms, Trojans and virtually every other threat. This is an immediate sign that you're dealing with a rookie.

Why? Well, the answer is simple: the VPN.

Virtual Private Networks (VPNs) are a top technology where important security concerns are often overlooked. VPNs blur the lines of where network boundaries begin and end. Sure, companies spend millions on familiar antivirus products, but rarely do they overspend to understand where new threats may be breeding. And since VPN technology has only recently proven its utility, many organizations are rushing to drop it in. This creates two areas of concern.

The first is, "Who really understands what this device does?" and the second, "How does it affect our current security stance?" VPN vendors are competing for a hold in this highly competitive market. They have all added a dizzying array of feature sets to their product lines.

Unfortunately, most IT shops don't have a dedicated security team to call on for answers, so the senior technician is tasked with understanding technologies that can fill entire four-year degree programs. VPNs open your organization to a new league of threats.

But all is not lost.

There are several things that can be done before you find yourself in a crisis. The first is to understand how your VPN extends the network. Do this by testing the features you want to use in a lab environment. See if viruses can pass through the device from an infected home user or contractor. Find out whether it uses standard protocols or vendor-specific protocol sets, and the implications of each. Test how traffic flows and how you can manage it.

Pay close attention to split tunneling, that is, whether users can connect to your organization while at the same time connected to the open Internet or other hostile networks. Be sure your solution allows for client-side policy enforcement. This is the biggest and most important feature of any VPN solution because you can effectively force VPN users to have a certain level of protection before entering your organization.

Finally, "blackbox" test the solution. Throw everything but the kitchen sink at it to see how it holds up. You will be surprised how many big-name products overlook security issues while in a rush to get their product out to market. Once you sort these things out, see if you can mold the device to your current security policy. If your policy doesn't address these concerns, you'd better get one in place that does.

Remember, classic computing models are dead. You have to adapt your current practices and policies to fit the new face of network computing.
