Virtual private networks (VPNs) are now a common feature of all teleworking environments and corporate communication networks. Originally developed to provide site-to-site connectivity, most VPN connections today are used by remote or mobile workers linking to corporate or partner networks. They provide organizations with a cost-effective way to extend geographic connectivity, while at the same time maintaining some security.
VPNs provide an alternative to the traditional wide area network (WAN), and enable secure communications across a public network such as the internet. By implementing a VPN, an organization can provide access to the corporate network from other networks and individual users.
Traditional VPNs rely on Internet protocol security (IPSec) to ‘tunnel’ between two endpoints. IPSec works on the network layer of the OSI model, securing all data that travels between the two endpoints, and is independent of any specific application. When connected to an IPSec VPN, the client device is ‘virtually’ connected to the corporate network, and is potentially able to see the entire network, and all the resources on it.
These test results appear to show that most company VPNs represent a security risk. However, the results are more alarming than that, in that they show that the average number of vulnerabilities has increased from nine to 11 over the last 12 months, which was the last time the penetration tests were performed. Therefore, because these results were performed by security testing firm NTA Monitor on its customers, they are potentially even more alarming.
It would be safe to assume that if an organization takes the trouble to employ a specialist firm, this makes them probably more aware than others of the risks and vulnerabilities of VPNs, and therefore we can surmise that, if the tests were performed on a random selection of organizations, the results would be even worse.
The report states that many of these vulnerabilities can be addressed by improvements in the housekeeping activities performed by IT departments.
While organizations might be consolidating and co-locating their IT resources, many are simultaneously dispersing their human resources to a range of different locations. Connecting these resources to one another in a secure, manageable, and cost-effective way is a fundamental IT requirement, and is driving the market for VPN solutions. A well-designed VPN can benefit an organization in several ways, ranging from increased workforce mobility to telecommunication cost reduction. However, as these results demonstrate, corporate VPNs are not as secure as many think, and represent an area where IT departments must improve if service disruption to corporate users is to be avoided.
Source: OpinionWire by Butler Group (www.butlergroup.com)