August 16, 2007

VPN security is still an issue

Virtual private network security remains an issue. A recent report on penetration tests carried out on the virtual private networks of UK organizations shows that 73% have at least one medium-level flaw that could result in external users disrupting their services. Clearly, IT departments need to focus on addressing this security issue to avoid such disruption.

By CBR Staff Writer

Virtual private networks (VPNs) are now a common feature of all teleworking environments and corporate communication networks. Originally developed to provide site-to-site connectivity, most VPN connections today are used by remote or mobile workers linking to corporate or partner networks. They provide organizations with a cost-effective way to extend geographic connectivity, while at the same time maintaining some security.

VPNs provide an alternative to the traditional wide area network (WAN), and enable secure communications across a public network such as the internet. By implementing a VPN, an organization can provide access to the corporate network from other networks and individual users.

Traditional VPNs rely on Internet protocol security (IPSec) to ‘tunnel’ between two endpoints. IPSec works on the network layer of the OSI model, securing all data that travels between the two endpoints, and is independent of any specific application. When connected to an IPSec VPN, the client device is ‘virtually’ connected to the corporate network, and is potentially able to see the entire network, and all the resources on it.

These test results appear to show that most company VPNs represent a security risk. However, the results are more alarming than that: they show that the average number of vulnerabilities has increased from nine to 11 over the last 12 months, which was the last time the penetration tests were performed. And because the tests were performed by security testing firm NTA Monitor on its customers, the results are potentially even more alarming.

It would be safe to assume that an organization that takes the trouble to employ a specialist firm is probably more aware than others of the risks and vulnerabilities of VPNs. We can therefore surmise that, if the tests were performed on a random selection of organizations, the results would be even worse.

The report states that many of these vulnerabilities can be addressed by improvements in the housekeeping activities performed by IT departments.

While organizations might be consolidating and co-locating their IT resources, many are simultaneously dispersing their human resources to a range of different locations. Connecting these resources to one another in a secure, manageable, and cost-effective way is a fundamental IT requirement, and is driving the market for VPN solutions. A well-designed VPN can benefit an organization in several ways, ranging from increased workforce mobility to telecommunication cost reduction. However, as these results demonstrate, corporate VPNs are not as secure as many think, and represent an area where IT departments must improve if service disruption to corporate users is to be avoided.


Source: OpinionWire by Butler Group
