We have already discussed several aspects of VPN integration. Other VPN issues also need to be considered when designing a VPN architecture. Two items that are particularly important are the usage of proprietary VPN systems and issues caused by compromised or malicious VPN clients.
Proprietary VPN Implementations
In the "IPSec Server Integration" section, we mentioned that some IPSec implementations do not strictly adhere to the IPSec standard and might be considered proprietary. In addition, some VPN solutions implement proprietary VPN protocols or proprietary versions of standard VPN protocols. Such solutions require users to install a particular VPN client on their workstations. You must be particularly careful when evaluating a proprietary VPN product to ensure that it has client software available for all the operating systems your users might utilize. Also, keep in mind that as new versions of operating systems are released, a significant lag might be present before the proprietary client software is available for that operating system.
Compromised or Malicious VPN Clients
Because VPN client hosts are usually external and are typically not under the control of your organization, your environment might be at serious risk if one or more of the client hosts is compromised or is acting maliciously. When a VPN connection is established between a client and your network, you can consider that client to be on an extended portion of your network. If a Trojan has compromised a client host, the remote attacker controlling it can connect to that host and pass through the VPN connection onto your network. Depending on your VPN architecture and perimeter defenses, attackers might be able to enter your internal network and do serious damage to your resources.
To make this situation even worse, VPNs complicate the monitoring of network activity. Because by definition VPNs encrypt traffic, they can interfere with the normal operation of network intrusion detection systems (IDSs), antivirus software, content monitoring software, and other network security measures. When you are planning a VPN implementation, you should pay particular attention to where your network security systems currently reside. Your VPN should be designed so that decrypted traffic from it passes through your regular network security systems. Alternatively, you might have to move or add network security measures so that the traffic is monitored. For example, an additional network IDS sensor might need to be deployed, or host IDS software might need to be added. If you do not monitor the traffic that has been sent through the VPN, you greatly increase the risk of incidents from external clients occurring through your VPN.
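The placement rule in the paragraph above (decrypted VPN traffic must pass a monitoring point, and a sensor that sits in front of the VPN gateway sees only ciphertext) can be checked mechanically against a network design. The following script is an added example, not part of the original text: it models a topology as directed links, marks which node decrypts (the VPN gateway) and which nodes monitor (IDS sensors), and reports every path from a VPN client to a protected host on which no sensor sees plaintext. All node names and the three topologies are constructed for illustration.

```python
from collections import defaultdict


def find_unmonitored_paths(edges, source, targets, decryptors, monitors):
    """Return each simple path from source to a target on which traffic is
    never inspected after being decrypted.

    edges      - iterable of (from_node, to_node) directed links
    targets    - set of protected internal hosts
    decryptors - nodes that terminate the VPN (traffic is plaintext from here on)
    monitors   - nodes running a network or host IDS
    """
    graph = defaultdict(list)
    for src, dst in edges:
        graph[src].append(dst)

    unmonitored = []

    def walk(node, path, decrypted, seen_plaintext):
        # Decryption happens at the terminator; a sensor on that same node
        # (for example host IDS on the gateway itself) also sees plaintext.
        decrypted = decrypted or node in decryptors
        seen_plaintext = seen_plaintext or (decrypted and node in monitors)
        if node in targets:
            if not seen_plaintext:
                unmonitored.append(list(path))
            return
        for nxt in graph[node]:
            if nxt in path:  # simple paths only, no loops
                continue
            path.append(nxt)
            walk(nxt, path, decrypted, seen_plaintext)
            path.pop()

    walk(source, [source], False, False)
    return unmonitored


# Constructed topologies (hypothetical node names).
BEFORE = [  # the only sensor is on the Internet side: it sees ciphertext
    ("vpn_client", "border_ids"),
    ("border_ids", "vpn_gateway"),
    ("vpn_gateway", "core_switch"),
    ("core_switch", "file_server"),
    ("core_switch", "db_server"),
]
AFTER = [  # sensor moved behind the gateway, where the traffic is plaintext
    ("vpn_client", "border_fw"),
    ("border_fw", "vpn_gateway"),
    ("vpn_gateway", "vpn_ids"),
    ("vpn_ids", "core_switch"),
    ("core_switch", "file_server"),
    ("core_switch", "db_server"),
]
# Same as AFTER plus a second gateway uplink that skips the sensor.
BYPASS = AFTER + [("vpn_gateway", "core_switch")]

PROTECTED = {"file_server", "db_server"}
DECRYPTORS = {"vpn_gateway"}
SENSORS = {"border_ids", "vpn_ids"}


def audit(edges):
    """Paths from the VPN client to protected hosts that escape plaintext inspection."""
    return find_unmonitored_paths(edges, "vpn_client", PROTECTED, DECRYPTORS, SENSORS)


if __name__ == "__main__":
    for name, topo in (("BEFORE", BEFORE), ("AFTER", AFTER), ("BYPASS", BYPASS)):
        gaps = audit(topo)
        print(f"{name}: {len(gaps)} unmonitored path(s)")
        for p in gaps:
            print("   " + " -> ".join(p))
```

The BEFORE design is flagged on both internal hosts even though it has a sensor, because that sensor only ever sees encrypted packets. The AFTER design passes, and BYPASS shows why every link out of the terminator has to be accounted for: one extra uplink from the gateway into the core reintroduces an uninspected path, which is exactly the kind of change a later network tweak can make without anyone revisiting the VPN design.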