Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Standard view
Full view
of .
Look up keyword
Like this
0 of .
Results for:
No results containing your search query
P. 1
VPN Review

VPN Review



|Views: 496|Likes:
Published by adiltsa
VPN Review
VPN Review

More info:

Categories:Types, Brochures
Published by: adiltsa on Aug 05, 2009
Copyright:Attribution Non-commercial


Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less





 The specialised nature of information systems (IS) auditing and the skills necessary to perform such audits require standards that applyspecifically to IS auditing. One of the goals of the Information Systems Audit and Control Association
) is to advance globallyapplicable standards to meet its vision. The development and dissemination of the IS Auditing Standards are a cornerstone of the ISACAprofessional contribution to the audit community. The framework for the IS Auditing Standards provides multiple levels of guidance.
define mandatory requirements for IS auditing and reporting. They inform:
IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Codeof Professional Ethics for IS auditors
Management and other interested parties of the profession’s expectations concerning the work of practitioners
Holders of the Certified Information Systems Auditor 
) designation of requirements. Failure to comply with these standards mayresult in an investigation into the CISA holder's conduct by the ISACA Board of Directors or appropriate ISACA committee and, ultimately,in disciplinary action.
provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieveimplementation of the standards, use professional judgment in their application and be prepared to justify any departure. The objective of the IS Auditing Guidelines is to provide further information on how to comply with the IS Auditing Standards.
provide examples of procedures an IS auditor might follow in an audit engagement. The procedure documents provideinformation on how to meet the standards when performing IS auditing work, but do not set requirements. The objective of the IS AuditingProcedures is to provide further information on how to comply with the IS Auditing Standards.
resources should be used as a source of best practice guidance. Each of the following is organised by IT management process, asdefined in the C
. C
T is intended for use by business and IT management as well as IS auditors; therefore, its usageenables the understanding of business objectives, and communication of best practices and recommendations, to be made around acommonly understood and well-respected standard reference. C
T includes:
Control Objectives
—High-level and detailed generic statements of minimum good control
Control Practices
—Practical rationales and guidance on how to implement the control objectives
 Audit Guidelines
—Guidance for each control area on how to obtain an understanding, evaluate each control, assess compliance, andsubstantiate the risk of controls not being met
Management Guidelines
—Guidance on how to assess and improve IT process performance, using maturity models, metrics and criticalsuccess factors
of terms can be found on the ISACA web site at
. The words audit and review are used interchangeably.
ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professionalresponsibilities set out in the ISACA Code of Professional Ethics for IS auditors
ISACA makes no claim that use of this product will assure asuccessful outcome. The publication should not be considered inclusive of any proper procedures and tests or exclusive of other proceduresand tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, thecontrols professional should apply his/her own professional judgment to the specific control circumstances presented by the particular systems or information technology environment.The ISACA Standards Board is committed to wide consultation in the preparation of the IS Auditing Standards, Guidelines and Procedures.Prior to issuing any documents, the Standards Board issues exposure drafts internationally for general public comment. The StandardsBoard also seeks out those with a special expertise or interest in the topic under consideration for consultation where necessary. TheStandards Board has an ongoing development programme and welcomes the input of ISACA members and other interested parties toidentify emerging issues requiring new standards. Any suggestions should be e-mailed (
), faxed (+1.847. 253.1443) or mailed (address at the end of document) to ISACA International Headquarters, for the attention of the director of research standards andacademic relations.This material was issued on 1 April 2004.
Information Systems Audit and Control Association 2003-2004 Standards Board
Chair, Claudio Cilli, Ph.D., CISA, CISM, CIA, CISSP Value Partners, ItalySvein Aldal Scandinavian Business Security AS, NorwayJohn W. Beveridge, CISA, CFE, CGFM, CQA Commonwealth of Massachusetts, USASergio Fleginsky, CISA PricewaterhouseCoopers, UruguayChristina Ledesma, CISA, CISM Citibank NA Sucursal, UruguayAndrew MacLeod, CISA, FCPA, MACS, PCP, CIA Brisbane City Council, AustraliaRavi Muthukrishnan, CISA, CISM, FCA, ISCA NextLinx India Private Ltd., IndiaPeter Niblett, CISA, CA, CIA, FCPA WHK Day Neilson, AustraliaJohn G. Ott, CISA, CPA Aetna Inc., USA
Page 2 Review of Virtual Private Networks Guideline
1. BACKGROUND1.1 Linkage to Standards1.1.1
Standard S6 Performance of Audit Work states, "During the course of the audit, the IS auditor should obtain sufficient, reliable andrelevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysisand interpretation of this evidence."
Guideline G16 Effect of Third Parties on an Organisation’s IT Controls provides guidance.
Guideline G17 Effect of Nonaudit Roles on the IS Auditor’s Independence provides guidance.
Linkage to C
states, "It is management's responsibility to safeguard all the assets of the enterprise. To discharge thisresponsibility, as well as to achieve its expectations, management must establish an adequate system of internal control."
Management Guidelines
provides a management-oriented framework for continuous and proactive control self-assessmentspecifically focused on:
Performance measurement—How well is the IT function supporting business requirements?
IT control profiling—What IT processes are important? What are the critical success factors for control?
Awareness—What are the risks of not achieving the objectives?
Benchmarking—What do others do? How can results be measured and compared?
Management Guidelines
provides example metrics enabling assessment of IT performance in business terms. The key goalindicators identify and measure outcomes of IT processes, and the key performance indicators assess how well the processes areperforming by measuring the enablers of the process. Maturity models and maturity attributes provide for capability assessmentsand benchmarking, helping management to measure control capability and identify control gaps and strategies for improvement.
Management Guidelines
can be used to support self-assessment workshops and can also be used to support the implementationby management of continuous monitoring and improvement procedures as part of an IT governance scheme.
T provides a detailed set of controls and control techniques for the information systems management environment. Selectionof the most relevant material in C
T applicable to the scope of the particular audit is based on the choice of specific C
T ITprocesses and consideration of C
T’s information criteria.
The C
T references located in the appendix of this document offer the specific objectives or processes of C
T to consider when reviewing the area addressed by this guidance.
 1.3 Need for Guideline1.3.1
The purpose of this guideline is to describe the recommended practices in carrying out the review of virtual private network (VPN)implementations so that the relevant IS Auditing Standards are complied with during the course of the review.
Virtual Private Networking—New Issues for Network Security 
, published by the IT Governance Institute, defines VPN as a:“…network of virtual circuits that carries private traffic through public or shared networks such as the Internet or those provided bynetwork service providers (NSPs).” For the purpose of this guideline, this definition of VPN is used.
In the context of VPN, the terms “tunnel” and “tunneling” are often used. The process of encapsulating one type of packet inanother packet type so the data can be transferred across paths that otherwise would not transmit the data is called tunneling. Thepaths the encapsulated packets follow in an Internet VPN are called tunnels.
2.2 VPN Models2.2.1
There are three common VPN models for deployment. The major differences among the models are in the location of their serviceend points or tunnel end points, the level of management required, quality of service, and the reliance on direct service provider involvement. The three most common models are:
Pure provider model
Hybrid provider model
End-to-end model
In the pure provider model, most of the VPN functionality is built into the service provider infrastructure and not in the network of the organisation. This model is often deployed over one service provider’s network. There is a clear line of distinction between theorganisation’s network and the service provider’s network. Remote access to the organisation’s network is typically provided by adedicated circuit (such as, T1, T3), ATM connections or dedicated frame relay connections. The customer owns and operates theremote access VPN-related equipment and software in the network, while equipment and software inside the service provider’snetwork, from the physical circuit out, is owned and operated by the service provider. The service provider initiates VPN tunnelsfrom edge-to-edge of the network and relies on the private circuits on either end for security. In this model, the provider has a highlevel of control over the network and is responsible for capacity planning, design, configuration, diagnostics and troubleshooting.
Review of Virtual Private Networks Guideline Page 3
The hybrid provider model involves the networks of both the service provider and the organisation. A VPN tunnel is initiated frominside the provider’s network, and the tunnel is terminated at the organisation’s network. In this model, the service provider isresponsible for the initiation of the VPN tunnels for the remote users after the users are authenticated. When the remote user reaches the organisation’s network, a second authentication may be required before being granted access permission to theprivate network. Users can access the network facilities as if they are directly connected to the enterprise LAN, once they areauthenticated.
In the end-to-end model, the service provider serves only as a transport for the VPN data. The service end points or tunnelingcould be the desktop or a VPN device that serves as a proxy for multiple desktops. Both service end points are outside the serviceprovider’s network. This model can be used for remote access or to connect multiple sites.
2.3 VPN Usage2.3.1
There are various ways to use a VPN, depending upon the model used. The most common are
Site-to-site connectivity
Remote access connectivity
Extended enterprise extranet connectivity
The site-to-site connectivity provides separate intranets to connect securely, effectively creating one large intranet. Site-to-siteVPNs are often used by geographically distributed organisations to create a single logical network.
The remote access connectivity permits mobile employees to access the organisation’s intranet, via the Internet, using a securenetwork communications. This is used in combination with global dial-up, wireless and broadband ISPs. Many organisations useremote access VPNs to provide low-cost network accessibility to their employees.
Extended enterprise extranet connectivity
provides connections to networks outside the enterprise. Business, research or marketing partners often use these to speed communications through secured connections. Generally, extranets have stronger controls in place to allow, manage and monitor network-to-network traffic, and the internal network may be protected from theextranet via firewalls.
2.4 VPN Architecture
There are many possible options for installing VPNs. A VPN supplied by a network service provider is one of the most commonapproaches to connect an organisation to the Internet. The VPN architecture in any organisation could be one or combinations of the following:
Firewall-based VPNs
Router-based VPNs
Remote access-based VPNs
Hardware (black box)-based VPNs
Software-based VPNs
The firewall-based VPNs are the most common form of implementation. Since most organisations already use a firewall toconnect to the Internet, they need to add encryption software and some kind of authorisation software.
There are two types of router-based VPNs. In one, software is added to the router to allow encryption to occur. With the secondtype, a third-party vendor-supplied external card must be inserted into the same chassis as the router to off-load the encryptionprocess from the router’s CPU to the card.
With remote access-based VPNs, someone from a remote location can create an encrypted packet stream or tunnel to a networkdevice in the organisation.
With hardware (black box)-based VPNs, the vendor offers a black box, or a device with encryption software, to create a VPNtunnel. The black box VPN device is ordinarily behind the firewall or on the side of the firewall to secure the data, but in fact theVPN system may be wholly independent of the firewall.
In software-based VPNs, the software handles the tunneling to another client or encryption of packets. Software is loaded on theclient and the server. Traffic starts from a specific client within the organisation and makes a connection to a server located at theremote site. Traffic leaving the client is encrypted or encapsulated, and routed to its destination. The same applies for someonetrying to connect to the internal network.
2.5 VPN Configuration/Topology2.5.1
When configuring the VPN, parameters must be set for key length, authentication servers, connection and idle timeouts, certificategeneration and key generation, and distribution mechanisms. There are numerous ways to configure and implement VPNarchitecture and to place the architecture in a VPN topology. Organisations could use one or combinations of the following mostcommonly used topologies in a VPN configuration:
Hardware and software VPN
Firewall-to-client is the most commonly used topology, and it applies to remote users who dial into an internal network
is the second most commonly used topology. It extends the firewall-to-client topology to different remote offices andamong offices, business partners and suppliers when a VPN tunnel has been created between two sites.
In firewall-to-intranet/extranet topology, intranets are used by employees and extranets are used externally by customers,business partners and suppliers. When remote users try to access servers on the extranet or intranet, a decision must be made asto which server they may access.

Activity (7)

You've already reviewed this. Edit your review.
1 hundred reads
1 thousand reads
jrfrmem liked this
jrfrmem liked this
pradeepmanral liked this
muzammils liked this
c4kep_b4nget liked this

You're Reading a Free Preview

/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->