@@ -323,21 +323,26 @@ A VPN server is responsible for maintaining tunnels between VPN clients and the
(previously ### 4.4.1)
The physical environment a VPN product may be deployed in affects the risks and potential risk transfers.
VPN products may be deployed in various different environment such as different physical devices as well as different physical networks.
The physical environment a VPN product may be deployed in affects the applicable risks and enables potential risk transfers.
VPN products may be deployed in various different environments such as different physical devices as well as different physical networks.
Devices may include:
***Network devices**: VPN products are often deployed on network devices to tunnel traffic to a remote endpoint. Such network devices (for exmaple a router) are usually located on the edge between a private and public netowrk and thus exposed to internal as well as external attack surfaces. A firewall is usually incuded by the underlying hardware system for such network devices.
***Internet of Things, Consumer Gagets and Applicances**: VPN products could be used on IoT devices, consumer gadgets, TVs or other applicances where the product is bound to the security model of the device hardware and operating system. The device might lack proper hardware security modules, firewall support, or enforce a relaxed security model (for example requiring the product to run as root without proper isolation between applicaions and users). Such devices are usually placed in private networks.
***Consumer Devices**: VPN products are often deployed on consumer devices such as tablets, computers or laptops of various operating systems. The prodct is bound to the security model of the device hardware and operating system. While such devices usually support firewalls, proper user isolation, the actual security configuraiton of such systems depends on the security awreness of the operating administrating user.
***Managed Endpoints**: Managed endpoints are professionally managed instances which are usually located on a physical or virtal server in a data center. While the firewall configuration is done by the administrating user, this user is assumed to have advanced security knowledge. Further, the server is usually located in an access restricted data center which transfers physical risk (for exmaple memory snapshotting or injections) to the data center provider.
There are various types of devices, but they all share that the firewall is managed by the underlying system and outside of the control of the VPN product.
Network environment may include:
***Secure professionally managed environment**: In professionally managed environments usually utalize a securely managed firewall, isolated network and applicaion environments, properly configured and hardent operating systems, as well as proper security event monitoring to detect intruders or malicious activities. Devices are usually located in an access restricted environment such as data centers or private homes.
***Private home network**: Private home networks are usually an isolated network which is protected by the router's firewall configuraiton. Devices deployed inside the private home network can freely communicate which imposes a risk if one or many of the devices in the private home network is compromised. Network traffic in such environment could be intercepted and inspected on outbound network devices. Physical risks to devices located in a private home network are unlikley since most of the devices are located in the private and access restricted environemtn of the user.
***Public network**: Public networks usually lack proper security configuration and network traffic might be evesdroped, tampered or intercepted. The network may contain hostile devices and malicious users since the environment is not access restricted. Physical risks can not to be ruled out (for example it might be possible that a laptop gets stolen in a public network).
***Restricted/Monitored Networks**: Access to certain content might be restricted in certain networks through deep package inspection. Internet service providers or network administrator might restricte or disallow VPN traffic affecting the availability of the VPN connection.
***Network devices**: VPN products are often deployed on network devices to tunnel traffic to remote endpoints. Such network devices (for example a router) are usually located on the edge between a private and public network and thus exposed to internal as well as external attack surfaces. A firewall is usually included by the underlying OS or hardware system for such network devices.
***Internet of Things, Consumer Gadgets and Appliances**: VPN products could be deployed on IoT devices, consumer gadgets, TVs or other appliances where the product is bound to the security model of the device hardware and operating system. The device might lack proper hardware security modules, firewall support, or enforce a relaxed security model (for example requiring the product to run as root without proper isolation between applications and users). Such devices are usually placed in private networks.
***Consumer Devices**: VPN products are often deployed on consumer devices such as tablets, computers or laptops of various operating systems. The product is bound to the security model of the hardware and operating system. While such devices usually support firewalls, proper user isolation, the actual security configuration of such systems depends on the security awareness of the operating administrating user. Consumer devices are located in private networks.
***Managed Endpoints**: Managed endpoints are professionally managed instances which are usually located on a physical or virtual server in a data center. While the firewall configuration is done by the administrating user, this user is assumed to have advanced security knowledge. Further, the server is usually located in an access restricted data center which transfers physical risk (for example memory snapshotting or injections) to the data center provider.
Devices might be located in insecure networks, which could include one or even a combination of the following networks:
***Secure professionally managed environment**: In professionally managed environments usually utilize a securely managed firewall, isolated network and application environments, properly configured and hardened operating systems, as well as proper security event monitoring to detect intruders or malicious activities. Devices are usually located in an access restricted environment such as data centers or private homes.
***Private network**: Private networks are usually an isolated network which is protected by the router's firewall configuration. Devices deployed inside the private network can freely communicate which imposes a risk if one or many of the devices in the private network is compromised. Network traffic in such environment could be intercepted and inspected on outbound network devices. Physical risks to devices located in a private network are unlikely since most of the devices are located in the private and access restricted environment of the user.
***Public network**: Public networks usually lack proper security configuration and network traffic might be eavesdropped, tampered or intercepted. The network may contain hostile devices and malicious users since the environment is not access restricted.
***Restricted/Monitored Networks**: Access to certain content might be restricted in certain networks through deep package inspection. Internet service providers or network administrators might restrict or disallow VPN traffic affecting the availability of the VPN connection.
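Review bot: the rewritten "Consumer Devices" entry now states "Consumer devices are located in private networks." while the "Public network" entry in the same hunk still describes networks that "may contain hostile devices and malicious users", and the rewrite silently drops the old sentence "Physical risks can not to be ruled out (for example it might be possible that a laptop gets stolen in a public network)." without replacing it; either keep a physical-risk statement under "Public network" or soften the consumer-device sentence to "usually located in private networks". The new lead-in "Devices might be located in insecure networks, which could include one or even a combination of the following networks:" is immediately followed by "Secure professionally managed environment", so it should read along the lines of "Devices might be located in one or a combination of the following network environments:". Minor: "deep package inspection" should be "deep packet inspection"; "In professionally managed environments usually utilize" is missing its subject ("Professionally managed environments usually utilize ..."); and the generalized "Private network" entry still says it "is protected by the router's firewall configuration", which matched the old "Private home network" wording but is not true of private networks in general.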