Plan, Install and Operate VPN Gateways in Accordance with the BSI’s Basic IT Security Manual

While the core focus of IT administrators may not be security, they are often tasked with looking after network security, which can leave them feeling overwhelmed. They might ask themselves: “How do I know where best to focus? How do I know if my approach is correct?”

Fortunately, such questions can easily be answered.

Have a look at the manual for basic IT security (IT-Grundschutz) from the Federal Office for Information Security in Germany (BSI). It contains answers to many of the security questions IT professionals have, but unfortunately not many are familiar with its almost 4,500 pages, which cover almost all aspects of IT security.

The beauty of the BSI manual is that it is written fully independently of manufacturers and can be used in almost all system environments. Divided into building blocks, risks and measures, the manual for basic IT security provides a well-organized introduction and a comprehensive explanation of how to handle IT security matters.

German government agencies have to be certified through the BSI, and all other institutions and companies can also be certified. BSI standards are the basis for the certification, which is compatible with ISO 27001. The implementation is described in the BSI manual.

If an expensive certification is not required, working with the manual for basic IT security makes sense because the manual is free of charge – the current version can be downloaded from the BSI website and an HTML version is also available.

Also, the clear structure is a big plus. If companies lack adequate security planning and a holistic view of IT security, the BSI manual presents a standardized approach built on industry-wide best practices. All building blocks of a cybersecurity strategy are identically constructed, so that once you understand how each element functions, you can use the same approach for all other building blocks.

The Building Blocks

The BSI manual includes a specific building block for VPNs that outlines a very comprehensive process for planning, implementing and operating a remote access infrastructure, independent of the solution used. VPNs are addressed in building block 4.4, which belongs to the “net” level. Within the building block itself, the BSI briefly describes the use of VPNs and their types, followed by the relevant dangers recognized by the BSI. True to the structured approach, these are grouped into the categories “Act of God,” “Organizational Shortcomings,” “Human Error,” “Technical Faults” and “Premeditated Acts.” The dangers within each group are not exclusive to VPNs.

The Risks

G 3.16 addresses “Faulty Administration of Access Rights,” which covers problems related to all sorts of access rights. When a network administrator understands and addresses the risks resulting from incorrect handling of access rights in multiple areas of the company, the security level of the company as a whole generally benefits. Not all dangers have to be relevant for every situation: whoever uses only site-to-site VPN connections does not have to bother administering VPN clients on mobile devices. The manual for basic IT security gives administrators a free hand as to which risks they consider important and where they want to take steps to mitigate them.

The Measures

The Measures section shows administrators how to mitigate the risks. It also has a clear structure, one that is not specific to VPNs: the measures follow a flow oriented toward the lifecycle of the technology, from planning and purchasing, to implementation and operation, to selection.

Furthermore, emergency planning is treated as its own category. The measures range from extremely focused to extremely comprehensive. For example, the first measure in the planning area is carrying out a requirements analysis. This demands that the business processes involved be identified and that the application areas and users that come into contact with the VPN be listed. Availability, restrictions, possible bandwidths – the list of factors covered is long. At the other end of the spectrum, M 4.322 “Revoke no longer needed VPN access” is covered in only half a page of text.

Thousands of Pages, But Worth the Insight

The manual for basic IT security is an extremely helpful tool for IT admins who want to address IT security within their company, not just in general but also for specific parts of the IT environment, like VPNs. Unfortunately, it is not well known outside government agencies, and IT admins are often put off by the sheer size of the manual. A pocketbook-sized version of the manual provides short instructions covering all the important topics, saving the IT admin’s time and sparing them from having to read through all 4,500 pages on every topic. In any case, a visit to the BSI website is worth it.
