Old VPNs and Access

While reviewing logs last week, I noticed that a VPN server over at our DR site was still online. This particular server should have been removed a year ago when we transitioned to new VPN software. I didn’t have a copy of the old VPN software installed anywhere, but I remembered that if I connected on the VPN port, it would answer with a banner. Sure enough, the VPN was still online.
That’s the problem with development firewalls and DR sites: they don’t get used that often and, as a result, they can be forgotten. That’s not good for security. I notified the VPN and operating system admins, who disabled the VPN immediately. It looks like the VPN admin tried to disable the product, but didn’t do it correctly.
The lesson is kind of obvious: know what you have. Also, trust but verify. The old VPN access should have been removed from the firewall rules when its approval to exist expired. No one verified that this actually happened.
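
One way to automate that verification, as an added example that is not from the original post: it walks an inventory of firewall exceptions and, for each one whose approval has expired, checks whether the service still accepts a TCP connection and returns a banner. The inventory format, entry name, address and port are assumptions made for illustration.

```python
import socket
from datetime import date

def probe(host, port, timeout=2.0):
    """Return (answers, banner) for a TCP connect to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                banner = s.recv(128)  # many services greet first; silence is fine
            except OSError:
                banner = b""
            return True, banner.decode("latin-1").strip()
    except OSError:  # refused, timed out, unroutable, or name not found
        return False, ""

def audit(inventory, today, probe_fn=probe):
    """Return entries whose approval has expired but which still answer."""
    findings = []
    for entry in inventory:
        if entry["approved_until"] >= today:
            continue  # still approved, nothing to verify yet
        answers, banner = probe_fn(entry["host"], entry["port"])
        if answers:
            findings.append({"name": entry["name"], "banner": banner,
                             "expired": entry["approved_until"]})
    return findings

if __name__ == "__main__":
    # Constructed inventory; name, address and port are placeholders.
    inventory = [
        {"name": "old-vpn-dr", "host": "192.0.2.10", "port": 10443,
         "approved_until": date(2023, 1, 31)},
    ]
    for f in audit(inventory, date.today()):
        print(f"{f['name']}: approval ended {f['expired']}, still answering"
              f" (banner: {f['banner']!r})")
```

Run on a schedule from a network position that the firewall exception covered, so a finding means both the rule and the service are still in place.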