Restrict Who Has VPN Access

containing nonalphanumeric characters, that can't be easily guessed. Examples: xf3Kr or batCORE.
• Finally, when employees leave, remember to take away their VPN access just as you do their accounts on the local system. Even though tracking them should be easy if they attempt to use it, they could still cause enough havoc and confusion to make life miserable for the rest of the employees, not to mention that VPN access makes it easier for them to leave with trade secrets or software licensed to your company.

Why You Shouldn't Route a Multi-Homed Connection Between a Corporate VPN and Another ISP

The second item of our acceptable use policy for VPNs mentions not allowing users to multi-home between the corporate VPN and another ISP. Here's an example of why they shouldn't: Bob the software engineer has two ISDN boards in his Windows NT system, one of which he uses to call his favorite ISP, the other he uses to connect to his office's VPN. Each ISDN interface has a separate IP address: one from the ISP, the other for the corporate network. Bob also has IP forwarding (routing) enabled on his NT box. This setup allows someone on the Internet to use Bob's machine as a gateway router to the corporate LAN, which bypasses any firewall or proxy the company might have set up to prevent Internet access to the internal network. We've heard stories of software developers who set up their systems this way so that they could work from home, dialed into the corporate LAN, and surfed the Internet using their own ISP. When it was discovered that they were doing this, their employment was terminated.

10.4.2 Restrict What VPN Users Can Get To

On large corporate LANs, network administrators often create several network segments separated by routers, which can limit network traffic to certain segments and provide firewall capabilities. For instance, there's no need for anyone in the manufacturing division to reach the human resources payroll server, whether they have a password or not. Likewise, you can use internal routers and firewalls to limit where the VPN users can go. If the resources are available to you, we highly recommend doing this. Since the VPN router or server is open to the outside, it is often the most vulnerable point on your network, and it makes sense to curb what can be reached through it as much as possible. You can start by limiting general access to only the servers that VPN users need most, such as email servers and a few application servers. Here are some examples of information you might never want accessible to a VPN user or remote access user:
• Security and encryption information, such as RSA private keys and SSL certificates
• Username and password information
• Top-secret research and development information
• Payroll information
• Private information on employees, including psychological or health information
• Any information your customers have entrusted you to keep private (for instance, if you're a hospital, you'll want to keep medical records extremely secure)
You can then grant further access on a case-by-case basis. Software engineers will need to get to development servers, for instance. The ideal approach is to set up multiple VPN servers, one for each department, and limit who can use each; traffic arriving through the engineering server can then be filtered differently from traffic arriving through the general-purpose one.
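The following is an added example, not code from the book, that models the two controls discussed in the multi-homing sidebar above and in this section: an anti-spoofing check on the tunnel (a packet received through a tunnel must carry the address the VPN server assigned to that tunnel, which is exactly what a packet relayed from the Internet through Bob's NT box does not carry), and a first-match filter that lets each VPN address pool reach only the servers its users need while keeping the payroll segment off limits to every pool. All address ranges, server names and pool assignments are made up for the example; in a real deployment the same policy would be written in the router's or firewall's own ACL syntax, and a script like this is useful for reasoning about and unit-testing that policy before it goes live.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed addressing plan; none of these ranges come from the text.
GENERAL_VPN_POOL = ip_network("10.9.0.0/24")  # assigned by the general-purpose VPN server
ENGINEERING_POOL = ip_network("10.9.1.0/24")  # assigned by the engineering VPN server
MAIL_SERVER = ip_network("10.1.0.25/32")
APP_SERVERS = ip_network("10.1.1.0/28")
DEV_SERVERS = ip_network("10.2.0.0/24")
HR_PAYROLL_NET = ip_network("10.3.0.0/24")
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # None matches any destination port
    why: str


# First match wins; anything matching no rule hits the default deny at the end
# of filter_decision().  The payroll segment is denied first so that no later
# allow rule can accidentally open it.
VPN_TO_LAN_RULES = [
    Rule("deny", ANY, HR_PAYROLL_NET, None, "payroll is never reachable from remote access"),
    Rule("allow", GENERAL_VPN_POOL, MAIL_SERVER, 25, "SMTP to the mail server"),
    Rule("allow", GENERAL_VPN_POOL, MAIL_SERVER, 110, "POP3 from the mail server"),
    Rule("allow", GENERAL_VPN_POOL, APP_SERVERS, None, "the few application servers everyone needs"),
    Rule("allow", ENGINEERING_POOL, MAIL_SERVER, 25, "SMTP to the mail server"),
    Rule("allow", ENGINEERING_POOL, MAIL_SERVER, 110, "POP3 from the mail server"),
    Rule("allow", ENGINEERING_POOL, APP_SERVERS, None, "the few application servers everyone needs"),
    Rule("allow", ENGINEERING_POOL, DEV_SERVERS, None, "engineers also get the development segment"),
]


def tunnel_source_is_genuine(assigned_addr: str, src: str) -> bool:
    """Anti-spoofing check at the VPN server.  The only legitimate source
    address inside a tunnel is the one the server assigned to that tunnel.
    A packet that a multi-homed client (Bob's NT box) has forwarded from the
    Internet into the tunnel still carries the Internet host's address, so it
    fails this check."""
    return ip_address(src) == ip_address(assigned_addr)


def filter_decision(src: str, dst: str, dport: int):
    """Evaluate the segment-restriction rules for a packet leaving the VPN
    server toward the LAN; returns (action, reason)."""
    s, d = ip_address(src), ip_address(dst)
    for rule in VPN_TO_LAN_RULES:
        if s in rule.src and d in rule.dst and rule.dport in (None, dport):
            return rule.action, rule.why
    return "deny", "default deny: not on the list of servers VPN users need"


def vpn_forward(assigned_addr: str, src: str, dst: str, dport: int):
    """Full decision for one packet received through a tunnel to which the
    VPN server assigned assigned_addr."""
    if not tunnel_source_is_genuine(assigned_addr, src):
        return "deny", "source is not the tunnel's own address: spoofed or relayed by a multi-homed client"
    return filter_decision(src, dst, dport)


if __name__ == "__main__":
    # Constructed sample flows: (tunnel address, packet source, destination, port)
    samples = [
        ("10.9.0.7", "10.9.0.7", "10.1.0.25", 110),     # ordinary user fetching mail
        ("10.9.0.7", "10.9.0.7", "10.2.0.5", 22),       # ordinary user poking at development
        ("10.9.1.4", "10.9.1.4", "10.2.0.5", 22),       # engineer reaching development
        ("10.9.1.4", "10.9.1.4", "10.3.0.10", 80),      # engineer reaching payroll
        ("10.9.0.7", "203.0.113.50", "10.1.0.25", 25),  # Internet host relayed through Bob's box
    ]
    for assigned, src, dst, port in samples:
        action, why = vpn_forward(assigned, src, dst, port)
        print(f"{src:>14} -> {dst}:{port:<4} {action:5} ({why})")
```

One caveat: the ingress check only catches the simple case the sidebar describes, where the client forwards packets unchanged. A client that also translated addresses would send relayed traffic with its own tunnel address, and only the policy ban plus the segment filter would limit the damage.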

10.4.3 Avoid Public DNS Information for VPN Servers and Routers

Since your VPN server will be an accessible entry point to your network, it's better not to let attackers know what it is or what it does. The simplest thing to do is not assign a DNS hostname to your VPN server at all. If you must assign one (for internal use, for instance), look into setting up a fake DNS server with meaningless information that's accessible to the greater Internet, while you have a server with the real information for use inside your LAN.[1] At any rate, don't let the outside world see a meaningful name for your VPN server, such as avtunnel.caffeine.net, pptp-gw.caffeine.net, or even win-nt.caffeine.net. Any one of these tells an attacker what type of system it is, and therefore which vulnerabilities to try against it. That's why many network administrators follow some theme, such as Dr. Seuss characters, when naming hosts. It's a good way to give systems meaningless yet easy to remember names, not just an attempt to be cute. Remember that the reverse (PTR) record for the server's address is just as visible to the outside as the forward one, and that a bland name hides only the host's role: a scan of the address will still show which VPN protocol it answers. We recommend you set up an alternate DNS server for internal use anyway; that way you can give all servers more meaningful names for intranet users.
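As an added example (not from the book), here is a small audit of the zone your externally visible DNS server loads. It parses the A and CNAME records, follows aliases, and reports any public name that leads to the VPN gateway's address as well as any name that reveals a host's role or platform. The zone content, the domain, the gateway address and the keyword lists are constructed for the example; the grinch and lorax records stand in for the themed, meaningless names the text recommends.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed public zone for the book's example domain.  Assumption: the VPN
# gateway is 192.0.2.7.  The pptp-gw and remote records are the mistakes the
# audit should catch.
EXTERNAL_ZONE = """\
$ORIGIN caffeine.net.
@        IN  A      192.0.2.10
www      IN  A      192.0.2.10
@        IN  MX 10  grinch
grinch   IN  A      192.0.2.20
pptp-gw  IN  A      192.0.2.7      ; VPN gateway, should not be in the public zone
remote   IN  CNAME  pptp-gw        ; alias still leads to the gateway
lorax    IN  A      192.0.2.30
"""

# Substrings that tell an attacker what a host does or runs.  The short ones
# only count as a whole dash/dot/underscore-separated component, so "gw" does
# not fire on every name that happens to contain those two letters.
ROLE_HINTS = ("vpn", "tunnel", "pptp", "l2tp", "ipsec", "gateway",
              "firewall", "router", "win-nt", "winnt")
SHORT_HINTS = {"gw", "fw"}


def parse_zone(text: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (A records, CNAME records) from a zone file in the simple
    'name IN TYPE [pref] value' layout used above.  Other record types and
    $-directives are ignored; ';' starts a comment."""
    a_records: Dict[str, str] = {}
    cnames: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        name, rtype, value = fields[0], fields[2], fields[-1]
        if rtype == "A":
            a_records[name] = value
        elif rtype == "CNAME":
            cnames[name] = value
    return a_records, cnames


def resolve(name: str, a_records: Dict[str, str], cnames: Dict[str, str],
            max_depth: int = 8) -> Optional[str]:
    """Follow CNAME aliases (bounded, in case of a loop) down to an address."""
    for _ in range(max_depth):
        if name not in cnames:
            break
        name = cnames[name]
    return a_records.get(name)


def revealing_tokens(name: str) -> List[str]:
    """Which hints in a hostname give away its role or platform."""
    lowered = name.lower()
    hits = [h for h in ROLE_HINTS if h in lowered]
    hits += [t for t in re.split(r"[^a-z0-9]+", lowered) if t in SHORT_HINTS]
    return hits


def audit_external_zone(text: str, vpn_gateway_ip: str) -> List[Tuple[str, str]]:
    """Return (name, problem) pairs for every public record that either leads
    to the VPN gateway's address or describes what the host is."""
    a_records, cnames = parse_zone(text)
    findings: List[Tuple[str, str]] = []
    for name in list(a_records) + list(cnames):
        if resolve(name, a_records, cnames) == vpn_gateway_ip:
            findings.append((name, "resolves to the VPN gateway address"))
        hints = revealing_tokens(name)
        if hints:
            findings.append((name, "name reveals role or platform: " + ", ".join(hints)))
    return findings


if __name__ == "__main__":
    for name, problem in audit_external_zone(EXTERNAL_ZONE, "192.0.2.7"):
        print(f"{name:10} {problem}")
```

Run it against the zone file your Internet-facing server actually serves, not the internal one; a clean result means the public zone neither names the gateway nor points an alias at it.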

10.5 Keeping Yourself Up-to-Date

It's a good idea to keep your VPN up-to-date, but don't be in a rush to upgrade just because you're looking for a new feature or two. New software is notorious for introducing as many problems as it patches. Here are the primary reasons to upgrade your VPN software:
• There's a security hole in the product you currently use.
• There's a bug that causes system problems such as crashes, memory leaks, or networking problems.
• The current version isn't compatible with another product on your network, or a product that the remote users have, and the new version improves interoperability.
• The new version has several features essential to the operation of your VPN.
Finding information on VPNs is currently like trying to stargaze in the middle of Las Vegas: there's a lot of marketing hype out there, but practical information tends to get washed out. Nonetheless, we've compiled in Appendix B a short list of things to keep up with in the world of VPNs.

[1] A discussion of how to set up a fake DNS host can be found in Building Internet Firewalls, by D. Brent Chapman and Elizabeth D. Zwicky (O'Reilly & Associates).