Delivering Quality of Service
10.4 Security Suggestions
Our primary security suggestion is to make the VPN the only entry point to your network from the Internet. That is, make sure all of your systems are blocked or otherwise inaccessible from the Internet unless outside users connect to it via a VPN. Chapter 2 describes the use of firewalls to do this, and the subsequent implementation chapters go into more detail.10.4.1 Restrict Who Has VPN Access
Its not a good idea to give out VPN access to just anyone. If your organization is undergoing constant change, or you are running a virtual corporation where everybody works from home, you may find it difficult to limit the users who have access. You may want to only allow people who really need remote access to have it. Here are some examples of people who might need remote VPN access: • Traveling sales or marketing people who need access to email and files. • Employees who work from home, or who need access to network servers after hours. Examples might be software developers, testers, documentation writers, or managers. Unless someone is permanently working from home or has a constant need for such access, it might be a good idea to grant them access only while they need the account, such as when theyre ill or unable to come into work. For example, an employee who breaks her leg badly and has to stay at home for several months might still be able to dial in and work. • Network or systems administrators. We also suggest that you create an acceptable-use policy governing your VPN accounts, which you should distribute to anyone with VPN access. Here are some suggested guidelines: • The VPN account is not a generic Internet account that an employee can use for anything he or she wants. Its virtually an extension of the corporations own network and the account the user has on the corporate system, even though it might go through an ISP. The user shouldnt give the account information to kids, relatives, friends, or even fellow employees. • The user shouldnt be routing a multi-homed connection to the VPN and another ISP. See the sidebar for an example of why. • The user should direct all technical support problems regarding the VPN to the network administrator rather than directly to the ISP involved. If needed, the network administrator can contact the ISP. There should be no reason for the user to give his or her password or the internal network domain to the ISP. • VPN users should change their passwords more often than other users of the internal network domain. They should also be sure to choose meaningless passwords, possibly 165 containing nonalphanumeric characters, that cant be easily guessed. Examples: xf3Kr or batCORE. • Finally, when employees leave, remember to take away their VPN access just as you do their accounts on the local system. Even though tracking them should be easy if they attempt to use it, they could still cause enough havoc and confusion to make life miserable for the rest of the employees—not to mention that VPN access makes it easier for them to leave with trade secrets or software licensed to your company. Why You Shouldnt Route a Multi-Homed Connection Between a Corporate VPN and Another ISP The second item of our acceptable use policy for VPNs mentions not allowing users to multi-home between the corporate VPN and another ISP. Heres an example of why they shouldnt: Bob the software engineer has two ISDN boards in his Windows NT system, one of which he uses to call his favorite ISP, the other he uses to connect to his offices VPN. Each ISDN interface has a separate IP address: one from the ISP, the other for the corporate network. Bob also has routing IP forwarding enabled on his NT box. This type of setup allows someone from the Internet to use Bobs machine as a gateway router to the corporate LAN. This effectively bypasses any type of firewall or proxy the company might have set up to prevent Internet access to the internal network. Weve heard stories of software developers who have set up their systems this way so that they could work from home, dialed into the corporate LAN, and surfed the Internet using their own ISP. When it was discovered that they were doing this, their employment was terminated.10.4.2 Restrict What VPN Users Can Get To
On large corporate LANs, network administrators often create several network segments separated by routers, which can limit network traffic to certain segments and provide firewall capabilities. For instance, theres no need for anyone in the manufacturing division to reach the human resources payroll server—whether they have a password or not. Likewise, you can use internal routers and firewalls to limit where the VPN users can go. If the resources are available to you, we highly recommend doing this. Since VPN routers or servers are often open to the outside, its the most vulnerable point on your network, and it makes sense to curb access as much as possible. You can start by limiting general access only to servers that VPN users would need most, such as email servers and a few application servers. Here are some examples of information you might never want accessible from a VPN user or remote access user: • Security and encryption information, such as RSA private keys and SSL certificates • Username and password information • Top-secret research and development information • Payroll information • Private information on employees, including psychological or health information • Any information your customers have entrusted you to keep private for instance, if youre a hospital, then youll want to keep medical records extremely secureParts
» Virtual Private Networks 2nd 1999
» How VPNs relate to Intranets
» What Are We Protecting with Our VPN?
» Firewalls How VPNs Solve Internet Security Issues
» Authentication How VPNs Solve Internet Security Issues
» Encryption How VPNs Solve Internet Security Issues
» Tunneling How VPNs Solve Internet Security Issues
» A Note on IP Address and Domain Name Conventions Used in This Book
» Packet restriction or packet filtering routers
» Bastion host What Types of Firewalls Are There?
» DMZ or perimeter zone network
» Proxy servers What Types of Firewalls Are There?
» A Brief History of Cryptography
» Cryptography: How to Keep a Secret
» Cryptography in Network Communications
» Hash algorithms Cryptographic Algorithms
» Secret key systems Cryptographic Algorithms
» Public key cryptosystems Cryptographic Algorithms
» Use of Cryptosystems and Authentication in a VPN
» ESP Encapsulating Security Payload
» AH Authentication Header VPN Protocols
» Internet Key Exchange, ISAMKPOakley
» ISO X.509 v.3 Digital Certificates
» LDAP Lightweight Directory Access Protocol Radius
» PPTP Point-to-Point Tunneling Protocol
» Basic Firewalling Methodologies for Compromising VPNs
» Ciphertext-only attack Cryptographic Assaults
» Known plaintext attack Cryptographic Assaults
» Chosen plaintext attack Cryptographic Assaults
» Chosen ciphertext attack Cryptographic Assaults
» Brute force attacks Cryptographic Assaults
» Password guessers and dictionary attacks
» Social engineering Cryptographic Assaults
» Address spoofing Network Compromises and Attacks
» Session hijacking Network Compromises and Attacks
» Man-in-the-middle attack Network Compromises and Attacks
» Replay attack Network Compromises and Attacks
» Detection and cleanup Network Compromises and Attacks
» Patents and Legal Ramifications
» General WAN, RAS, and VPN Concepts
» Telco Small to Medium Solutions
» Security, scalability, and stability
» Hardwaresoftware Small to Medium Solutions
» Administration Small to Medium Solutions
» Hardwaresoftware Administration Security, scalability, and stability
» Differences Between PPTP, L2F, and L2TP
» Dialing into an ISP That Supports PPTP
» Dialing into an ISP That Doesnt Support PPTP
» Where PPTP Fits into Our Scenario
» The encapsulation process Dissecting a PPTP Packet
» Accept encrypted authentication RAS authentication methods
» Accept Microsoft encrypted authentication
» Accept any authentication, including clear text
» Data encryption PPTP Security
» Availability Features of PPTP
» Easy Implementation Features of PPTP
» Multiprotocol Tunneling Features of PPTP
» Ability to Use Corporate and UnregisteredIP Addresses
» Choosing the protocols to tunnel
» Choosing your authentication method
» IP address negotiation using DHCP
» Outbound authentication using PPTP filtering
» Filtering caveats PPTP Filtering
» Installing PPTP Filtering by IP Address
» Configuring Users for Dial-up Access
» Configuring PPTP for Dial-up Networking on a Windows NT Client
» Configuring PPTP for Dial-up Networking on a Windows 95 or 98 Client
» Setting up global PPTP parameters Setting up a port for PPTP
» Configuring PPTP on an Ascend MAX 4004
» Making the Calls Configuring and Testing Layer 2 Connections
» The Event Viewer Login problems
» The Dial-Up Networking Monitor
» ping and traceroute Connectivity Testing
» Fixed IP addresses How to Allow PPTP Through Firewalls
» How PPTP Can Bypass a Proxy Server
» Three-part encryption technique Security
» Support for an emerging security standard
» Support for Security Dynamics SecureID
» Accessibility Flexibility Advantages of the AltaVista Tunnel System
» Platform Limitations AltaVista Tunnel Limitations
» Extranet server System Considerations
» Telecommuter client System Considerations
» Planning How the AltaVista Tunnel Works
» AltaVista Tunnel Extranet server
» Security procedures The Guts
» AltaVista Tunnel Telecommuter Client
» Sample configuration Implementing a LAN-to-LAN Tunnel
» Tunnel server configuration Implementing a LAN-to-LAN Tunnel
» Firewall configuration Host configuration
» Sample configuration Implementing Single Connections-to-LAN Tunnels
» Tunnel server configuration Implementing Single Connections-to-LAN Tunnels
» Firewall configuration Implementing Single Connections-to-LAN Tunnels
» Local host configuration Implementing Single Connections-to-LAN Tunnels
» Remote PC configuration Implementing Single Connections-to-LAN Tunnels
» Sample configuration Implementing PC-to-WAN Tunnels
» Tunnel server configuration Implementing PC-to-WAN Tunnels
» Tracing the packets Implementing PC-to-WAN Tunnels
» Preparing to Install Installing the AltaVista Tunnel
» Windows NT 4.0 Installing the AltaVista Tunnel Extranet Serverfor Windows NT
» Installing the AltaVista Tunnel Telecommuter Client for Windows
» Installing the AltaVista Tunnel Telecommuter Client for MacOS
» Initial configuration Adding Routes and Dynamic Addresses
» Managing routes and dynamic IPs
» Group configuration Adding Tunnel Groups
» Tunnel client information Adding Tunnel Groups
» Tools for Tunnel Management Changing Port Settings
» Rekey Interval and Minimum Encryption Settings
» Configuring Unix-to-Windows NT Tunnel Connections
» Getting Busy Configuring the AltaVista Telecommuter Client
» Tunnel Server and Client Configuration Checks
» Local Network and Internet Gateway Configuration Checks
» Encryption Capabilities The SSH Software
» Useful sshd parameters for our purposes
» Understanding SSH authentication ssh
» Useful ssh parameters for our purposes
» The VPN Components Creating a VPN with PPP and SSH
» Setting up the master and slave Linux systems
» Creating a user account on the slave
» Setting up SSH authentication
» Configuring sudo on the slave
» Putting pty-redir on the master
» Setting up the slaves scripts
» Testing the Connection Creating a VPN with PPP and SSH
» A Performance Evaluation Creating a VPN with the Unix Secure Shell
» ISP Assigned Addresses Global Pool
» Hardware solution Advantages of the PIX Firewall
» Superior to Unix and other router firewalls
» Single point of controlfailure
» Dynamic address translation Advantages of the PIX Firewall
» PIX acts like a proxy server
» Ease of configuration and maintenance
» High-speed access Advantages of the PIX Firewall
» Links Advantages of the PIX Firewall
» Hardware solution Limitations of the PIX Firewall
» Dynamic address use Limitations of the PIX Firewall
» Budgetary considerations Limitations of the PIX Firewall
» Maintenance Limitations of the PIX Firewall
» A Sample Configuration Configuring the PIX as a Gateway
» Firewall Configuration on the PIX
» debug xlate Testing, Tracing, and Debugging
» arp Testing, Tracing, and Debugging
» show interface Testing, Tracing, and Debugging
» Offering Services to the Internet Through Conduits and the static Command
» Tunneling with the link Directive
» Choosing an ISP Managing and Maintaining Your VPN
» Connectivity Problems Solving VPN Problems
» Authentication Errors Solving VPN Problems
» Routing Problems Dealing with an ISP
» Compatibility with Other Products
» Delivering Quality of Service
» Restrict What VPN Users Can Get To
» Avoid Public DNS Information for VPN Servers and Routers
» Keeping Yourself Up-to-Date Managing and Maintaining Your VPN
» Network Connections Hardware and Operating System VPN Package
» Connection Hardware and Operating System VPN Package
» Connection Hardware and Operating System
» VPN Package Remote Access Users
Show more