Delivering Quality of Service

priority of your VPN traffic, while lowering the priority of traffic that is not necessarily business oriented, such as PointCast, NNTP, or access to certain URLs. The Resource Reservation Protocol (RSVP) is a proposed Internet QoS standard that can be used to manage IP traffic. It is already available on some routing and VPN equipment and in some operating systems. In addition, there are a number of bandwidth management products available from vendors such as Packeteer and Check Point.

10.4 Security Suggestions

Our primary security suggestion is to make the VPN the only entry point to your network from the Internet. That is, make sure all of your systems are blocked or otherwise inaccessible from the Internet unless outside users connect to it via a VPN. Chapter 2 describes the use of firewalls to do this, and the subsequent implementation chapters go into more detail.

10.4.1 Restrict Who Has VPN Access

It's not a good idea to give out VPN access to just anyone. If your organization is undergoing constant change, or you are running a virtual corporation where everybody works from home, you may find it difficult to limit the users who have access. You may want to allow only people who really need remote access to have it. Here are some examples of people who might need remote VPN access:

• Traveling sales or marketing people who need access to email and files.
• Employees who work from home, or who need access to network servers after hours. Examples might be software developers, testers, documentation writers, or managers. Unless someone is permanently working from home or has a constant need for such access, it might be a good idea to grant them access only while they need the account, such as when they're ill or unable to come into work. For example, an employee who breaks her leg badly and has to stay at home for several months might still be able to dial in and work.
• Network or systems administrators.

We also suggest that you create an acceptable-use policy governing your VPN accounts, which you should distribute to anyone with VPN access. Here are some suggested guidelines:

• The VPN account is not a generic Internet account that an employee can use for anything he or she wants. It's virtually an extension of the corporation's own network and of the account the user has on the corporate system, even though it might go through an ISP. The user shouldn't give the account information to kids, relatives, friends, or even fellow employees.
• The user shouldn't be routing a multi-homed connection to the VPN and another ISP. See the sidebar for an example of why.
• The user should direct all technical support problems regarding the VPN to the network administrator rather than directly to the ISP involved. If needed, the network administrator can contact the ISP. There should be no reason for the user to give his or her password or the internal network domain to the ISP.
• VPN users should change their passwords more often than other users of the internal network domain. They should also be sure to choose meaningless passwords, possibly containing nonalphanumeric characters, that can't be easily guessed. Examples: xf3Kr or batCORE.
• Finally, when employees leave, remember to take away their VPN access just as you do their accounts on the local system. Even though tracking them should be easy if they attempt to use it, they could still cause enough havoc and confusion to make life miserable for the rest of the employees—not to mention that VPN access makes it easier for them to leave with trade secrets or software licensed to your company.

Why You Shouldn't Route a Multi-Homed Connection Between a Corporate VPN and Another ISP

The second item of our acceptable-use policy for VPNs mentions not allowing users to multi-home between the corporate VPN and another ISP. Here's an example of why they shouldn't: Bob the software engineer has two ISDN boards in his Windows NT system; one he uses to call his favorite ISP, the other he uses to connect to his office's VPN. Each ISDN interface has a separate IP address: one from the ISP, the other for the corporate network. Bob also has routing (IP forwarding) enabled on his NT box. This type of setup allows someone from the Internet to use Bob's machine as a gateway router to the corporate LAN. This effectively bypasses any type of firewall or proxy the company might have set up to prevent Internet access to the internal network. We've heard stories of software developers who have set up their systems this way so that they could work from home, dial into the corporate LAN, and surf the Internet using their own ISP. When it was discovered that they were doing this, their employment was terminated.
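An added example (not from the book) of how an administrator could audit a Linux-style remote host for the condition the sidebar describes: it parses `ip route show` output together with the `ip_forward` sysctl value, both constructed samples here, and flags a machine that reaches the corporate prefixes on one interface, has its default route out another, and has forwarding enabled. The corporate prefixes, interface names and addresses are assumptions.

```python
import ipaddress

# Constructed sample of `ip route show` on a host set up like Bob's:
# the default route goes out the ISP link, the corporate network via the VPN link.
SAMPLE_ROUTES = """\
default via 192.0.2.1 dev isdn0 proto static
192.0.2.0/24 dev isdn0 proto kernel scope link src 192.0.2.77
10.0.0.0/8 via 172.16.5.1 dev isdn1 proto static
172.16.5.0/24 dev isdn1 proto kernel scope link src 172.16.5.23
"""
# Constructed content of /proc/sys/net/ipv4/ip_forward ("1" = routing enabled).
SAMPLE_IP_FORWARD = "1\n"
# Assumed corporate address space (RFC 1918 ranges used here as placeholders).
CORP_PREFIXES = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12")]


def parse_routes(text):
    """Return (destination network, device) pairs from `ip route show` lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or "dev" not in fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(dest, strict=False), dev))
    return routes


def assess_split_tunnel_risk(routes_text, ip_forward_text, corp_prefixes):
    """Flag a host that is a potential gateway between the Internet and the LAN:
    a corporate route on one interface, a default route on another, forwarding on."""
    routes = parse_routes(routes_text)
    corp_devs = {dev for net, dev in routes
                 if any(net.version == p.version and net.subnet_of(p)
                        for p in corp_prefixes)}
    inet_devs = {dev for net, dev in routes if net.prefixlen == 0}
    forwarding = ip_forward_text.strip() == "1"
    bridged = bool(corp_devs and (inet_devs - corp_devs))  # two distinct sides
    return {"forwarding_enabled": forwarding,
            "corp_interfaces": sorted(corp_devs),
            "internet_interfaces": sorted(inet_devs),
            "acts_as_gateway": forwarding and bridged}


if __name__ == "__main__":
    print(assess_split_tunnel_risk(SAMPLE_ROUTES, SAMPLE_IP_FORWARD, CORP_PREFIXES))
```

A host whose only default route is through the VPN interface, or whose forwarding is off, is not flagged; the check is meant to run from an endpoint compliance script before the VPN session is allowed to proceed.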

10.4.2 Restrict What VPN Users Can Get To

On large corporate LANs, network administrators often create several network segments separated by routers, which can limit network traffic to certain segments and provide firewall capabilities. For instance, there's no need for anyone in the manufacturing division to reach the human resources payroll server—whether they have a password or not. Likewise, you can use internal routers and firewalls to limit where the VPN users can go. If the resources are available to you, we highly recommend doing this. Since VPN routers or servers are often open to the outside, they are the most vulnerable point on your network, and it makes sense to curb access as much as possible. You can start by limiting general access to only the servers that VPN users would need most, such as email servers and a few application servers. Here are some examples of information you might never want accessible to a VPN user or remote access user:

• Security and encryption information, such as RSA private keys and SSL certificates
• Username and password information
• Top-secret research and development information
• Payroll information
• Private information on employees, including psychological or health information
• Any information your customers have entrusted you to keep private (for instance, if you're a hospital, then you'll want to keep medical records extremely secure)