Key Distribution - D-Link DFL-1600 User Manual

If the above requirements cannot be met, for instance, in cases where
the home computer belongs to the employee, then do not grant VPN
access.

End Point Security for Partners and other Companies

This subject is usually far more sensitive than securing computers that are
actually owned by the company. In cases where management has dictated
that a VPN should be established with a partner, subsidiary, or
subcontractor that has far more lax security policies, it can become a real
nightmare for the IT staff.

It is far from uncommon for a motivated intruder to research companies
likely to have connections to his/her target, virtual or otherwise. Should
the target's security be too high, it may prove to be far more fruitful to
probe other locations that may be used to launch an attack around the
primary defense perimeters.

In cases where the security of the remote network cannot be guaranteed,
technically and/or physically, it may be a good idea to move shared
resources to servers in a separate DMZ and grant remote access only to
those servers.

21.1.2 Key Distribution

Plan your key distribution schemes ahead of time. Issues that need to be
addressed include:

- By what means should the keys be distributed? Email is not a good idea.
  Phone conversations might be secure enough. This depends on your
  local security policy.
- How many different keys should be used? One key per user? One key
  per group of users? One key per LAN-to-LAN connection? One key
  for all users and one key for all LAN-to-LAN connections? You are
  probably better off using more keys than you think necessary today,
  since it becomes easier to adjust access per user (group) in the future.
- Should the keys be changed? If so, how often? In cases where keys
  are shared by multiple users, you may want to consider overlapping
  schemes, so that the old keys work for a short period of time when
  new keys have been issued.
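
The sketch below is an added example, not part of the D-Link manual and not how the firewall itself stores keys: it models one keyring per connection and an overlapping rotation in which the replaced key keeps working for a grace period. The class name `PeerKeyring`, the peer names and the 24-hour overlap are assumptions chosen for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

OVERLAP_SECONDS = 24 * 3600  # assumed grace period; set this from local policy


@dataclass
class PeerKeyring:
    """Pre-shared keys for ONE user, group or LAN-to-LAN connection (hypothetical helper)."""
    peer: str
    overlap: int = OVERLAP_SECONDS
    keys: list = field(default_factory=list)  # entries: [key, issued_at, retire_at or None]

    def rotate(self, now: int) -> bytes:
        """Issue a new key; the key it replaces stays valid for `overlap` seconds."""
        if self.keys:
            self.keys[-1][2] = now + self.overlap
        key = secrets.token_bytes(32)  # 256 bits from the OS CSPRNG
        self.keys.append([key, now, None])
        return key

    def accepts(self, presented: bytes, now: int) -> bool:
        """True if `presented` is the current key or an old key still in its overlap window."""
        ok = False
        for key, issued_at, retire_at in self.keys:
            live = issued_at <= now and (retire_at is None or now < retire_at)
            # Constant-time comparison, and no early exit, to avoid a timing side channel.
            if hmac.compare_digest(key, presented) and live:
                ok = True
        return ok

    def prune(self, now: int) -> int:
        """Drop keys whose overlap window has ended; returns how many were removed."""
        before = len(self.keys)
        self.keys = [k for k in self.keys if k[2] is None or now < k[2]]
        return before - len(self.keys)


def demo() -> dict:
    """Constructed timeline: two tunnels, one rotation on the first at t=1000."""
    branch, partner = PeerKeyring("branch-office"), PeerKeyring("partner-dmz")
    old, other = branch.rotate(0), partner.rotate(0)
    new = branch.rotate(1000)
    end = 1000 + OVERLAP_SECONDS
    return {
        "old_in_overlap": branch.accepts(old, end - 1),
        "old_after_overlap": branch.accepts(old, end),
        "new_key": branch.accepts(new, end),
        "other_peers_key": branch.accepts(other, 1000),
    }
```

Because each connection has its own keyring, retiring or rotating the key for one partner leaves every other tunnel untouched, which is the practical benefit of using more keys rather than fewer.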
D-Link Firewalls User's Guide
Chapter 21. VPN Planning