Vpn Planning; Key Distribution - D-Link DFL-1660 User Manual

9.1.3. VPN Planning

VPNs are normally only concerned with confidentiality and authentication. Non-repudiation is
normally not handled at the network level but rather is usually done at a higher, transaction level.
9.1.3. VPN Planning
An attacker targeting a VPN connection will typically not attempt to crack the VPN encryption
since this requires enormous effort. They will, instead, see VPN traffic as an indication that there is
something worth targeting at the other end of the connection. Typically, mobile clients and branch
offices are far more attractive targets than the main corporate network. Once inside those, getting to
the corporate network then becomes easier.
In designing a VPN there are many issues that need to be addressed which aren't always obvious.
These include:
• Protecting mobile and home computers.
• Restricting access through the VPN to needed services only, since mobile computers are
vulnerable.
• Creating DMZs for services that need to be shared with other companies through VPNs.
• Adapting VPN access policies for different groups of users.
• Creating key distribution policies.
Endpoint Security
A common misconception is that VPN-connections are equivalents to the internal network from a
security standpoint and that they can be connected directly to it with no further precautions. It is
important to remember that although the VPN-connection itself may be secure, the total level of
security is only as high as the security of the tunnel endpoints.
It is becoming increasingly common for users on the move to connect directly to their company's
network via VPN from their laptops. However, the laptop itself is often not protected. In other
words, an intruder can gain access to the protected network through an unprotected laptop and
already-opened VPN connections.
Placement in a DMZ
A VPN connection should never be regarded as an integral part of a protected network. The VPN
firewall should instead be located in a special DMZ or outside a firewall dedicated to this task. By
doing this, the administrator can restrict which services can be accessed via the VPN and ensure that
these services are well protected against intruders.
In instances where the firewall features an integrated VPN feature, it is usually possible to dictate
the types of communication permitted and NetDefendOS VPN has this feature.

9.1.4. Key Distribution

Key distribution schemes are best planned in advance. Issues that need to be addressed include:
• How will keys be distributed? Email is not a good solution. Phone conversations might be
secure enough.
• How many different keys should be used? One key per user? One per group of users? One per
LAN-to-LAN connection? One key for all users and one key for all LAN-to-LAN connections?
side-effect of authentication.
417
Chapter 9. VPN