Wednesday, March 14, 2012

SAFE VPN Axioms

The following axioms represent overarching design considerations that affect nearly every design within SAFE VPN. They
are included at the beginning of this document to limit redundancy in the rest of the paper. SAFE VPN assumes
conformance with the security axioms in the original SAFE white paper. However, compared with prior SAFE security
papers, this document relies more heavily on its axiom section: although VPN designs differ greatly with the size of the
enterprise, the underlying best practices remain virtually the same, so the design discussions are somewhat similar. The
axioms assume that the users and sites are members of your enterprise and within your domain of control; a separate design
discusses the security implications of extranets. After reading the VPN axioms, the authors intend that you will come to the
same design conclusions they reached in this document.

Identity and IPSec Access Control
In both site-to-site and remote-access VPNs, devices must be identified in a secure and manageable way. In remote-access
VPNs, user authentication occurs in addition to device authentication. Once the remote device is authenticated, some level of
access control needs to be in place so that only the traffic that belongs on the tunnel is permitted over it.

Device authentication uses either a preshared key or a digital certificate to establish the identity of a device. There are three
types of preshared keys: wildcard, group, and unique. Unique preshared keys are tied to a specific IP address. Group preshared
keys are tied to a group name identity; today these apply only to remote access. Wildcard preshared keys are not associated
with any unique information that could determine a peer's identity: any device that has the key authenticates successfully.
Therefore, wildcard preshared keys should not be used for site-to-site device authentication. The authors feel doing so is
asking for trouble. With a wildcard preshared key, every device in the network uses the same key, so if a single device in your
network is compromised and the key is recovered, every device is compromised. A compromised preshared key also exposes
the peers to man-in-the-middle attacks, and with the key an attacker can connect to any device in your network that the
remote-site access policy allows. Dynamic crypto maps make this easier by accepting Internet Key Exchange (IKE) requests
from any IP address. At an absolute minimum, you should consider using a unique preshared key between each pair of
devices, although obviously this does not scale in large networks. Depending on how strong the preshared keys are and how
often they are changed, they may not provide strong device authentication at all.
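The practices above can be checked mechanically. The following Python script is an added example written for this page, not code from the Cisco paper: it audits a Cisco IOS-style configuration for wildcard preshared keys, a key shared by a whole subnet, the same key reused across peers, short cleartext keys, and dynamic crypto maps on a site-to-site device. It parses only the `crypto isakmp key ... address|hostname` and `crypto map ... ipsec-isakmp dynamic` command forms (keyring-style `pre-shared-key` lines are not covered); the sample configuration, the 20-character threshold and the type-6 key values are all constructed for the example.

```python
"""Audit a Cisco IOS-style configuration for the IKE pre-shared-key
practices the SAFE VPN axioms warn about. Example code for this page, not
part of the Cisco paper. Assumptions: only `crypto isakmp key ...` and
`crypto map ... ipsec-isakmp dynamic ...` lines are parsed, and the
cleartext key-length threshold is a value chosen for this example."""
import re
from collections import defaultdict

# Finding = (line number, code, message); line 0 marks whole-config findings.
Finding = tuple[int, str, str]

# crypto isakmp key [0|6] <key> address <ip> [<mask>]   or   ... hostname <name>
ISAKMP_KEY = re.compile(
    r"^\s*crypto isakmp key\s+(?:(?P<enc>[06])\s+)?(?P<key>\S+)\s+"
    r"(?:address\s+(?P<addr>\d+\.\d+\.\d+\.\d+)(?:\s+(?P<mask>\d+\.\d+\.\d+\.\d+))?"
    r"|hostname\s+(?P<host>\S+))"
)
# crypto map <name> <seq> ipsec-isakmp dynamic <dynamic-map-name>
DYNAMIC_MAP = re.compile(
    r"^\s*crypto map\s+(?P<map>\S+)\s+\d+\s+ipsec-isakmp\s+dynamic\s+(?P<dyn>\S+)"
)

MIN_CLEARTEXT_KEY_LEN = 20  # audit threshold chosen for this example, not a Cisco value


def audit(config: str) -> list[Finding]:
    findings: list[Finding] = []
    peers_by_key: dict[str, list[str]] = defaultdict(list)
    weak_reported: set[str] = set()

    for lineno, line in enumerate(config.splitlines(), 1):
        m = ISAKMP_KEY.match(line)
        if m:
            key, enc = m.group("key"), m.group("enc")
            addr, mask, host = m.group("addr"), m.group("mask"), m.group("host")
            peers_by_key[key].append(host or addr)
            # address 0.0.0.0 [0.0.0.0] is the wildcard form: any peer holding
            # the key authenticates, so one compromised site exposes every site.
            if addr == "0.0.0.0" and mask in (None, "0.0.0.0"):
                findings.append((lineno, "WILDCARD",
                                 "wildcard pre-shared key: any holder of the key authenticates"))
            elif addr and mask not in (None, "255.255.255.255"):
                findings.append((lineno, "SUBNET",
                                 f"one key shared by every peer in {addr} {mask}"))
            # Type-6 keys are stored encrypted and cannot be assessed here;
            # short cleartext keys (untagged or type 0) are weak device identity.
            if enc != "6" and len(key) < MIN_CLEARTEXT_KEY_LEN and key not in weak_reported:
                weak_reported.add(key)
                findings.append((lineno, "WEAK_KEY",
                                 f"cleartext pre-shared key shorter than {MIN_CLEARTEXT_KEY_LEN} characters"))
            continue
        m = DYNAMIC_MAP.match(line)
        if m:
            findings.append((lineno, "DYNAMIC_MAP",
                             f"crypto map {m.group('map')} uses dynamic map {m.group('dyn')}: "
                             "IKE accepted from any source address; pair only with "
                             "certificates or unique per-peer keys, never a wildcard key"))

    # The same key on several peers is a group key in all but name.
    for key, peers in peers_by_key.items():
        if len(peers) > 1:
            findings.append((0, "REUSE",
                             f"pre-shared key reused for {len(peers)} peers ({', '.join(peers)}); "
                             "compromise of any one of them exposes the rest"))
    return findings


# Constructed sample configuration for this example (not from any real device).
CONSTRUCTED_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
!
! weak: one wildcard key for everyone, and the same key reused on named peers
crypto isakmp key S3cret address 0.0.0.0 0.0.0.0
crypto isakmp key S3cret address 203.0.113.10
crypto isakmp key S3cret address 203.0.113.11
!
! weak on a site-to-site router: the dynamic map answers IKE from any address
crypto dynamic-map DYN 10
 set transform-set TS
crypto map VPN 10 ipsec-isakmp dynamic DYN
!
! better: a long, unique key per peer, stored as type 6 (values are placeholders)
crypto isakmp key 6 Q7v9LpXm2RtZc4Wn8KdH0sYbJ3fGeA6u address 198.51.100.20
crypto isakmp key 6 Hx3TqLb8NcV2mZy5Rw0PsK7fDg4JeU9a address 198.51.100.21
"""

if __name__ == "__main__":
    for lineno, code, msg in audit(CONSTRUCTED_CONFIG):
        where = f"line {lineno}" if lineno else "config"
        print(f"{where}: {code}: {msg}")
```

Run against the constructed configuration, the audit reports the wildcard key, the short cleartext key (once per distinct key), the dynamic crypto map, and the reuse of `S3cret` across three peers; the two type-6, per-peer keys at the end produce no findings, which is the pattern the axiom recommends when certificates are not available.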
