Using VPNs for Remote Access with Preshared Keys
While this type of preshared key is the most secure of the three types, it is not practical for
remote access applications, where users are typically connecting through a commercial Internet
service provider (ISP). Most users are not willing to pay for the luxury of a permanently
assigned IP address from their ISP and are assigned an IP address from an available pool of
addresses when they connect to the service. If you had a large installed base of VPN users,
keeping up with these dynamically assigned IP addresses to provide this level of security would
be a maintenance nightmare.
Group Preshared Keys
If you begin with unique preshared keys, at some point you may decide to use the same key for
discrete groups of users rather than one key per peer. When you do that, and drop the binding
between the key and a peer IP address, you have moved to the next type of preshared key, the
group preshared key.
A group preshared key is simply a shared key that is associated with a specific group. In a VPN
3000 Concentrator configuration, the group can be the Base Group or any other group that you
define.
A group preshared key is well suited for remote access VPNs and is the method used by Cisco
VPN 3000 Concentrators. It is good practice to use groups to establish Internet Key Exchange
(IKE) and IPSec settings and to provide other capabilities that are unique to a specific set of
users. If you choose to use the Cisco VPN 3000 Concentrator’s internal database for user
authentication, you can assign your users to specific groups, making the process of managing
preshared keys much easier.
Wildcard Preshared Keys
The final type of preshared key classification is the wildcard preshared key. This type of key
is bound to neither an IP address nor a group, so any device holding the key can establish an
IPSec connection with your VPN concentrator from any address. When you set up your
concentrator to use wildcard preshared keys, every device connecting to the concentrator must
also use preshared keys. Because a single secret is shared by every device, if any one device
is compromised you must change the key on all the devices in your network. A wildcard key is
also open to man-in-the-middle attacks, because anyone who holds it can impersonate the
concentrator to a legitimate peer or a legitimate peer to the concentrator, and it should not be
used for site-to-site applications.
NOTE
Man-in-the-middle attacks happen when an intruder has access to data packets that are in transit
between connection endpoints. The intruder can then modify information within the packets in
an attempt to gain access to the endpoints or for some other nefarious purpose, or might just
extract information from the packets. An attacker who obtains a wildcard preshared key, whether
by such interception or from any compromised device that holds it, can establish a VPN
connection to the concentrator from any other system, because the key is not tied to an address
or a group.
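The following is an added example, not code from the book or from Cisco, that models the three key bindings described above (unique by peer address, group, and wildcard) and the two operational consequences the text raises: a peer whose ISP-assigned address changes no longer matches its unique key, and a compromised device forces a rekey of every device that shares its secret. The names `PskEntry`, `lookup_key`, `authenticates` and `devices_to_rekey`, the sample addresses and the key strings are all constructed for illustration and do not reflect the VPN 3000 Concentrator's actual configuration format.

```python
"""Toy model of unique, group and wildcard preshared keys (added example,
not the book's or Cisco's code). All names, addresses and secrets below are
constructed for illustration."""
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class KeyType(Enum):
    UNIQUE = "unique"      # bound to one fixed peer IP address
    GROUP = "group"        # bound to a group name the client presents
    WILDCARD = "wildcard"  # matches any peer that holds the secret


@dataclass(frozen=True)
class PskEntry:
    key_type: KeyType
    secret: bytes
    peer_ip: Optional[str] = None   # used only for UNIQUE entries
    group: Optional[str] = None     # used only for GROUP entries


def lookup_key(entries: List[PskEntry], peer_ip: str,
               group: Optional[str] = None) -> Optional[PskEntry]:
    """Select the key the concentrator would try for an incoming peer,
    most specific binding first: unique (by address), then group, then wildcard."""
    for want in (KeyType.UNIQUE, KeyType.GROUP, KeyType.WILDCARD):
        for e in entries:
            if e.key_type is not want:
                continue
            if want is KeyType.UNIQUE and e.peer_ip == peer_ip:
                return e
            if want is KeyType.GROUP and group is not None and e.group == group:
                return e
            if want is KeyType.WILDCARD:
                return e
    return None


def authenticates(entries: List[PskEntry], peer_ip: str,
                  group: Optional[str], presented_secret: bytes) -> bool:
    """True if a peer at peer_ip presenting this secret (and optional group)
    would be accepted. Constant-time compare avoids leaking the secret by timing."""
    entry = lookup_key(entries, peer_ip, group)
    if entry is None:
        return False
    return hmac.compare_digest(entry.secret, presented_secret)


def devices_to_rekey(provisioned: Dict[str, PskEntry],
                     compromised_device: str) -> List[str]:
    """Blast radius of a compromise: every device provisioned with the same
    secret as the compromised one must receive a new key."""
    leaked = provisioned[compromised_device].secret
    return sorted(name for name, e in provisioned.items() if e.secret == leaked)


# Constructed sample configuration: one site-to-site peer with a fixed address,
# two groups of remote-access users, and one wildcard key for everyone else.
ENTRIES = [
    PskEntry(KeyType.UNIQUE, b"branch-office-key", peer_ip="203.0.113.10"),
    PskEntry(KeyType.GROUP, b"sales-group-key", group="sales"),
    PskEntry(KeyType.GROUP, b"eng-group-key", group="engineering"),
    PskEntry(KeyType.WILDCARD, b"wildcard-key"),
]

# Which device was provisioned with which key (constructed inventory).
PROVISIONED = {
    "branch-router": ENTRIES[0],
    "sales-laptop-1": ENTRIES[1],
    "sales-laptop-2": ENTRIES[1],
    "eng-laptop-1": ENTRIES[2],
    "contractor-pc": ENTRIES[3],
    "vendor-pc": ENTRIES[3],
}


if __name__ == "__main__":
    # The branch router matches its unique key only from its fixed address;
    # from a dynamically assigned address it falls through to the wildcard key.
    print(lookup_key(ENTRIES, "203.0.113.10").key_type)          # KeyType.UNIQUE
    print(lookup_key(ENTRIES, "198.51.100.5").key_type)          # KeyType.WILDCARD
    # A remote-access user is matched by group, whatever address the ISP assigned.
    print(lookup_key(ENTRIES, "198.51.100.5", "sales").group)    # sales
    # Anyone holding the wildcard secret authenticates from any address.
    print(authenticates(ENTRIES, "198.51.100.77", None, b"wildcard-key"))  # True
    # Rekey blast radius per key type.
    print(devices_to_rekey(PROVISIONED, "branch-router"))   # only the router
    print(devices_to_rekey(PROVISIONED, "sales-laptop-1"))  # the sales group
    print(devices_to_rekey(PROVISIONED, "vendor-pc"))       # every wildcard holder
```

The lookup order is a design choice of this model, not a documented concentrator behaviour; it is written most-specific-first so that a unique key, where one is bound to the peer's address, always wins over a group or wildcard key. The rekey output makes the trade-off concrete: compromising the branch router costs one key change, compromising a group member costs that group, and compromising any wildcard holder costs every device that shares the wildcard secret.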
chpt_04.fm Page 133 Friday, April 4, 2003 9:19 AM