Manualshelf

Security Solutions

ManualsBrandsHP ManualsSoftwareHP ProCurve Access Control Client Software
151152153154155156157158159160
3-41
Designing Access Controls
Make Decisions about Remote Access (VPN)
First, you need to consider how remote users will authenticate. Digital certif-
icates provide the greatest security. Passwords (preshared keys) open a
couple of vulnerabilities:
Hackers can attempt to collect the passwords.
IKE addresses this vulnerability by sending the password (preshared key)
over a secure tunnel (IKE SA). PPTP with MS-CHAPv2, which also authen-
ticates users with passwords, is less secure.
With IKE, all users enter the same password (preshared key).
If even one user leaks the password (or leaves it written in an insecure
location), the privacy of your network is compromised.
However, PPTP allows users to authenticate to a RADIUS server with their
individual usernames and passwords as does IKE’s extended authentica-
tion (Xauth).
In addition to ensuring that only legitimate, remote users log in to your private
network, you must protect the privacy of the data that these users access. Your
next consideration is the security of the encryption algorithm. If you are using
IPsec, Authentication Header (AH) does not provide encryption; you should
select Encapsulating Security Payload (ESP) or, for even more security, ESP
and AH. For the encryption algorithm itself, if possible, use AES encryption
or at least 3DES. Although DES and PPTP’s MPPE offer a degree of security,
they are subject to some attacks. PPTP, in particular, has evinced some flaws.
Example
When factoring in only security for the VPN, the PCU network administrators
have selected the options shown in Table 3-26.
Table 3-26. Selecting VPN Options Based on Security Needs
Factor VPN Protocol Authentication
Method
Encryption Client Gateway
Security IPsec with IKE or
L2TP/IPsec
Digital certificates ESP with AES and
AH with SHA1
Any Any