|
|
"safe" IPSec configurations for network admins
Network admins beware: If you are allowing access to your network using IPSec then you should make sure you understand the risks associated with any configuration you enable. IKE typically has two well-supported ways of negotiating a phase-1 security association: certificates and preshared keys. The rub is that both ends of the connection must use the same mechanism. I.e. the server can't present a cert while the client presents a PSK. Since the phase-1 SA always happens first and is used to protect the rest of the session, it is important to understand that:
This means that in the PSK-case, anyone with knowledge of the PSK (it can be cracked, ex or other rogue employees have it, anyone who can download your vpn client config or anyone who has had temporary access to a machine with your VPN information configured has it, etc.) and who is capable of intercepting traffic between a vpn user and your vpn concentrator (coffee shop|home|hotel wifi, FakeIKEd, etc...) can steal the user's credentials and make their own connection to your network using them. AFAIK, there are three well-supported ways to use IPSec to do client-termination "safely":
I don't have the cycles at the moment, but I'd love to see someone document the above three "safe" configurations for both the windows native client (potentially both with and without the CMAK), the OSX native client, the Cisco client, Cisco concentrators, ipsec-tools+l2tpd-base concentrators, openswan, etc.. Does this already exist somewhere? Cheers! |
SearchFrom our Sponsor...Latest Mountain Lion HintsWhat's New:HintsNo new hintsComments last 2 daysLinks last 2 weeksNo recent new linksWhat's New in the Forums?
Hints by TopicNews from Macworld
From Our Sponsors |
|
Copyright © 2014 IDG Consumer & SMB (Privacy Policy) Contact Us All trademarks and copyrights on this page are owned by their respective owners. |
Visit other IDG sites: |
|
|
|
Created this page in 0.17 seconds |
|