Centralized Management

Another item that you might have noticed was the emphasis on centralized (headend) management of the remote devices and the tunnel configurations. An IPSec tunnel depends on matching authentication during the IKE phases (including using the same preshared key or validating certificates) and then on matching IPSec configuration criteria, such as the encryption and authentication algorithms, the choice of the same traffic to encrypt, and so on.

Putting things bluntly, if IT finds it difficult to trust users to handle the Windows Update function, it is overwhelmingly likely that it does not want to handle a help-desk call trying to troubleshoot what changed in the tunnel parameters. ("I didn't change anything! I swear, it just stopped working!") Whether the tunnel termination is the VPN software client, the VPN hardware client, the firewall, or the router, whenever possible, the SAFE Blueprints assume centralized management of all tunnel-configuration parameters.
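As an added example (not from the book), the following Python script shows the kind of parameter comparison a headend operator would run to find out what drifted on a remote device: IKE policy, IPSec transform set and mirrored traffic selectors. The dictionary layout and field names are assumptions chosen for illustration, not any vendor's configuration format.

```python
"""Compare a headend IPSec/IKE configuration with a remote peer's copy and
report every mismatch that would stop the tunnel from coming up.
Added example; field names are assumptions, not a vendor format."""
import hmac

# Constructed sample configurations: the remote copy has drifted (hash).
HEADEND = {
    "ike": {"encryption": "aes-256", "hash": "sha256", "dh_group": 14,
            "auth": "pre-share", "psk": "example-psk-not-real"},
    "ipsec": {"encryption": "esp-aes-256", "auth": "esp-sha256-hmac", "pfs": 14},
    "selector": {"local": "10.1.0.0/16", "remote": "10.2.0.0/24"},
}
REMOTE = {
    "ike": {"encryption": "aes-256", "hash": "sha1", "dh_group": 14,
            "auth": "pre-share", "psk": "example-psk-not-real"},
    "ipsec": {"encryption": "esp-aes-256", "auth": "esp-sha256-hmac", "pfs": 14},
    "selector": {"local": "10.2.0.0/24", "remote": "10.1.0.0/16"},
}


def find_mismatches(headend: dict, remote: dict) -> list[str]:
    """Return human-readable mismatches; an empty list means both sides agree."""
    problems = []
    for phase in ("ike", "ipsec"):
        for key, want in headend[phase].items():
            if key == "psk":
                # Compare the shared secret in constant time and never echo it.
                if not hmac.compare_digest(str(want), str(remote[phase].get(key, ""))):
                    problems.append("ike: preshared key differs")
                continue
            got = remote[phase].get(key)
            if got != want:
                problems.append(f"{phase}: {key} headend={want!r} remote={got!r}")
    # Traffic selectors must be mirror images: the headend's local network is
    # the remote's remote network and vice versa, or no traffic will match.
    h_sel, r_sel = headend["selector"], remote["selector"]
    if h_sel["local"] != r_sel["remote"] or h_sel["remote"] != r_sel["local"]:
        problems.append("selector: crypto ACLs are not mirror images "
                        f"(headend {h_sel}, remote {r_sel})")
    return problems


if __name__ == "__main__":
    report = find_mismatches(HEADEND, REMOTE) or ["no mismatches: tunnel parameters agree"]
    for line in report:
        print(line)
```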

Besides reducing the headache level, another reason for centralized management has to do with handling things when a tunnel authentication must be revoked. If a laptop is lost or stolen, if an employee is terminated for copying the firewall parameters (more on how that was addressed and corrected comes later), or for any other reason that a previously valid tunnel can no longer be accepted, it is easier to manage that from the headend than to try to talk a remote user through the changes to make in the local configuration.

If certificates are being used, it is as simple as adding the certificate to the Certificate Revocation List (CRL), which should be checked before any certificate is accepted as valid. If a preshared key has been compromised, it is faster, and more secure, to immediately establish a tunnel to the remote device and modify the configuration, clear the SAs, and re-establish a new connection under the new key.
CCSP CSI Exam Cram 2 (Exam Cram 642-541)
ISBN: 0789730243
Year: 2002
Pages: 177
Author: Annlee Hines