VPN Best Practices


VPN configuration is largely self-explanatory once you have worked through the security appliance deployment in Chapter 11, "Deploying VPNs." A few additional points, however, can increase your security posture.

Clients that come in over VPN connections should be a great concern for you as an administrator. These clients have generally been in many insecure environments that attract viruses, worms, Trojans, adware, and spyware. An average PC, connected to a large Internet service provider (ISP) without a firewall or host intrusion prevention, will likely be infected in less than 30 minutes.

Here's a list of environments where malicious code is easily picked up, many times without any indication to the user:

  • Home PC with the kids downloading games

  • Home PC with no perimeter protection

  • Home PC with no firewall protection

  • Home PC with outdated or no antivirus protection

  • Home PC with everyday browsing

  • Laptop in wireless hotspots such as airports, coffee shops, and Internet cafés

Almost every VPN client that logs on to your firewall will fall into one, some, or all of these categories. Each category is dangerous from a security perspective. The bottom line is that VPN clients need to be treated as insecure machines, not because the users can't be trusted but because the machines have been exposed to many different Internet dangers. A best practice that should be taken seriously is to enforce a policy that these PCs cannot log on to a system unless they are running a personal firewall and host intrusion prevention software. This is referred to as "are you there" (AYT) functionality. The Cisco VPN client can currently enforce firewall AYT policy and, in early 2005, will support AYT functionality for the Cisco Security Agent. It is in your best interest to deploy this technology to protect your company and its network assets.

NOTE

AYT technology ensures that the security posture of a PC is adequate before letting the PC on your network. Another technology that enforces this technology and is cost free (if you have Cisco networking gear) is called Network Admission Control (NAC). To find out more about NAC, refer to http://www.cisco.com/go/nac.


You also need to keep careful control over VPN secret keys. Visualize the scenario in which you give the same secret key to every employee in the company for VPN access and one of the employees gets fired. Of course, the first thing you do is take the fired employee's username and password out of the database. However, because the ex-employee's PC still has the secret key, and because he probably knows the usernames of other people in the company, it might not be too difficult for him to use someone else's username and launch a brute-force password attack against your VPN deployment. You can mitigate this risk in a few ways:

  • Have a plan and process in place to change and distribute VPN preshared keys at frequent intervals, or change the key when someone is terminated.

  • Force frequent password changes.

  • Use AAA, which can disable an account after a certain number of login failures.

  • Watch your login failure logs. If you find many failures for one user, that might represent a brute-force password attack, and you would want to disable that user and issue a new username to him.
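As an added example (not from the book), the following Python script applies the last bullet above: it parses constructed ASA-style syslog lines in the 113005 "AAA user authentication Rejected" format (the exact message layout, the five-failure threshold, and the ten-minute window are assumptions to adjust for your environment) and flags any user whose failures cluster tightly enough to suggest a brute-force password attack rather than an occasional typo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the ASA 113005 "authentication Rejected" layout.
# Assumption: your appliance logs timestamps as "Mon DD YYYY HH:MM:SS" and
# ends the message with "user = <name>"; verify against real output.
SAMPLE_LOG = """\
Mar 10 2006 08:00:01 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = asmith
Mar 10 2006 08:00:09 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = asmith
Mar 10 2006 08:00:15 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = asmith
Mar 10 2006 08:00:22 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = asmith
Mar 10 2006 08:00:30 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = asmith
Mar 10 2006 08:01:00 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bjones
Mar 10 2006 09:30:00 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bjones
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-113005: .*?user = (?P<user>\S+)"
)

def parse_failures(log_text):
    """Return a list of (timestamp, user) tuples, one per rejected-login line."""
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
            failures.append((ts, m.group("user")))
    return failures

def find_brute_force_candidates(failures, threshold=5, window=timedelta(minutes=10)):
    """Return {user: peak_count} for users with >= threshold failures inside
    any sliding window of the given length. Failures spread over hours
    (bjones in the sample) are not flagged; a tight burst (asmith) is."""
    by_user = defaultdict(list)
    for ts, user in failures:
        by_user[user].append(ts)
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # slide the window forward
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged

if __name__ == "__main__":
    print(find_brute_force_candidates(parse_failures(SAMPLE_LOG)))
```

A flagged user is a candidate for the response the book describes: disable the account, issue a new username, and review the key-distribution process if a terminated employee is suspected.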

Another best practice to deploy with VPN is keepalives. You can use keepalives to try to determine whether a remote client is still active, and you can use keepalives to tear down a connection if it's determined that the client is no longer active. Keepalives are on by default in the ASA/PIX Security Appliance VPN deployment. You can modify or view the settings by navigating to Configuration > Features > VPN General > Tunnel Group > IPSec.



Securing Your Business with Cisco ASA and PIX Firewalls
ISBN: 1587052148
Year: 2006
Pages: 120
Authors: Greg Abelar