What are some features to look for in software IPsec clients?
In general, look for features that make it easy to manage the large installed base you might have. These include automatic updates of the configuration and potentially automated changes to the software version. In addition, some IPsec clients come bundled with basic host firewalls that can be managed using the same management channels as the IPsec configuration. Multiplatform support is usually critical as well, as is the ability for the system to work with minimal initial configuration. Ideally, users should only have to point their IPsec clients to the VPN gateway's hostname and be done. In reality, credentials such as preshared keys (or digital certificates, if you choose that route) often must be provisioned in advance.
What are some features to look for in hardware IPsec clients?
The same management issues that exist in software exist in hardware. Additional features to look for include QoS support, a full-featured firewall, limited IDS functionality, and some ability to audit the security of the local site. This final feature could take the form of rogue device detection or some kind of host security audit or scanning.
Are there any physical security issues associated with hardware VPN devices in general?
The main concern is that, if a device is stolen or compromised, the keying material might be compromised as well. This could allow an attacker to connect a rogue hardware VPN device while leaving the compromised device functioning as usual. As discussed in the chapter, digital certificates should be used if you do not require authentication to the hardware VPN device prior to connection establishment. In addition, management passwords should be protected using the same mechanism discussed in Chapter 6. This mechanism is not yet available on all devices, but it protects against the recovery of the password if an attacker has local access to the device.
Are all the host security protections recommended in the "Network Design Considerations" section required if you provide mobile users with only traditional dial-up access direct to your organization?
If you could ensure that your users would never access the Internet through some other means (802.11, Ethernet) and that their portable computers would never be stolen, you might be able to avoid these controls. Unfortunately, users with mobile systems often want to take advantage of WLAN access in airports or hotels, if not to access your organization, merely to browse the Web. As such, you probably need a minimum set of protections such as OS/application hardening, host AV, and file system crypto (for critical systems).
Based on your understanding of this chapter, which teleworker design is most appropriate for your organization?
Do you anticipate the need for some hardware access if you think that the software design is most appropriate?
Look back over the teleworker-tuned threats in Table 15-1. Find at least one place where you disagree with my selections. Would it change anything about the teleworker design you might use?