1:

What are some features to look for in software IPsec clients?

A1:

In general, look for features that make it easy to manage the large installed base you might end up with. This includes automatic update of the client configuration and, ideally, automated upgrade of the client software itself. Some IPsec clients also bundle a basic host firewall that can be managed over the same channel as the IPsec configuration. Multiplatform support is usually critical, as is the ability to work with minimal initial configuration. Ideally, users should only have to point the client at the VPN gateway's hostname and be done. In reality, credentials such as preshared keys (or digital certificates, if you choose that route) usually must be provisioned in advance.

2:

What are some features to look for in hardware IPsec clients?

A2:

The same management issues that exist for software clients exist for hardware clients. Additional features to look for include QoS support, a full-featured firewall, limited IDS functionality, and some ability to audit the security of the local site. This last feature could take the form of rogue device detection or some kind of host security audit or scanning.

3:

Are there any physical security issues associated with hardware VPN devices in general?

A3:

The main concern is that, if a device is stolen or otherwise compromised, the keying material on it might be compromised as well. This could allow an attacker to connect a rogue hardware VPN device while the compromised device continues to function as usual, so nothing looks wrong from the gateway's side. As discussed in the chapter, digital certificates should be used if you do not require a user to authenticate to the hardware VPN device before a connection is established: a certificate identifies the individual device, so its credential can be revoked without rekeying every other device that shares a preshared key. In addition, management passwords should be protected using the same mechanism discussed in Chapter 6. This mechanism is not yet available on all devices, but it protects against recovery of the password if an attacker has local access to the device.
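
The last point in A3, as an added illustration that is not from the book: assuming the Chapter 6 mechanism is storing management passwords as one-way hashes (a "secret") rather than in the reversible "type 7" form that many network devices also accept, the following Python script audits an IOS-style configuration and shows why reversible storage fails the local-access test by reading the type 7 values straight back. The type 7 algorithm is the well-known fixed-key XOR; the sample configuration lines, the placeholder hash strings, and all function names are constructed for this example only.

```python
import re

# Constructed sample configuration for the example (not from the book).
# Hash values on the "secret" lines are placeholders, not real digests.
SAMPLE_CONFIG = """\
hostname branch-vpn-17
enable password letmein
username admin password 7 094F471A1A0A
username oper secret 5 $1$placeholder$md5cryptdigest
enable secret 9 $9$placeholder$scryptdigest
crypto isakmp key 7 110B0B041911035D53 address 203.0.113.10
line vty 0 4
 password 7 045802150C2E
"""

# Fixed key behind the type 7 "encryption": the scheme is a plain XOR
# against this constant, so anyone who can read the config can undo it.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Matches "password|secret|key [type] value"; the type digit is optional
# because plaintext credentials are often written without one.
CRED_RE = re.compile(r"\b(password|secret|key)\s+(?:(\d+)\s+)?(\S+)")


def decode_type7(encoded):
    """Recover the plaintext of a type 7 value (2-digit seed + hex body)."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])
                   for i, b in enumerate(body))


def encode_type7(plain, seed=0):
    """Produce a type 7 value; included only to show the scheme is symmetric."""
    out = "%02d" % seed
    for i, ch in enumerate(plain.encode()):
        out += "%02X" % (ch ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])
    return out


def classify(type_code, value):
    """Map a credential's storage type to a verdict and, if recoverable, its plaintext."""
    if type_code in (None, "0"):
        return "cleartext", value
    if type_code == "7":
        return "reversible", decode_type7(value)
    if type_code == "5":
        return "hashed-md5", None      # one-way, but MD5-based; prefer 8 or 9
    if type_code in ("8", "9"):
        return "hashed-strong", None   # PBKDF2-SHA256 / scrypt: not recoverable from the file
    return "unknown", None


def audit_config(text):
    """Return one finding per credential-bearing line in the configuration."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = CRED_RE.search(line)
        if not m:
            continue
        keyword, type_code, value = m.groups()
        verdict, recovered = classify(type_code, value)
        findings.append({"line": lineno, "keyword": keyword,
                         "type": type_code or "0", "verdict": verdict,
                         "recovered": recovered})
    return findings


def recoverable_secrets(text):
    """(line, plaintext) for every credential someone holding the file can read back."""
    return [(f["line"], f["recovered"]) for f in audit_config(text)
            if f["verdict"] in ("cleartext", "reversible")]


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        note = "" if f["recovered"] is None else " -> %r" % f["recovered"]
        print("line %d: %s type %s: %s%s"
              % (f["line"], f["keyword"], f["type"], f["verdict"], note))
```

Note that the IPsec preshared key on the `crypto isakmp key` line is recovered along with the management passwords, which is exactly the stolen-device scenario above: whoever has the device, or a backup of its configuration, has the keying material.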

4:

Are all the host security protections recommended in the "Network Design Considerations" section required if you provide mobile users with only traditional dial-up access directly to your organization?

A4:

If you could ensure that your users would never access the Internet through some other means (802.11, Ethernet) and that their portable computers would never be stolen, you might be able to avoid these controls. Unfortunately, users with mobile systems often want to take advantage of WLAN access in airports or hotels, if not to reach your organization, then merely to browse the Web. As such, you probably need a minimum set of protections such as OS/application hardening, host antivirus, and file system encryption (for critical systems).

5:

Based on your understanding of this chapter, which teleworker design is most appropriate for your organization?

6:

Do you anticipate the need for some hardware access if you think that the software design is most appropriate?

7:

Look back over the teleworker-tuned threats in Table 15-1. Find at least one place where you disagree with my selections. Would it change anything about the teleworker design you might use?




Network Security Architectures
ISBN: 158705115X
Year: 2006
Pages: 249
Authors: Sean Convery
