VPN and dial-in connections provide a means to extend your corporate network to remote users and locations, allowing those remote users and locations to access your corporate resources as if they were local. With this access comes the need to harden these connections to ensure that you maintain the desired level of security on your infrastructure while providing the kind of functionality required by your users and business.
If you are providing VPN connectivity, you should use IPsec for your VPN connection protocol. If you require multiprotocol support, you should use L2TP tunneled within IPsec to provide connectivity. You should not use PPTP.
When providing IPsec VPN connections, use the most secure protocols and authentication methods available. Do not use AH as the traffic security protocol, because it does not encrypt the data; implement ESP instead so that the data is encrypted in transit. For encryption, do not use DES; use 3DES or one of the AES ciphers. Message integrity should be provided by SHA-1 rather than MD5, because SHA-1 produces a longer hash and is therefore more secure than MD5. Finally, authenticate all connections with pre-shared keys or RSA digital signatures so that only authenticated peers can connect to your network.
Your VPN devices should also be hardened against threats to the devices themselves. Allow only secure protocols, such as SSH and HTTPS, for remote administration. Only authorized users should be able to connect to and manage a device, and these users should not share common passwords; instead, they should be authenticated and authorized through individual local accounts or through RADIUS or TACACS+. Disable or filter any unnecessary services and protocols so that the device exposes only the minimum it requires; if you support only IPsec VPN connections, disable PPTP and L2TP as unnecessary services. Implement redundant devices to address hardware failure, ensuring that your users get the uptime your environment requires. Finally, ensure that your routing protocols accept only authenticated routing updates.
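As an added illustration (not from the original text), the following Python audit encodes the rules of the two paragraphs above as checks over a constructed device description: ESP rather than AH, 3DES or AES rather than DES, SHA-1 rather than MD5, pre-shared-key or RSA-signature peer authentication, no PPTP, and management only over SSH or HTTPS. The field names and the two sample configurations are assumptions, not a vendor's format.

```python
# Constructed example: audit an IPsec VPN device description against the
# hardening rules above. Field names and sample values are assumptions.

WEAK_CIPHERS = {"des"}
STRONG_CIPHERS = {"3des", "aes-128", "aes-192", "aes-256"}
WEAK_HASHES = {"md5"}
STRONG_HASHES = {"sha1"}            # the text's recommendation
PEER_AUTH = {"pre-shared-key", "rsa-sig"}
INSECURE_MGMT = {"telnet", "http"}  # cleartext management protocols
SECURE_MGMT = {"ssh", "https"}

def audit_ipsec(cfg):
    """Return a list of findings for one device config dict (empty = passes)."""
    findings = []
    proto = cfg.get("protocol", "").lower()
    if proto == "ah":
        findings.append("AH: integrity only, payload not encrypted; use ESP")
    elif proto != "esp":
        findings.append(f"unknown traffic security protocol {proto!r}")
    cipher = cfg.get("cipher", "").lower()
    if cipher in WEAK_CIPHERS:
        findings.append("DES cipher is weak; use 3DES or AES")
    elif cipher not in STRONG_CIPHERS:
        findings.append(f"unrecognised cipher {cipher!r}")
    digest = cfg.get("integrity", "").lower()
    if digest in WEAK_HASHES:
        findings.append("MD5 integrity is weak; use SHA-1")
    elif digest not in STRONG_HASHES:
        findings.append(f"unrecognised integrity algorithm {digest!r}")
    if cfg.get("peer_auth", "").lower() not in PEER_AUTH:
        findings.append("peer authentication must be pre-shared-key or rsa-sig")
    enabled = {s.lower() for s in cfg.get("enabled_services", [])}
    if "pptp" in enabled:
        findings.append("PPTP is enabled; it should not be used")
    if "l2tp" in enabled and not cfg.get("needs_multiprotocol", False):
        findings.append("L2TP enabled without a multiprotocol requirement; disable it")
    for svc in sorted(enabled & INSECURE_MGMT):
        findings.append(f"cleartext management protocol {svc} enabled; use SSH or HTTPS")
    if not (enabled & SECURE_MGMT):
        findings.append("no secure management protocol (SSH/HTTPS) enabled")
    return findings

# Constructed sample configs: a weak device and its hardened counterpart.
WEAK_CONFIG = {"protocol": "ah", "cipher": "des", "integrity": "md5",
               "peer_auth": "none", "enabled_services": ["pptp", "telnet", "http", "ssh"]}
HARDENED_CONFIG = {"protocol": "esp", "cipher": "aes-256", "integrity": "sha1",
                   "peer_auth": "rsa-sig", "enabled_services": ["ssh", "https"]}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_ipsec(cfg) or ["OK"])
```

The weak sample produces seven findings (AH, DES, MD5, unauthenticated peers, PPTP, HTTP and Telnet management) while the hardened one produces none; L2TP is accepted only when the config declares a multiprotocol requirement.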
Instead of providing dedicated dial-in access, you should implement a global Internet dialer and use VPN connections to provide remote user access. If, however, you are required to provide dial-in access, ensure that all connections are authenticated and that your dial-in access is centralized and managed to make it easier to control and filter that external traffic. Where possible, implement callback against authenticated users to ensure that the connection attempt is coming from an authorized location.
Although providing remote access can invite a multitude of security problems in your environment, if it's done properly, you can ensure that your security posture is fundamentally unchanged after providing the kind of functionality your users and company require.