IPSEC Question - technology doubt

Unanswered Question
Apr 26th, 2010

Hello,

I have deployed some configurations for VPN connectivity using L2TP and sometimes PPTP, however since both protocols are not designed with security in mind we usually place them over IPSEC to ensure data confidentiality. I searched online for examples but must implementations I found define a PSK for IPSEC and them (for example) integrate the authorization process with Active Directory using the person's username/password.

Using an username/password is something very easy intuitive for a common user, however confidentiality is only ensured by the PSK, isn't this a bad choice when we have to design a scenario where there are hundreds of different users connection to the VPN in a Roadwarrior style? Basically everyone's has to know the PSK compromising the confidentiality between them.

Are there any solutions for this kind of scenarios?

Using x.509 might be a solution I think, however I would much rather use an username/password than having to deploy certificates to every single user, and teach them how to use them.

This isn't a very CISCO related question, however the scenario I'm going to implement will be with Cisco routers acting has VPN concentrators.


Thank you.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Federico Coto F... Mon, 04/26/2010 - 18:48

Hi,

IPsec technology in IOS or Cisco devices allows for two methods of peer authentication.

The two methods are PSK and PKI.

Relying on PSK is very easy but not scalable.

For large VPN scenarios the recommendation is PKI.

The previous two methods are for peer (or device) authentication, then to authenticate a user you have several options, for example relying simply on a user/pass database or using additional security like tokens or OTPs.

The pre-shared keys can be used as wildcards so it is easy to manage them in large enterprises, but not a recommended solution due to security reasons.

I think that you should consider managing pre-shared keys against deploying a PKI scenario.

For digital certificates, you can use a third-party entity or have an in-house CA which you can administer (ASA or IOS could serve as CA authority for some scenarios).

So, for large environments the recommendation is PKI, unless you want to stick with PSKs.

For user authentication, you can consider other security factors like mutual-authentication (far more secure than a single user/pass).

Hope to help.

Federico.

nibauramos Tue, 04/27/2010 - 03:20

Hello, thank you for your answer, I will investigate the configuration with a PKI cenario.

Actions

This Discussion