VPN 3002 Security

mmelbourne
Level 5
Level 5

We are considering deploying VPN3002 devices to remote sites, to connect to the corporate network over Cable/DSL ISP connections. However, if the device is stolen it could be connected to any ISP (as DHCP is configured on the public interface) and then connect into our internal network. In some cases, it may be possible to use "Interactive Client Authentication" with a RSA SecurID token (as we do for dial-in and software VPN clients), but this would be impractical for some sites. Another option could be to obtain a static IP address for the public interface. We use CiscoSecure ACS for back-end authentication, but ACS just contains the static username/password as configured on the VPN3002 hardware client.

Can CSACS be set up only allow connections from VPN hardware clients with specific public IP addresses (given that the authentication request comes from the VPN Concentrator; not the VPN 3002 hardware client)?

6 Replies

gfullage
Cisco Employee
Cisco Employee

No, ACS can't do this because as you mentioned, the auth request comes from the head-end 30xx, not the remote 3002.

The easiest thing to do is if the 3002 is stolen, simply remove the username/password that this box was configured to use from your ACS server, that way it'll never be able to bring up a tunnel.

An interesting question and from the network admin side I think the concern would be "What damage can be done before it is noticed that the box is gone?" Could xauth be used in some fashion to where the box may create a tunnel but no network resources could be accessed w/o proper credentials?

A very interesting question. I agree that the concern should be "What damage can be done before it is noticed that the box is gone?"

It is possible to configure XAuth where each machine has to be authenticated before any network resources could be accessed. So without proper credentials no one would be able to access the network resources.

rgarron
Level 1
Level 1

Since the 3.5 release of the 3002 - you can use the Unit Authentication feature. This feature is enabled on the VPN3000 concentrator side. Anyone who does not have the password to Authenticate the Unit cannot/will not be able to complete a Tunnel to the Headend. Even if you have Split Tunneling enabled - you will not be able to access the internet (sites in the clear) through the 3002 without first Authenticating the Unit. Unit Authentication uses Internal, Radius, NT & SecureID for Authentication types.

In conclusion - If unit authentication is enabled and someone steals your 3002 - they can't really use the box for much of anything...

I agree, the use of Unit Authentication coupled with token-based login would provide adequate security against the VPN3002 being stolen and would probably be adequate for a homeworker network.

However, if these are to replace ISDN routers (for example) to offer increased bandwidth, then for a site-wide network, user authentication is impractical. The same could be said of ISDN routers if they are stolen, but we do use CLI at the head-end to screen the calls.

Why not use Username/Password (NT Domain or Active Directory) authentication here for individual user authentication? In any case users will have accounts in them and the ACS server can be configured to use the above databases.

Of course the Domain Controllers will have to be audited to look for failed logon attempts.
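The last reply points at the detection side of this thread: once the stolen unit's credential has been removed from ACS (as suggested earlier), any further use of the box shows up as repeated failed logons for that account, and the same applies to guessed user credentials against the domain. The script below is an added example, not from the thread or from Cisco; it runs over constructed log lines in a simple `timestamp|result|account|source` form (an assumed format, standing in for a real ACS or domain controller export) and flags any account/source pair whose failed logons reach a threshold within a sliding time window.

```python
"""Added example: flag bursts of failed logons per account and source.

Not part of the original thread. The log format and sample data are
constructed for illustration; adapt parse_line() to the real export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a revoked hardware-client account retried in a burst,
# and an ordinary user with two isolated failures an hour apart.
SAMPLE_LOG = """\
2003-03-10T08:00:05|FAIL|site12-3002|203.0.113.7
2003-03-10T08:00:09|FAIL|site12-3002|203.0.113.7
2003-03-10T08:00:14|FAIL|site12-3002|203.0.113.7
2003-03-10T08:00:20|FAIL|site12-3002|203.0.113.7
2003-03-10T08:05:00|OK|jsmith|192.0.2.44
2003-03-10T08:30:00|FAIL|jsmith|192.0.2.44
2003-03-10T09:30:00|FAIL|jsmith|192.0.2.44
"""


def parse_line(line):
    """Split one 'timestamp|result|account|source' record (assumed format)."""
    ts, result, account, source = line.strip().split("|")
    return datetime.fromisoformat(ts), result, account, source


def failed_logon_alerts(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {(account, source): max_failures_in_window} for every
    account/source pair that reaches `threshold` failed logons inside
    any span of length `window`. Successful logons are ignored."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, account, source = parse_line(line)
        if result == "FAIL":
            failures[(account, source)].append(ts)

    alerts = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        densest = 0
        # Sliding window: advance `start` until the span fits in `window`.
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            densest = max(densest, end - start + 1)
        if densest >= threshold:
            alerts[key] = densest
    return alerts


if __name__ == "__main__":
    for (account, source), count in failed_logon_alerts(SAMPLE_LOG).items():
        print(f"ALERT: {count} failed logons for {account} from {source} "
              f"within 5 minutes")
```

With the sample data only the retired `site12-3002` account from `203.0.113.7` is reported (four failures in 15 seconds); the two failures for `jsmith` are an hour apart and stay below the threshold. The source address is part of the key deliberately: after a unit is reported stolen, failures for its account from an address that is not the site's ISP assignment are the signal worth paging on.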