A primary element of a VPN is its method of user authentication. You can use either shared keys or digital certificates to authenticate VPN users. Shared secrets are passwords that must be provided to users. They offer an easy way to quickly set up VPNs for a small number of remote employees, but a large number of passwords is difficult to manage. To maintain as much security as possible using this method:
Users should choose strong passwords.
Passwords should be aged quickly.
Users should be locked out after three failed login attempts.
When using RUVPN with PPTP or MUVPN, it is especially important to use strong passwords. Compromising the security of VPN endpoints could jeopardize the security of the main network. If, for example, a traveling employee's laptop were stolen, a thief who was able to crack the password would have instant access to the corporate network.
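The three shared-secret controls above (strong passwords, quick aging, lockout after three failed attempts) as an added Python example of an authentication gate; this is not WatchGuard code, and the 12-character strength rule and 30-day maximum age are assumed values, since the page gives no numbers for them:

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_FAILED_ATTEMPTS = 3                  # lockout threshold stated on the page
MAX_PASSWORD_AGE = timedelta(days=30)    # assumed value for "aged quickly"


@dataclass
class Account:
    salt: bytes
    digest: bytes
    changed_at: datetime
    failed_attempts: int = 0
    locked: bool = False


def is_strong(password: str) -> bool:
    """Assumed rule: at least 12 chars with lower, upper, digit and symbol."""
    classes = [str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()]
    return len(password) >= 12 and all(any(f(c) for c in password) for f in classes)


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a stolen credential store still resists cracking.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(password: str, now: datetime) -> Account:
    if not is_strong(password):
        raise ValueError("password does not meet the strength policy")
    salt = os.urandom(16)
    return Account(salt=salt, digest=_hash(password, salt), changed_at=now)


def authenticate(acct: Account, password: str, now: datetime) -> str:
    """Return 'ok', 'expired', 'locked' or 'denied' for one login attempt."""
    if acct.locked:
        return "locked"
    if not hmac.compare_digest(_hash(password, acct.salt), acct.digest):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True       # third failure locks the account
            return "locked"
        return "denied"
    acct.failed_attempts = 0         # a good login resets the failure counter
    if now - acct.changed_at > MAX_PASSWORD_AGE:
        return "expired"             # correct secret, but it has aged out
    return "ok"
```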
Digital certificates are electronic documents that prove a user's identity. (For a detailed discussion of certificates, see Public Key Cryptography and Digital Certificates.) Certificates are managed by a trusted third party called a certificate authority (CA). In the WatchGuard Firebox System, a Firebox can be configured to function as a CA. This method of authentication is more secure and scalable than shared secrets.
Related topics:
Selecting an Encryption and Data Integrity Method
Copyright
© 1996 - 2003 WatchGuard Technologies, Inc. All rights reserved.