
Router Security Configuration Guide UNCLASSIFIED 208 UNCLASSIFIED Version 1.0g

7.3. IPSec and Dynamic Virtual Private Networks

Section 5.2 explains some of the basic features of IPSec. However, IPSec and Virtual Private Network (VPN) configuration are complex topics. As deployment of VPNs becomes more common, the simple configurations described in Section 5.2 probably will not scale well enough to satisfy users' needs. To achieve scalability, VPNs will need to be dynamic, employing public keys and public key certificates to set up IPSec-protected links on the fly. Security configuration issues that are likely to be important in the deployment of large dynamic VPNs are listed below.

§ PKI enrollment and obtaining certificates – To participate in a dynamic VPN based on Public Key Infrastructure (PKI), a router or any other device must possess a copy of the correct root and authority certificates, and it must have its own certified public key and private key. Installing certificates and setting up authorities on Cisco routers is complex but well-documented. There are also trust issues in any large VPN deployment: are all members of the VPN trusted equally? In general, IPSec is most useful for integrity and confidentiality assurance, but not for authorization or access control.

§ Designating traffic to be encrypted – Cisco routers, and most other VPN systems, support the ability to protect certain traffic based on its protocol and port numbers. Currently, there are no uniform guidelines for selecting traffic to protect.

§ Certificate revocation – In any large-scale PKI, removing certified principals from the trusted community is very important. PKI standards define various data formats and protocols for defining revocations and for checking certification status (e.g. X.509 CRL format, OCSP). It may be necessary to configure revocation checking on routers participating in dynamic VPNs.

§ Cryptographic issues – Selection of uniform key sizes and cryptographic algorithms will be a contentious issue in VPN deployment. Cisco routers currently support only a small complement of algorithms, depending on the installed IOS version and feature set.

For complete information on the IPSec and dynamic VPN capabilities of Cisco IOS 12.0, consult Cisco IOS 12.0 Network Security [2].
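The following configuration is an added illustration of the four issues above on a single router; it is not taken from the guide or from Cisco documentation. The trustpoint name, CA and OCSP URLs, addresses, ACL number and certificate-map name are assumed placeholders, and the crypto pki command family is the syntax of IOS releases later than the 12.0 release the guide covers (12.0 used the older crypto ca form). The weak revocation setting is shown commented out beside the corrected one.

```cisco
! Trust anchor: the router must hold the authority certificate and its own
! certified key pair before it can join the PKI-based VPN (assumed name and URL).
crypto pki trustpoint VPN-CA
 enrollment url http://ca.example.net:80
 subject-name CN=router1.example.net,O=example
 ! Weak setting: accepts any certificate the CA ever issued, even after revocation.
 ! revocation-check none
 ! Corrected: consult the CA's CRL first, fall back to OCSP if the CRL is unreachable.
 revocation-check crl ocsp
 ocsp url http://ocsp.example.net
 ! IPSec authenticates the peer but does not authorize it; this map only accepts
 ! certificates whose subject contains the expected organization (substring match).
 match certificate VPN-MEMBERS
!
crypto pki certificate map VPN-MEMBERS 10
 subject-name co o=example
!
! Phase 1: certificate-based (rsa-sig) authentication instead of a shared secret,
! with the algorithms and group agreed on uniformly across all VPN members.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication rsa-sig
 group 14
!
! Phase 2 transform set: the same uniform algorithm choice.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
! Traffic selection: only packets matching this ACL are protected; the peer
! carries the mirror-image ACL (assumed address ranges).
access-list 110 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set ESP-AES-SHA
 match address 110
!
interface Serial0/0
 ip address 198.51.100.2 255.255.255.252
 crypto map VPN-MAP
```

Enrollment itself is a separate exec-mode step: crypto pki authenticate VPN-CA retrieves the CA certificate and displays its fingerprint for out-of-band confirmation, crypto pki enroll VPN-CA submits the router's own certificate request, and show crypto pki certificates confirms what the router ended up holding. Without the revocation-check line, a compromised member whose certificate the CA has revoked would still be able to bring up an IPSec link with this router.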