Last week’s post on Branch Networking focused on High Availability, so this week we’ll take a dive into central management. As a quick overview, a central VPN management system is required for effective networking of branch offices. Even if there are only a few branch offices, the time and money that have to be spent on local network administration are out of proportion, especially with M2M networking.
Central management automates the management of remote / branch office VPN gateways. The more VPN-relevant systems the central management covers, the simpler and more manageable the network becomes for administrators. Of course, management should include configuration and software updates – but it should also include managing the rollout of digital software or hardware certificates, an LDAP console for identity and rights management, and security monitoring of the end devices (Network Access Control / Endpoint Security).
We know a VPN system secures all data transfers in an encrypted tunnel. However, this protection has to be in place as early as Internet dial-up, which is the most frequent point of attack for hackers. The core problem is how the branch offices authenticate to the central gateway. One option for authentication is pre-shared keys; another is the use of certificates. For security reasons, certificates are the better option because they can be adapted: old certificates can be locked (revoked) and new ones can be issued. Certificate handling has to be organized; i.e., if a certificate expires, the VPN management should offer automated mechanisms that request and issue new certificates.
Often, another security requirement is simply overlooked: the firewall must only allow IPsec connections. Usually, branch offices connect to the Internet via a DSL router, and this router protects the VPN gateway. Some VPN gateways also support PPPoE as a communication medium. This means the gateway can be used directly for DSL dial-up, and a DSL router becomes obsolete. In this case, too, the firewall must only allow IPsec connections. Maintenance of the branch offices’ VPN gateways can also be done by direct dial-up via ISDN – not via the Internet.
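What "only allow IPsec" means on the WAN side of a gateway that does its own PPPoE dial-up, as an added example that is not part of the original post. It assumes a Linux-based gateway filtered with nftables; the interface name `ppp0` and the central gateway address `203.0.113.10` (a documentation address) are placeholders, and pinning traffic to that one peer is an extra assumption on top of the post's requirement.

```nftables
#!/usr/sbin/nft -f
# Added example: WAN filter for a branch VPN gateway that terminates PPPoE itself.
# Assumed names: ppp0 (PPPoE interface), 203.0.113.10 (central VPN gateway).

define WAN_IF     = "ppp0"
define CENTRAL_GW = 203.0.113.10

table inet branch_wan {

    # Traffic addressed to the gateway itself.
    chain wan_in {
        type filter hook input priority 0; policy accept;

        # LAN and loopback traffic is handled by other rules, not here.
        iifname != $WAN_IF accept

        # IKE (UDP 500) and IKE/ESP with NAT traversal (UDP 4500).
        ip saddr $CENTRAL_GW udp dport { 500, 4500 } accept

        # Native ESP (IP protocol 50) carrying the tunnel payload.
        ip saddr $CENTRAL_GW ip protocol esp accept

        # Everything else from the Internet is dropped and counted:
        # no SSH, no web administration, no SNMP on the WAN side.
        counter drop
    }

    # Traffic originated by the gateway itself.
    chain wan_out {
        type filter hook output priority 0; policy accept;

        oifname != $WAN_IF accept

        ip daddr $CENTRAL_GW udp dport { 500, 4500 } accept
        ip daddr $CENTRAL_GW ip protocol esp accept

        # Nothing else leaves via the WAN link unencrypted.
        counter drop
    }
}

# The PPPoE session itself is carried in Ethernet frames below the IP layer,
# so it is not affected by these IP-level rules.
```

The ruleset covers only packets sent to or by the gateway on the WAN link; because the output chain addresses the central gateway by IP, nothing here depends on DNS being reachable outside the tunnel.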
Do you have questions about Branch Networking? We’ll do our best to help if you send your questions to firstname.lastname@example.org or leave us a comment below. Also, stay tuned for next week’s Branch Networking post about “masking.”