Choosing an Ultrasurf Provider

PREFACE

One of the most important things to do before adding security devices to a network is to test them from several aspects. We must verify that they are secure, that they are easy to install and manage, and that the network will be down for the minimum time possible during the implementation process (if at all).

After a short introduction to VPNs, this document lists the aspects that should be considered while evaluating a VPN solution, and provides guidelines for evaluating the solution's suitability for each aspect.

INSTALLATION

Deploying a new network should not be a complicated process. It is important for a network administrator to be able to install the network as fast as possible and with as few errors as possible, even if she is not a security expert.

An easy installation process will reduce network downtime to a minimum, will save working hours, and, of course, will result in a secure installation.

  1. Install and Configure the CA.
  2. Install the master management station.
  3. Configure both gateways.
  4. Install and configure the IPSec client.


  • Is the certification of the gateway done automatically?
  • Can the new VPN devices be seen automatically from the management station?
  • Do both VPN gateways know that they belong to the same domain?

CONFIGURATION AND MANAGEABILITY

One of the most time-consuming activities of a network administrator is the configuration of the different devices. It is important to verify that adding and removing devices is an easy task.

Pick one of the devices and add a new subnet to its local/private networks.

  • Can you connect securely to this new network from the other protected sites?
  • Do you have to configure this change on the rest of the network?

Key exchange is resource consuming. It should also be verified that this process (rekeying) is done automatically and does not require human involvement.

  • Define a minimal lifetime for Quick Mode (Phase II) and/or Main Mode (Phase I) on all devices (the minimum lifetime varies between products).
  • Check with a LAN analyzer that you can see the key exchange (ISAKMP, UDP port 500) before the defined lifetime of each IPSec phase expires.
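One way to turn the LAN analyzer check above into a repeatable test, as an added example that is not part of the original page: the script below parses the fixed ISAKMP (IKEv1) header of datagrams captured on UDP port 500, picks out the first message of each Main Mode and Quick Mode negotiation, and verifies that the gap between consecutive rekeys never exceeds the configured Phase I / Phase II lifetime. The capture and the lifetimes are constructed sample values.

```python
import struct

# ISAKMP fixed header (RFC 2408): initiator cookie, responder cookie,
# next payload, version, exchange type, flags, message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
MAIN_MODE, QUICK_MODE = 2, 32        # exchange types: Phase I (Main Mode), Phase II (Quick Mode)
ZERO_COOKIE = bytes(8)               # responder cookie is zero in the very first Phase I message


def parse_isakmp(payload):
    """Return the header fields of one UDP/500 datagram as a dict."""
    if len(payload) < ISAKMP_HDR.size:
        raise ValueError("datagram shorter than the 28-byte ISAKMP header")
    icky, rcky, _nxt, _ver, xchg, _flags, msgid, length = ISAKMP_HDR.unpack_from(payload)
    return {"icookie": icky, "rcookie": rcky, "exchange": xchg, "msgid": msgid, "len": length}


def negotiation_starts(packets):
    """Yield (timestamp, phase) for the first message of each negotiation.

    packets: iterable of (timestamp_seconds, payload) captured on UDP port 500.
    Phase I start: Main Mode message whose responder cookie is still zero.
    Phase II start: Quick Mode message with a message ID not yet seen for that SA.
    """
    seen_quick = set()
    for ts, payload in packets:
        h = parse_isakmp(payload)
        if h["exchange"] == MAIN_MODE and h["rcookie"] == ZERO_COOKIE:
            yield ts, 1
        elif h["exchange"] == QUICK_MODE:
            key = (h["icookie"], h["rcookie"], h["msgid"])
            if key not in seen_quick:
                seen_quick.add(key)
                yield ts, 2


def check_rekeying(packets, lifetimes):
    """lifetimes: {1: main_mode_seconds, 2: quick_mode_seconds}.
    Returns {phase: (largest_gap_seconds, ok)}; ok requires at least one observed
    rekey for that phase and every gap within the configured lifetime."""
    last, gap, count = {}, {1: 0.0, 2: 0.0}, {1: 0, 2: 0}
    for ts, phase in negotiation_starts(packets):
        count[phase] += 1
        if phase in last:
            gap[phase] = max(gap[phase], ts - last[phase])
        last[phase] = ts
    return {p: (gap[p], count[p] >= 2 and gap[p] <= lifetimes[p]) for p in lifetimes}


def _msg(icookie, rcookie, exchange, msgid):
    """Constructed header-only ISAKMP datagram (version byte 0x10 = IKEv1)."""
    return ISAKMP_HDR.pack(icookie, rcookie, 0, 0x10, exchange, 0, msgid, ISAKMP_HDR.size)

# Constructed capture: Phase I at t=0 and again at t=3600, Quick Mode every 1200 s.
SAMPLE = [
    (0.0, _msg(b"A" * 8, ZERO_COOKIE, MAIN_MODE, 0)),
    (0.1, _msg(b"A" * 8, b"B" * 8, MAIN_MODE, 0)),
    (1.0, _msg(b"A" * 8, b"B" * 8, QUICK_MODE, 0x11)),
    (1.1, _msg(b"A" * 8, b"B" * 8, QUICK_MODE, 0x11)),
    (1201.0, _msg(b"A" * 8, b"B" * 8, QUICK_MODE, 0x12)),
    (2401.0, _msg(b"A" * 8, b"B" * 8, QUICK_MODE, 0x13)),
    (3600.0, _msg(b"C" * 8, ZERO_COOKIE, MAIN_MODE, 0)),
]
```

Feed it real UDP/500 payloads (for example exported from the analyzer) in place of SAMPLE, with the lifetimes you configured on the gateways.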

Management

One of the basic and most important parts of the network, and specifically a security solution, is the ease of management. When the network is very large, one management station might not be enough, especially if this is an extranet.

It is important to verify that the different management options suit the network's needs. More than that, as this is the management station of a security network, it is also important to verify that the management itself is secure and that unauthorized persons cannot change your security policy.

Is the management secure?

  • How is the master management station protected?
    Try to access the master management station from a host on the corporate LAN (by ping/FTP/Telnet). Verify that unauthorized people do not have access to your master management station and cannot change the policy of your VPN.
  • Verify that the management traffic is carried over IPSec. Check with a LAN analyzer that the port and protocol of the management traffic are IPSec and not SSL or cleartext.
  • Verify that you cannot manage any of your devices from an unauthorized management station.
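The two analyzer checks above (management traffic must be IPSec, and only authorized hosts may reach the management station) can be run over a flow summary exported from the LAN analyzer. This is an added example, not code from the original page; the flow records, the management station address and the authorized manager list are constructed sample values.

```python
import ipaddress

ESP, AH = 50, 51            # IP protocol numbers for IPSec ESP and AH
UDP, TCP = 17, 6
IKE_PORT, SSL_PORT = 500, 443


def classify(flow):
    """Label one flow record as 'ipsec', 'ssl' or 'clear'."""
    proto, sport, dport = flow["proto"], flow.get("sport"), flow.get("dport")
    if proto in (ESP, AH) or (proto == UDP and IKE_PORT in (sport, dport)):
        return "ipsec"
    if proto == TCP and SSL_PORT in (sport, dport):
        return "ssl"
    return "clear"


def audit_management_traffic(flows, mgmt_station, authorized_managers):
    """Return (peer, label, reason) findings for every flow touching the management
    station that is not IPSec-protected or involves a host not authorized to manage."""
    mgmt = ipaddress.ip_address(mgmt_station)
    allowed = {ipaddress.ip_address(a) for a in authorized_managers}
    findings = []
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if mgmt not in (src, dst):
            continue                      # not management traffic
        peer = dst if src == mgmt else src
        label = classify(f)
        if label != "ipsec":
            findings.append((str(peer), label, "management traffic not protected by IPSec"))
        if peer not in allowed:
            findings.append((str(peer), label, "host not in the authorized manager list"))
    return findings


# Constructed flow summary: 10.0.0.10 is the master management station.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "10.0.0.10", "proto": ESP},
    {"src": "10.0.0.5", "dst": "10.0.0.10", "proto": UDP, "sport": 500, "dport": 500},
    {"src": "10.0.0.77", "dst": "10.0.0.10", "proto": TCP, "sport": 40001, "dport": 23},
    {"src": "10.0.0.10", "dst": "10.0.0.6", "proto": TCP, "sport": 443, "dport": 51000},
    {"src": "10.0.0.20", "dst": "10.0.0.21", "proto": TCP, "sport": 40002, "dport": 21},
]
AUTHORIZED = ["10.0.0.5", "10.0.0.6"]
```

An empty findings list is the expected result on a correctly deployed network; each finding names the peer host and why the flow fails the check.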

Ease and flexibility of management

This is particularly important for large networks and extranets where one management station is not sufficient. It could be that the network is an extranet and each company wants to manage its own security policy. It could be that the network is very large, spread over different countries around the world, and more than one person manages the network configuration or security policy. But even small organizations need the flexibility of having more than one manager, for various reasons.

  • Define another manager for the two gateways (from the LAN or from the Internet).
    Verify that the new management station cannot manage the other gateway if it is not defined as a manager for that gateway.
  • Create a secure connection between the two VPN gateways (each managed by a different management station).
  • Can you add another management station?

SECURITY ASPECTS

It is important to check the physical security of the VPN devices with your vendor. It is not an easy task to test the security of the devices, and in most cases you cannot verify the security of the devices with standard testing tools. Therefore you will need to get some of the information from your vendor.

  1. Are the devices physically protected? How is the private key secured? If someone physically tampers with the devices, will they gain access to the private keys? (Remember: the private keys are the most sensitive information of a security system. If someone gains access to your private keys, they can decrypt the data you are sending!)
  2. Key creation: Is it truly random, generated by a physical device, or only pseudo-random, generated by functions provided by the operating system or by software?
  3. OS: Is the VPN device using a closed operating system? Are there other processes or daemons running that are not security related? Can the operating system be hacked? Try to FTP/Telnet to the devices from a public/unsecured host.
  4. When installing two devices for high availability (redundancy), verify with the vendor that private keys are not transferred between devices.
  5. Try to remove security-related physical parts of the device and see if you can continue working.

HIGH AVAILABILITY

Time is money. Disconnection of a network for a period of time could cost the organization a lot of money. Many networks require high availability: no single point of failure.

Even if a physical problem occurs with one of the devices (such as a power failure that leaves the device non-functional), it is important that another device takes over the network operation, and/or that the device can be exchanged and the network brought back up and running as fast as possible.


HIGH AVAILABILITY / AUTOMATIC FAILOVER

Install another VPN gateway as a redundant/hot standby to the one previously installed.

  1. Automatic redundancy discovery
    • Is there automatic detection of the two devices? Does it involve any configuration change on the other VPN devices in the network?
    • Check the management station to see if you have an indication of the status of the devices and which one is the primary.
  2. Hot swap redundancy
    • Establish an FTP session from a host behind the redundant gateways to the remote branch.
    • Switch off the primary device, check whether the session was broken, and look at the device status on the management station.
    • Switch the primary device back on. Check whether the session was broken.
    • Look at the status of the devices on the management station right after the primary device was turned back on, and again a few minutes later (when it becomes active).
  3. Client capability to identify the active device
    • Create a session between the client and the host behind the redundant gateways (FTP etc.).
    • Switch off the primary device and check whether the connection continues.
    • Switch the primary device back on and check that the connection is still available.


DISASTER RECOVERY

  1. No single point of failure
    Take one of the VPN gateways and replace it with a new device. How long does it take to get the network back to its previous working state?
    • Check the configuration of the "new" device through the management station.
    • Is the network working properly? Is the former configuration restored?
  2. Try to replace the Certificate Authority (CA).
    • Check that all pre-existing devices are still known and can be managed.
    • While you were replacing the CA, did the rest of the network function properly?
  3. No single point of failure: try to turn off one of the VPN gateways, the CA or the management station. Verify that there is no single device that, when not working properly, causes the whole network to stop functioning.


Published by Aurora in «misc».