cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

861
Views
0
Helpful
2
Replies
Highlighted

DMVPN/preshared key configured and device stolen

Hello,

I have a question on DMVPN solutions where device is already configured with a preshared key and expected to be a part of a network once the device is fired up.

Now what if this device (e.g. router) is stolen and plugged to the Internet? I believe it will establish a connection with a hub router because preshared keys, DMVPN config are matching and is there a solution to prevent this?

I know it is a physical security question however I need to consider this rare scenario.

Thanks,

Deepak Ambotkar

Everyone's tags (4)
2 REPLIES 2
VIP Mentor

DMVPN/preshared key configured and device stolen

The solution for that problem is to use digital certificates which is a best-practice for DMVPN. For that you can also use an IOS-router as a CA-server.

If you decide against certificates, the you can at least use PSK-encryption. That doesn't help against stolen devices, but helps against rouge spokes when someone can get the client-config.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Cisco Employee

DMVPN/preshared key configured and device stolen

The most scalable way is to use a PKI infrastructure. If a device get stolen, then the network admin would revoke the certificate and publish a new CRL [ Certificate Revokation List].

As soon the stolen device try to reconnect to the hub, the hub will terminate the connection due to certification validation failure.

That's the best practice.