09-07-2012 12:34 AM - edited 02-21-2020 06:19 PM
Hello,
I have a question on DMVPN solutions where a device is already configured with a preshared key and is expected to become part of the network once the device is fired up.
Now what if this device (e.g. a router) is stolen and plugged into the Internet? I believe it will establish a connection with the hub router because the preshared keys and DMVPN config match. Is there a solution to prevent this?
I know it is a physical security question however I need to consider this rare scenario.
Thanks,
Deepak Ambotkar
09-07-2012 01:15 AM
The solution for that problem is to use digital certificates, which is a best practice for DMVPN. For that you can also use an IOS router as a CA server.
If you decide against certificates, then you can at least use PSK-encryption. That doesn't help against stolen devices, but it helps against rogue spokes when someone can get the client config.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
09-10-2012 10:18 PM
The most scalable way is to use a PKI infrastructure. If a device gets stolen, then the network admin would revoke the certificate and publish a new CRL [Certificate Revocation List].
As soon as the stolen device tries to reconnect to the hub, the hub will terminate the connection due to certification validation failure.
That's the best practice.
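As an added illustration of the certificate-based approach described in both replies above (an IOS router acting as the CA, the hub validating spoke certificates against the CRL, and the admin revoking a stolen spoke's certificate), here is an IOS configuration sketch. It is not configuration from the original posts; the names SPOKE-CA and HUB-KEY, the CA address 10.0.0.1, the certificate serial number and the ISAKMP policy values are placeholders chosen for the example.

```cisco
! --- On the IOS router acting as the CA (placeholder name SPOKE-CA) ---
! "database level complete" keeps a copy of every issued certificate so
! that serial numbers can be looked up and revoked later.
! "lifetime crl" (hours) bounds how long a stale CRL stays valid, i.e.
! the maximum window a revoked spoke could still be accepted.
crypto pki server SPOKE-CA
 database level complete
 lifetime certificate 365
 lifetime crl 24
 cdp-url http://10.0.0.1/SPOKE-CA.crl
 no shutdown

! --- On the DMVPN hub ---
! The hub trusts SPOKE-CA and is forced to check the CRL for every
! spoke certificate it sees; a revoked (stolen) spoke fails IKE
! authentication instead of joining the cloud.
crypto pki trustpoint SPOKE-CA
 enrollment url http://10.0.0.1:80
 revocation-check crl
 rsakeypair HUB-KEY
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14

! --- When a spoke is reported stolen ---
! 1. Find the serial of the spoke's certificate on the CA
!    (e.g. from "crypto pki server SPOKE-CA info requests" or the
!    CA database); 0x1A below is a placeholder value.
! 2. Revoke it; the CA regenerates the CRL, and the hub picks up the
!    new CRL at its next refresh and rejects that spoke.
crypto pki server SPOKE-CA revoke 0x1A
!
! Verification on the hub (exec mode):
!   show crypto pki crls          - confirm the updated CRL was fetched
!   show crypto isakmp sa         - the stolen spoke's SA must not appear
```

The point of `revocation-check crl` on the hub is that a matching preshared key or configuration no longer grants access by itself: the device must present a certificate that is both signed by SPOKE-CA and absent from the current CRL, and revocation is a single command on the CA rather than a re-key of every spoke.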