
DMVPN/preshared key configured and device stolen

Deepak Ambotkar
Level 1

Hello,

I have a question on DMVPN solutions where a device is already configured with a preshared key and is expected to become part of the network once it is powered up.

Now what if this device (e.g. a router) is stolen and plugged into the Internet? I believe it will establish a connection with the hub router because the preshared keys and DMVPN config match. Is there a solution to prevent this?

I know it is a physical security question; however, I need to consider this rare scenario.

Thanks,

Deepak Ambotkar

2 Replies

The solution for that problem is to use digital certificates which is a best-practice for DMVPN. For that you can also use an IOS-router as a CA-server.

If you decide against certificates, then you can at least use PSK-encryption. That doesn't help against stolen devices, but helps against rogue spokes when someone can get the client-config.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

olpeleri
Cisco Employee

The most scalable way is to use a PKI infrastructure. If a device gets stolen, then the network admin would revoke the certificate and publish a new CRL [Certificate Revocation List].

As soon as the stolen device tries to reconnect to the hub, the hub will terminate the connection due to certificate validation failure.

That's the best practice.
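To make the two replies concrete, the following is a constructed IOS configuration sketch added here (it is not from either reply and is not a complete DMVPN build): an IOS router acting as CA, and a hub that authenticates spokes with RSA signatures instead of the wildcard preshared key from the question and checks the CRL, so a revoked spoke certificate is rejected. The CA, trustpoint, key and tunnel names, the addresses and the certificate serial are assumed placeholders.

```cisco
! What the question describes (vulnerable): one wildcard PSK shared by every spoke,
! so any stolen spoke still authenticates to the hub. Remove this line.
! crypto isakmp key PLACEHOLDER-PSK address 0.0.0.0 0.0.0.0
!
! --- On the IOS CA router (assumed name DMVPN-CA, assumed address 192.0.2.10) ---
crypto pki server DMVPN-CA
 database level complete
 lifetime crl 24
 cdp-url http://192.0.2.10/DMVPN-CA.crl
 no shutdown
!
! --- On the hub: trust the CA and check the CRL for every spoke certificate ---
crypto pki trustpoint DMVPN-CA
 enrollment url http://192.0.2.10:80
 revocation-check crl
 rsakeypair HUB-KEY
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp authentication NHRPKEY1
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
!
! --- When a spoke is reported stolen (exec mode on the CA) ---
! Revoke the spoke's certificate by serial number; 0x03 is a placeholder taken from
! the CA's issued-certificate database (kept because of "database level complete").
! crypto pki server DMVPN-CA revoke 0x03
!
! --- On the hub: fetch the new CRL now instead of waiting for the cached one to expire ---
! crypto pki crl request DMVPN-CA
! Verify with "show crypto pki crls"; "debug crypto pki validation" shows the rejection.
```

Without the immediate CRL request the hub keeps using its cached CRL until it expires (24 hours here), so the revocation takes effect only after that refresh.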