Appendix E – RouteFinder Maintenance
Multi-Tech Systems, Inc. RouteFinderVPN RF760/660/600VPN User Guide (PN S000323D)
This section covers issues related to routinely maintaining the RouteFinder, including:
• Housekeeping
• Monitoring
• Updating
Housekeeping
Housekeeping includes the on-going list of tasks that you need to perform to keep your environment safe and clean. The
three main housekeeping tasks that you'll need to revisit periodically are:
• System backups – This includes regular backups of RouteFinder configurations and reporting logs. Much of the system backup effort can be done automatically on the RouteFinder (refer to the System > Backup section in Chapter 3 of this manual).
• Accounts management – Includes adding new accounts correctly, deleting old ones promptly, and changing passwords regularly. You should arrange to get termination notification when someone leaves your organization (e.g., for your company's full-time and contract employees, or your university's graduating students). This should involve managing Certification and Key expiration dates, maintaining current email address or addresses for alerts and notifications (e.g., from the Administration menu), as well as maintaining the overall WebAdmin password from the Administration menu.
• Shared Secret Maintenance – Most secure protocols provide for mutual authentication (server-to-client and client-to-server). Most ways of doing this are based on the same process: each side "proves" that it can decrypt a value that only the "authentic" participant can know.
  This secret could be the private half of a public key / private key pair, or it could be a key used along with a symmetric algorithm. In both authentication methods each side sends the other an 'unpredictable' value, and then gets it back in a form that proves that the other side was able to decrypt it.
  Public key cryptography provides excellent data protection, but it's fairly slow. A convenient method is to use a temporary key (also known as a session key) for most transactions, and then destroy the session key when the transaction is completed. Here, a secure protocol negotiates a session key that is used for a single transaction. The session key is still unpredictable and secure, but takes a lot less time to generate. However, when using the temporary (session) key method, it becomes important for the administrator to destroy the shared secrets quickly and systematically once they are used. Using partial perfect forwarding secrecy, the shared secret is destroyed after a set period of time. When using perfect secret forwarding, the administrator is responsible for destroying used shared secrets.
• Disk space management – Includes timely 'cleanup' of random program and data files to avoid wondering if a program is a leftover from a previous user, or a required program needed for a new install, or a program that an intruder left behind as a 'present' for someone to open. Eliminating unneeded files will allow more room on the hard drive for important logs and reports.
• Authentication Keys Maintenance – Authentication keys need to be unpredictable, and random numbers are often necessarily involved. You'll want to change authentication keys often, since the longer a key is used, the more likely it is to be discovered or accidentally disclosed.
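The mutual challenge-response and temporary session key described under Shared Secret Maintenance, as an added Python example that is not part of the Multi-Tech manual or the RouteFinder firmware. It assumes a pre-shared symmetric secret and proves knowledge of it with an HMAC over the challenge rather than by decrypting it; the names Peer, mutual_auth and wipe are hypothetical.

```python
import hashlib
import hmac
import secrets


def _mac(secret: bytes, label: str, data: bytes) -> bytes:
    # HMAC-SHA256 keyed with the shared secret; the label separates uses.
    return hmac.new(secret, label.encode() + b"|" + data, hashlib.sha256).digest()


class Peer:
    """One side of a mutual challenge-response exchange (hypothetical names)."""

    def __init__(self, name: str, shared_secret: bytes):
        self.name, self._secret, self.nonce = name, shared_secret, b""

    def challenge(self) -> bytes:
        # Fresh 'unpredictable' value from the OS CSPRNG for every exchange.
        self.nonce = secrets.token_bytes(32)
        return self.nonce

    def respond(self, peer_nonce: bytes) -> bytes:
        # The proof binds the responder's own name to the challenge, so it
        # cannot be reflected back to the challenger as a valid answer.
        return _mac(self._secret, self.name, peer_nonce)

    def verify(self, peer_name: str, proof: bytes) -> bool:
        # Constant-time comparison against the proof the peer should produce.
        return hmac.compare_digest(_mac(self._secret, peer_name, self.nonce), proof)

    def session_key(self, client_nonce: bytes, server_nonce: bytes) -> bytearray:
        # Temporary key derived from both nonces; mutable so it can be wiped.
        return bytearray(_mac(self._secret, "session", client_nonce + server_nonce))


def mutual_auth(client: Peer, server: Peer) -> bool:
    # Each side challenges the other and checks the proof it gets back.
    c_nonce, s_nonce = client.challenge(), server.challenge()
    server_ok = client.verify(server.name, server.respond(c_nonce))
    client_ok = server.verify(client.name, client.respond(s_nonce))
    return server_ok and client_ok


def wipe(key: bytearray) -> None:
    # Best-effort destruction of a used session key (Python may keep copies).
    key[:] = bytes(len(key))
```

Because every exchange uses new nonces, each session key differs from the last, and wiping it after the transaction leaves only the long-term shared secret to protect and rotate.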
Monitoring
Here you need to keep track of your system in terms of 'normal' usage so you can tell:
• If your RouteFinder is working.
• If your RouteFinder has been compromised.
• What kinds of attacks are being perpetrated.
• If your RouteFinder is providing the services your users need, or if upgrades or add-ons are needed.
To be proactive in solving these issues, keep track of usage reports and logs (refer to the sections on User Authentication, Tracking, and Statistics & Logs in Chapter 3). For information on RouteFinder upgrades and add-ons refer to the preceding section, Software Upgrades and Add-ons.