7 IPsec VPN 116

It is becoming increasingly common for users on the move to connect directly to their company's network via VPN from their laptops. However, the laptop itself is often not protected. In other words, an intruder can gain access to the protected network through an unprotected laptop and its already open VPN connection.

Placement in a DMZ

A VPN connection should never be regarded as an integral part of a protected network. The VPN gateway should instead be located in a special DMZ or outside a gateway dedicated to this task. By doing this, you can restrict which services can be accessed via the VPN and ensure that these services are well protected against intruders.

In instances where the gateway provides an integrated VPN feature, it is usually possible to dictate the types of communication permitted. The SEG VPN includes this feature.

Key distribution

If using pre-shared keys for VPN security, key distribution schemes are best planned in advance. Issues that need to be addressed include:

• How will keys be distributed? E-mail is not a good solution. Phone conversations might be secure enough.

• How many different keys should be used? One key per user? One per group of users? One per LAN-to-LAN connection? One key for all users and one key for all LAN-to-LAN connections? It is probably better to use more keys than strictly necessary, since that makes it easier to adjust access per user (or group) in the future.

• Should the keys be changed? If they are changed, how often? In cases where keys are shared by multiple users, you may want to consider overlapping schemes, so that the old keys keep working for a short period after new keys have been issued.

• What happens when an employee in possession of a key leaves the company? If several users are using the same key, it should be changed.

• In cases where the key is not directly programmed into a network unit, such as a VPN gateway, how should the key be stored? On a floppy? As a pass phrase to memorize? On a smart card? If it is a physical token, how should it be handled?
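The overlapping rotation scheme and the "key must change when a holder leaves" rule from the list above can be modelled as a small pre-shared key registry. This is an added example written for this page, not code from the SEG product; the group names, key identifiers and secrets below are constructed sample data.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class PskRecord:
    key_id: str
    secret: bytes
    valid_from: datetime
    valid_until: Optional[datetime]  # None: current key, no expiry scheduled yet


class PskRegistry:
    """One key list per user group or LAN-to-LAN link, with an overlap window on rotation."""

    def __init__(self, overlap: timedelta):
        self.overlap = overlap
        self.keys: Dict[str, List[PskRecord]] = {}

    def issue(self, group: str, key_id: str, secret: bytes, now: datetime) -> None:
        # The previous key stays valid for the overlap window so that peers
        # can be reconfigured without an outage; the new key is valid at once.
        records = self.keys.setdefault(group, [])
        for rec in records:
            if rec.valid_until is None:
                rec.valid_until = now + self.overlap
        records.append(PskRecord(key_id, secret, now, None))

    def revoke(self, group: str, now: datetime) -> None:
        # A holder of a shared key has left: every key of the group ends now,
        # with no overlap, and a fresh key must be issued before use resumes.
        for rec in self.keys.get(group, []):
            if rec.valid_until is None or rec.valid_until > now:
                rec.valid_until = now

    def accepted(self, group: str, now: datetime) -> List[str]:
        return [rec.key_id for rec in self.keys.get(group, [])
                if rec.valid_from <= now and (rec.valid_until is None or now < rec.valid_until)]

    def verify(self, group: str, secret: bytes, now: datetime) -> bool:
        # Constant-time comparison against every key currently accepted for the group.
        live = {rec.key_id for rec in self.keys.get(group, [])} & set(self.accepted(group, now))
        return any(hmac.compare_digest(rec.secret, secret)
                   for rec in self.keys.get(group, []) if rec.key_id in live)


T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timeline start
```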