Changes between Version 1 and Version 2 of Hardening


Timestamp: 11/25/13 23:37:44 (10 years ago)
Author: JoshC
Comment: add PKI management
A number of things can be done to harden OpenVPN's security. This is a non-exhaustive list of ways to harden OpenVPN on a number of levels.

== Practice secure PKI management ==

This one is so obvious that it is often missed in hardening/security reviews. A security system is only as secure as its weakest link, and the PKI is no exception. Practice secure PKI management, safeguard your CA-related passphrases, and make sure the level of control and auditing over your PKI infrastructure matches your security needs.

Some basic principles of secure PKI management:

* Keep the CA PKI on a secure system:
  * Limited user login access
  * Limited installed software that could be used to compromise the system
  * Do not perform CA PKI tasks as root; use a restricted/limited account
  * Maintain filesystem ownership and access controls on the CA directory and its key material
* Generate private keys on the target system (the host that will use them) and send only the certificate request to the CA
  * As above, do not use root/admin accounts to generate keypairs/requests
  * Do not transport private keys, even encrypted ones (an attacker who obtains the file can guess/brute-force the passphrase offline)
  * Any passphrase used would need to be shared/transported as well
  * Once a key has been shared, a later compromise can no longer be attributed to one specific holder
* Use secure passphrases
  * A copied/stolen encrypted key is no good to the attacker if the passphrase protecting it is strong; a weak/guessable passphrase makes the encryption pointless
  * Standard password practices apply, such as not re-using passwords elsewhere
* Use a CRL, and quickly revoke lost/compromised keys
  * Generate/use a CRL up front, even while it is still empty (OpenVPN requires a restart to add the crl-verify option later)
  * Ensure holders of issued certificates know to promptly report loss/compromise of private keys
  * Have a system in place for revoking certificates and deploying the updated CRL to live systems
  * Consider whether clients need a copy of the CRL as well (a client only checks the server certificate against a CRL if it has one); some considerations:
    * multiple servers?
    * re-issuance of a compromised server certificate?
    * key rollover for other reasons prior to expiry?
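The revocation workflow in the list above (CA key kept under a passphrase, leaf keys generated on the target with only the CSR sent to the CA, an empty CRL published from day one, then a revoke-and-republish cycle), worked through as an added example using plain openssl(1). This is not OpenVPN's or easy-rsa's own code; the scratch directory, the common names `vpn-server` and `laptop-01`, the demo passphrase and the file layout are assumptions made for the illustration. Run it as an unprivileged user, as the list recommends.

```shell
#!/bin/sh
# Added example: a throwaway CA demonstrating the CRL/revocation flow with
# openssl(1). Not OpenVPN/easy-rsa code; paths, names and the passphrase
# below are assumptions for this demo.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"        # assumed scratch CA directory
CA_PASS="${CA_PASS:-demo-ca-passphrase}"  # assumed; use a strong one for real
CNF="$PKI_DIR/ca.cnf"

# Minimal config for "openssl ca": database, serial, CRL number, policy and
# extension sections. Absolute paths so the script is cwd-independent.
pki_write_config() {
    mkdir -p "$PKI_DIR/newcerts"
    : > "$PKI_DIR/index.txt"
    echo 01 > "$PKI_DIR/serial"
    echo 01 > "$PKI_DIR/crlnumber"
    cat > "$CNF" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = $PKI_DIR/index.txt
new_certs_dir    = $PKI_DIR/newcerts
certificate      = $PKI_DIR/ca.crt
private_key      = $PKI_DIR/ca.key
serial           = $PKI_DIR/serial
crlnumber        = $PKI_DIR/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
EOF
}

# CA key is generated encrypted under CA_PASS and never leaves PKI_DIR.
# An empty CRL is issued immediately so crl-verify can be enabled up front.
pki_init() {
    pki_write_config
    openssl req -new -x509 -newkey rsa:2048 -days 365 \
        -keyout "$PKI_DIR/ca.key" -passout "pass:$CA_PASS" \
        -out "$PKI_DIR/ca.crt" -subj "/CN=Demo VPN CA" -config "$CNF" 2>/dev/null
    pki_gencrl
}

# The target host makes its own key pair; only the CSR goes to the CA.
# $1 = common name, $2 = optional key passphrase (client keys should have one).
pki_issue() {
    if [ -n "${2:-}" ]; then keyopt="-passout pass:$2"; else keyopt="-nodes"; fi
    openssl req -new -newkey rsa:2048 $keyopt \
        -keyout "$PKI_DIR/$1.key" -out "$PKI_DIR/$1.csr" \
        -subj "/CN=$1" -config "$CNF" 2>/dev/null
    openssl ca -batch -notext -config "$CNF" -passin "pass:$CA_PASS" \
        -extensions v3_leaf -in "$PKI_DIR/$1.csr" -out "$PKI_DIR/$1.crt" 2>/dev/null
}

pki_gencrl() {
    openssl ca -gencrl -config "$CNF" -passin "pass:$CA_PASS" \
        -out "$PKI_DIR/crl.pem" 2>/dev/null
}

# Revoke a lost/compromised certificate and publish a fresh CRL.
pki_revoke() {
    openssl ca -revoke "$PKI_DIR/$1.crt" -config "$CNF" -passin "pass:$CA_PASS" 2>/dev/null
    pki_gencrl
}

# The check OpenVPN's crl-verify performs at handshake time: chains to the CA
# and is absent from the current CRL. Returns 0 if accepted (grep on the
# "OK" line keeps this working on old openssl builds whose exit code is 0).
pki_verify() {
    openssl verify -CAfile "$PKI_DIR/ca.crt" -crl_check \
        -CRLfile "$PKI_DIR/crl.pem" "$PKI_DIR/$1.crt" 2>/dev/null | grep -q ': OK$'
}

# Server directives that consume the artefacts above. Adding the crl-verify
# line to a running server needs a restart, hence it is present from the start.
pki_server_conf() {
    printf 'ca %s/ca.crt\ncert %s/vpn-server.crt\nkey %s/vpn-server.key\ncrl-verify %s/crl.pem\n' \
        "$PKI_DIR" "$PKI_DIR" "$PKI_DIR" "$PKI_DIR"
}

pki_init
pki_issue vpn-server
pki_issue laptop-01 laptop-key-passphrase
if pki_verify laptop-01; then VERIFY_BEFORE_REVOKE=OK; else VERIFY_BEFORE_REVOKE=REJECTED; fi
pki_revoke laptop-01            # laptop reported stolen: revoke, republish CRL
if pki_verify laptop-01; then VERIFY_AFTER_REVOKE=OK; else VERIFY_AFTER_REVOKE=REJECTED; fi
pki_server_conf > "$PKI_DIR/server.conf"
echo "laptop-01 before revocation: $VERIFY_BEFORE_REVOKE, after: $VERIFY_AFTER_REVOKE"
```

The CA passphrase is passed with `-passin pass:` only to keep the demo non-interactive; in a real CA let openssl prompt for it, so it never sits in shell history or a process listing. Deploying the regenerated `crl.pem` to every server (and to clients, if they carry one) is the step the list above calls a "system for deploying them to live systems"; the script stops at producing the file.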

== X.509 key size ==