Overview
This article answers questions customers frequently ask about Kerio VPN certificates and the most secure way to use the VPN.
Information
- Is it true that the dedicated Kerio VPN app can only be set up with a certificate (and not just a pre-shared key)?
- With respect to security, is one method of connecting via VPN more secure than the other? (i.e. using the dedicated Kerio VPN app, which requires a certificate(?), or setting up via Mac Preferences / Network / add VPN L2TP, which seems to be the only way to set up with a Pre-Shared Secret.)
- Pre-shared Secret
The server generates a keypair and you copy its public key to every client machine (manually, through a script, etc.). When connecting, the client checks that the public key the server presents matches the one it has cached for that server (conceptually the same as SSH's host-key fingerprint check).
- Upside: no need for the inconvenience of getting a CA-signed certificate. You can generate the server's keypair and start deploying it to clients immediately.
- Downside: Recovering from a key compromise is difficult or impossible, because there is no mechanism for the server to notify clients of a compromise other than pushing a new keypair to all of them. Consider an attacker who holds the server's private key and can intercept traffic between the client and the server (both to block the push of the updated keypair and to man-in-the-middle the client's connection to the server). The client will trust the attacker and believe it is talking to the authentic server, and there is nothing you can do to prevent this because, at a fundamental level, pre-shared secrets have no revocation mechanism.
- Certificate
- Although obtaining a certificate can sometimes be expensive, trust no longer depends on your ability to push the pre-shared key to the clients.
- Part of validating a certificate is for the client to reach out to the CA and confirm that the certificate has not been revoked; if the client cannot reach the CA, that counts as a failure. Spoofing this revocation check requires the attacker to compromise not only the server's private key but the CA's private key as well. If the server realizes that its keypair has been compromised and asks the CA to revoke it, all clients will know immediately because the online revocation checks will fail.
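As an added illustration (not part of the original article and not Kerio's code), the following Python model contrasts the two trust models described above: a pinned pre-shared key, which has no revocation channel, and a CA-issued certificate whose status the client checks online and which fails closed when the CA cannot be reached. The CA "signature" is a stand-in HMAC and all keys are random bytes, so it models only the trust decisions, not real cryptography; the class names and the hostname vpn.example.com are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


def fingerprint(public_key: bytes) -> str:
    """SHA-256 fingerprint of a public key, as a client would cache it."""
    return hashlib.sha256(public_key).hexdigest()


class PinnedKeyClient:
    """Pre-shared / pinned key model: the client trusts exactly one cached
    fingerprint for the server and has no channel to learn of a revocation."""

    def __init__(self, cached_public_key: bytes):
        self.cached = fingerprint(cached_public_key)

    def accept(self, presented_public_key: bytes) -> bool:
        return hmac.compare_digest(self.cached, fingerprint(presented_public_key))


@dataclass
class Certificate:
    serial: int
    subject: str
    public_key: bytes
    signature: bytes


class ToyCA:
    """Toy CA (assumption, not a real PKI): 'signs' certificates with an HMAC
    and publishes revocation status that clients query online."""

    def __init__(self):
        self._signing_key = os.urandom(32)   # constructed CA key
        self._next_serial = 1
        self.revoked = set()
        self.online = True                   # False simulates an unreachable CA

    def _mac(self, serial: int, subject: str, public_key: bytes) -> bytes:
        msg = f"{serial}|{subject}|".encode() + public_key
        return hmac.new(self._signing_key, msg, hashlib.sha256).digest()

    def issue(self, subject: str, public_key: bytes) -> Certificate:
        serial, self._next_serial = self._next_serial, self._next_serial + 1
        return Certificate(serial, subject, public_key, self._mac(serial, subject, public_key))

    def verify_signature(self, cert: Certificate) -> bool:
        expected = self._mac(cert.serial, cert.subject, cert.public_key)
        return hmac.compare_digest(cert.signature, expected)

    def revoke(self, serial: int) -> None:
        self.revoked.add(serial)

    def revocation_status(self, serial: int) -> Optional[str]:
        """'good', 'revoked', or None when the CA cannot be reached."""
        if not self.online:
            return None
        return "revoked" if serial in self.revoked else "good"


class CertClient:
    """Certificate model: signature check, subject check, then a hard-fail
    online revocation check (an unreachable CA is treated as a failure)."""

    def __init__(self, ca: ToyCA, expected_subject: str):
        self.ca = ca
        self.expected_subject = expected_subject

    def accept(self, cert: Certificate) -> bool:
        if not self.ca.verify_signature(cert):
            return False
        if cert.subject != self.expected_subject:
            return False
        return self.ca.revocation_status(cert.serial) == "good"


def demo() -> dict:
    """Walk both models through a server key compromise and return the outcomes."""
    server_key = os.urandom(32)              # constructed stand-in for the server's public key
    pinned = PinnedKeyClient(server_key)
    ca = ToyCA()
    cert = ca.issue("vpn.example.com", server_key)
    client = CertClient(ca, "vpn.example.com")
    results = {"pinned_before": pinned.accept(server_key),
               "cert_before": client.accept(cert)}
    ca.revoke(cert.serial)                   # server notices the compromise, asks CA to revoke
    results["pinned_after_compromise"] = pinned.accept(server_key)   # still trusted: no revocation
    results["cert_after_revoke"] = client.accept(cert)               # rejected immediately
    ca.online = False                        # attacker blocks the client's path to the CA
    results["cert_ca_unreachable"] = client.accept(cert)             # fails closed
    forged = Certificate(cert.serial, cert.subject, os.urandom(32), os.urandom(32))
    results["forged_cert"] = client.accept(forged)                   # no CA key, no valid signature
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'accepted' if outcome else 'rejected'}")
```

The pinned client keeps accepting the compromised key after revocation because nothing in its trust decision can change without pushing a new key; the certificate client rejects as soon as the CA marks the serial revoked, and also rejects when the revocation check cannot complete, which is the behaviour the answer above describes.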
- For increased security, should we use the VPN over cellular connections? Please clarify the difference between using the VPN over WiFi networks and over cellular networks.
- There is no difference between using the VPN on WiFi, a cellular network or a local area network. The VPN encrypts all connections between the device and the server regardless of which network the device gets its internet access from.
- Is there more of a performance hit if we are using VPN to browse the internet? In other words, should we recommend that our users only use the VPN to check their email, and not to safely browse the internet? Will doing so slow down our email server for other users?
- Browsing the internet via the VPN will be slower than using the local network. The VPN will not slow things down for other users. Sending and receiving email over the VPN can be slower than on the local network.