Question

We recently decided to pay an ISP (a substantial sum, mind) for a managed internet service...

We recently decided to pay an ISP (a substantial sum, mind) for a managed internet service up to and including the router in our head office.

Part of the initial discussions made it clear that whatever solution the ISP thought was best it had to include a VPN as various members of staff are on the road a lot, coffee shops and trains and the like.

The ISP delivered a VPN solution in the form of Cisco AnyConnect which keeps showing security warnings as the certificate is self-signed. The certificate is also SHA-1.

1) My main question is this. Is this adequate security for a paid-for solution?

2) My second question (although it may be out of place in this area of SE) is this. Is it reasonable to assume the ISP would provide an adequate certificate for the solution, given that the sensitive nature of the data we transmit was divulged to them?

Answer #1

Use of SHA-1 is irrelevant here.

The problem with a self-signed certificate is that there is no way for anybody to verify whether the certificate is the correct one or not; this is exactly what the client warnings mean. When one of your staff sees the warning, and he clicks through to connect nonetheless, then that user could be connecting to a fake VPN server, run by an attacker, who could then forward the data to the true server but also inspect it as it goes: a classical Man-in-the-Middle attack.

One may even say that with the self-signed certificate, you are training your staff to disregard warning messages, so, in all generality, you have lowered your security.

One way to fix the problem is to install the VPN certificate as "trusted", explicitly, in each client machine. This means that you instruct the client machine to accept that exact certificate as the right one. The Cisco documentation should tell you how to do it.

Another method is to have the ISP buy and install a certificate obtained from one of the "commercial CAs" that existing machines already trust; this is the same kind of certificate as what you need for an https:// Web site that does not insult its users. This is traditionally known as an "SSL certificate" and you can have one for a few dollars per year (even for free with some CAs).

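The two trust decisions described in the answer above (the warning against the machine's default trust store, and explicit trust in that exact certificate), as an added shell example that is not part of the original answer. It uses the openssl command line to create two self-signed certificates for a hypothetical name, vpn.example.com: one standing in for the ISP's gateway and one for an attacker's look-alike server with the same name but a different key. Both certificates are generated on the spot; nothing here is the ISP's or Cisco's own configuration.

```shell
#!/bin/sh
# Added example (not from the original answer). Uses the openssl CLI to
# reproduce the trust decisions the answer describes. vpn.example.com is a
# hypothetical name; both certificates are constructed here, on the spot.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed certificate and key: $1 = file prefix, $2 = CN.
# This is the situation the ISP delivered: nobody but the key holder
# vouches for the certificate.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Check $1.pem against the machine's default trust store, which is what the
# VPN client does before it shows the warning. Prints "ok" or "fail".
verify_with_system_store() {
  if openssl verify "$WORK/$1.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Check $2.pem while trusting exactly $1.pem and nothing else: the
# "install the VPN certificate as trusted" fix. Prints "ok" or "fail".
verify_pinned() {
  if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# SHA-256 fingerprint of $1.pem, the value an admin hands out out of band
# so a user can compare it with what the client displays in the warning.
fingerprint() {
  openssl x509 -in "$WORK/$1.pem" -noout -fingerprint -sha256 | cut -d= -f2
}

# Compare $1.pem against an expected fingerprint $2. Prints "match" or "mismatch".
pin_matches() {
  if [ "$(fingerprint "$1")" = "$2" ]; then echo match; else echo mismatch; fi
}

# The legitimate gateway and an attacker's look-alike: same name, different key.
make_self_signed server   vpn.example.com
make_self_signed attacker vpn.example.com
EXPECTED_FP="$(fingerprint server)"   # what the admin would distribute out of band

echo "server vs system store:      $(verify_with_system_store server)"   # fail: the warning
echo "server vs pinned server:     $(verify_pinned server server)"       # ok
echo "attacker vs pinned server:   $(verify_pinned server attacker)"     # fail: MITM caught
echo "server fingerprint check:    $(pin_matches server "$EXPECTED_FP")"     # match
echo "attacker fingerprint check:  $(pin_matches attacker "$EXPECTED_FP")"   # mismatch
```

Importing the gateway's certificate into each client's trust store (the first fix in the answer) is the same decision as `-CAfile` here: the client accepts that one certificate and rejects any other, including the attacker's copy that carries the same name. A certificate issued by a CA the machines already trust (the second fix) would pass the first check without any per-client import. The fingerprint used for the out-of-band comparison is a SHA-256 hash of the whole certificate; the SHA-1 signature on the certificate itself is a separate matter, and, as the answer notes, not what the warning is about.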