Good security programs start with asking the right questions. All too often, security and network engineers sweat the details of some security technology or other and don't examine the most likely sources of attack. I recently overhead the question "How long should I set an IPSec VPN rekey time interval?" Answer the question by asking how worried you are about an attacker breaking into your VPN and how that might be accomplished.

This is one example where the answer depends on a lot of factors, such as: how sensitive is the data that is being protected, who the potential attackers are and their skill and funding levels, what requirements attackers need to achieve to pull off the attack successfully, and for how long the data needs to be protected.

The real question asks whether the data is properly protected from attack at rest and in transit. Let's make the assumption that the IPSec VPN product implements the cryptographic stuff properly and there are no bugs or problems that can be exploited. The only way to break the VPN is to crack the key. For a 112-bit 3DES key, there are 5.19e+33 possible keys. For a 168-bit 3DES key, 3.74e+50 possible keys. Assume 1,000,000 guesses per second and the time to guess the key works out to, um, forever.

Chances are, unless there is a problem with the IPSec VPN gateways cryptographic system, recovering the key would be difficult. Re-keying periodically generates a new key and is used so that if an attacker guesses the key, they can only recover a portion of the data before having to crack a new key. If you use perfect-forward secrecy, a feature where the new key isn't related to the existing key, the attacker has to crack a brand new key to get more of the data. This was important when people still used 56-bit DES and cracking a 56-bit DES key was in reach. With 112- or 168-bit keys, fuggedaboutit.

Unless your company is a target of a well-funded corporation or government, there is probably no practical reduction in risk if you don't rekey the VPN or use perfect-forward secrecy because the costs of even attempting to crack a 112- or 168-bit key are large. There is no harm, or cost, in using those features, either, and turning them on may help you sleep at night knowing that cracking your VPN is that much more difficult.

It's more likely your data will be compromised by a trusted insider, social engineering, a lost USB device, a tape falling off the back of a truck, or by this guy or by that guy. Low-tech attacks are cheap and successful.

Targeted, technical attacks, the kinds of attacks where someone would try to crack your VPN keys, are more costly to pull off and more likely to fail than a low-tech breach. For the cost of a plane ticket and some custom shirts with a logo, you can probably walk into most businesses as a copier-repair technician and be running around the network in 15 minutes.

Information security is more than technology. Information security is a mindset that prioritizes threats and targets so you can spend your time protecting the most valuable and at-risk targets in a way that has practical impact. Using a VPN to encrypt sensitive data on the network is a great idea, but don't get so lost in the details that you lose sight of big picture.