|
|
| Designing Access Controls |
|
| Make Decisions about Remote Access (VPN) | |
|
| ||
N o t e | The IPsec protocol in particular requires you to design a detailed security | ||
| policy. In addition to the options listed above, policies include parameters | ||
| such as the | ||
| separate encryption and hash algorithms for the temporary IKE security | ||
| association (SA). Although a detailed discussion of these options is beyond | ||
| the scope of this guide, you can find a very detailed explanation in the | ||
| ProCurve Secure Router Advanced Management and Configuration Guide. | ||
| Finally, endpoints require a VPN client, which is configured to match options | ||
| |||
| on the VPN gateway. The gateway itself can be a standalone hardware appli- | ||
| ance or software built into a router, firewall, or server. | ||
| Table | ||
| protocols. |
|
|
| Table |
| |
|
|
|
|
Protocol | Authentication | Encryption Protocols Client | Gateway |
| Methods | and Algorithms |
|
|
|
|
|
IPsec with IKE | IKE |
| Authentication | ||
| • | Preshared key | Header (AH), integrity | ||
|
| (password) | only | ||
| • | Digital certificates: | • | Message Digest 5 | |
|
| – | Rivest |
| (MD5) |
|
| • | Secure Hash | ||
|
|
| Signature | ||
|
|
| Algorithm (RSA) |
| Algorithm 1 |
|
| – | Digital |
| |
|
| Encapsulating | |||
|
|
| Signature | ||
|
|
| Algorithm (DSA) | Security Payload | |
| (ESP), integrity and | ||||
| privacy: | ||||
| second layer of | ||||
| • | MD5 | |||
| authentication | ||||
|
|
|
| • |
|
|
|
|
| • | Digital Encryption |
|
|
|
|
| Standard (DES) |
|
|
|
| • | Triple DES (3DES) |
|
|
|
| • | Advanced |
|
|
|
|
| Encryption |
|
|
|
|
| Standard (AES) |
• | ProCurve VPN | • | ProCurve Secure | |
| Client |
| Router 7000dl | |
• Mac native (no GUI) | • | Other vendor: | ||
• | Linux FreeS/WAN |
| – | Software built |
• | Other vendors |
|
| into a router or |
|
|
|
| firewall |
|
|
| – | Hardware |
|
|
|
| appliance |
