Designing Access Controls
Make Decisions about Remote Access (VPN)
| User Type and Sophistication |
| Which users are connecting to the network, and what level of expertise do |
| they have? |
| Although you can make a VPN available to whomever you choose, remote access |
| is commonly reserved for members of your organization. (That is, you do not |
| provide VPN connections for guest users.) Therefore, you can typically expect |
| a certain degree of interaction with the users. |
| However, members of your organization might have widely differing technical |
| skills, and a VPN client can be complicated to set up. At the least, the user must |
| specify the IP address of the VPN gateway and possibly a preshared key. For an |
| IPsec or L2TP/IPsec VPN, the user might also need to create a security policy |
| that matches the policy on the VPN gateway. Even the most sophisticated users |
| will require you to inform them of the correct settings. A typical user will |
| probably need detailed instructions for setting up the VPN client. |
| Typical users might find a PPTP VPN connection slightly easier to set up than |
| one that relies on IPsec. They will still need some |
| inform them of your VPN gateway’s IP |
| the default settings established through the Windows Network Connection |
| Wizard. |
| Setting up L2TP/IPsec, on the other hand, can be complicated by the fact that |
| users must specify options for both IPsec and for L2TP. If you are using preshared |
| keys for the IPsec authentication method, some users might not understand that |
| they have to enter that preshared key and their Windows domain credentials. |
| In the end, some find vendor VPN clients easier to use; others prefer the native |
| clients included with their endpoints’ OS. Members of your IT staff should |
| select a preferred VPN client. You may also want to ask users if they have any |
| particular preferences. Some of them may have experience using a VPN and |
| may be able to provide a user’s perspective. |
|
|
N o t e | The ProCurve VPN Client offers an attractive alternative to instructing less |
| technically savvy users in configuring an IPsec VPN connection. You can |
| create a customized policy that already includes necessary settings and perhaps |
| a preshared key. Then export that policy to the client’s setup |
| selected when each user installs the client. |
| As for an authentication method, user type and sophistication do not greatly |
| |
| affect the choice. Whether a digital certificate or preshared key (password) is |
| easier for the user to configure depends on whether the user’s endpoint already |