Designing Access Controls

Make Decisions about Remote Access (VPN)

Administrative Workload and IT Budget

Do network administrators have the time and resources to establish the VPN? How much budget has your organization allocated for this task?

No matter which VPN protocol is selected, IT staff must dedicate some time to configuring the VPN gateway and more time still to configuring VPN clients or training users how to configure the clients. Remote users often access the network with their own endpoint, so you will probably need to make a vendor VPN client (such as the ProCurve VPN client) available to them and instruct them how to install and configure it. As discussed in “User Type and Sophistication” on page 3-42, you will still need to guide most users through setting up a VPN connection.

The type of VPN gateway that you select also affects the administrative workload. Generally, a gateway built into an existing router (or possibly server) is easier to set up than a hardware appliance. You do not have to redesign network connections.

You should estimate the time required to complete these tasks on various gateways and clients. For which choices do you have the budget? Remember that you will also need to add the cost of the VPN solution itself. The two costs might involve trade-offs. For example, vendor clients often offer more features and perhaps a more intuitive interface, but you must purchase them. On the other hand, software VPN gateways built into an existing device are usually both easier to manage and cheaper than hardware appliances.

As far as the authentication method is concerned, managing digital certificates always demands more from IT staff than simply setting a password.

Specifying encryption protocols in IPsec and IKE policies, by contrast, involves the same amount of work no matter which protocols are selected. However, the more options you give users, the fewer calls your IT staff must field from users asking how to configure the correct ones.

Example

PCU network administrators have decided that whatever VPN protocol they choose, it will involve some work to establish the VPN. However, using VPN software that is built into an existing router will simplify the deployment. PCU is using the ProCurve Secure Router 7203dl, which can support IPsec, so network administrators choose that protocol.

The network administrators decide that, as far as they are concerned, pre-shared keys will be the easiest authentication method to set up.
