
Designing Access Controls
Make Decisions about Remote Access (VPN)
Table 3-30. Selecting VPN Options Based on Endpoint
Factor | VPN Protocol | Authentication | Encryption | Client | Gateway |
|
| Method |
|
|
|
|
|
|
|
|
|
Endpoint and | PPTP | MPPE | Windowsnativeor | Any that supports | |
administrative |
|
|
| Mac OS X native | PPTP |
control | L2TP/IPsec | Preshared key | Any | Windowsnativeor | Any that supports |
| |||||
|
|
|
| Mac OS X native | L2TP/IPsec |
|
|
|
|
|
|
Existing Network Infrastructure
Finally, you must look at your existing network infrastructure and make sure that your choices make sense within your current environment.
Primarily, your existing infrastructure affects your choice of VPN gateway. Do you have an existing device that supports VPN functionality, and does it make sense to use that device? How much traffic do you expect the VPN to handle? The documentation for the chosen device should indicate the number of tunnels that it can handle simultaneously. Is that sufficient, or do you need to add another device? If you must add a new device, you will need to build that device into your network layout and plan for redundant connections.
Your existing network may also affect your choice of authentication method. If you already have a complete Public Key Infrastructure (PKI), using digital certificates makes more sense. Of course, if users will be using their own endpoint, rather than the company’s endpoint (which has already been con- figured with the certificate), you will not be able to leverage most of your existing PKI. You must still plan on users configuring the endpoints at home.
Example
PCU already has a Secure Router 7203dl, which, with an IPsec VPN Module, supports up to 1000 VPN tunnels. Because PCU has 600 faculty members, the router should easily handle its additional role as VPN gateway. Using the router as the VPN gateway necessitates IPsec as the VPN
PCU already has a PKI, so the network administrators decide on digital certificates as a feasible and secure option for authentication. They can help faculty members copy the necessary digital certificate from their university endpoint to the ProCurve VPN client, which they will install at home.
When considering only existing network infrastructure, PCU network admin- istrators choose the VPN options displayed in Table