Designing Access Controls
Lay Out the Network
VPN Protocol and Encryption Algorithms. The VPN protocol is responsible for establishing secure tunnels between remote users and a device (typically a VPN gateway) in the private network. You can choose from several VPN protocols. The most common include PPTP, IPsec with IKE, and L2TP/IPsec with IKE. The two that use IPsec are the more secure protocols.
As you set up the VPN, you must consider options such as the authentication method and encryption algorithms.
For the authentication method, digital certificates provide stronger security, but a preshared key (or password) offers quicker setup. PPTP with
As in wireless zones, you should assume that any data passed into the remote zone can be intercepted. Choose an encryption algorithm accordingly: use AES whenever possible.
Endpoint Integrity. Testing endpoint integrity is particularly important in the remote zone: it may be the only control you have over the endpoints that access your network.
Because the remote zone connects to the private network at a single choke
Choose VPN Gateway and VPN Client. The VPN gateway can be a standalone hardware appliance or functionality built into an infrastructure device such as a router. Because the gateway is responsible for terminating a secure tunnel to each remote endpoint, it must be powerful enough to encrypt and decrypt all of the traffic.
If the VPN gateway is not built into the router that connects to the Internet, you’ll need to plan where to deploy it. Generally, you should place the VPN gateway as close to the router as possible.
Whether or not the gateway is a standalone device, you must consider one more aspect of the design: do remote endpoints have IP addresses that undergo Network Address Translation (NAT)? This is usually the case when a remote endpoint is on another LAN, rather than a simple home connection.
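The NAT question above can be answered by the IKE exchange itself. The following added example (not from the original guide) goes beyond the text and sketches the NAT detection check, assuming IKEv2 as specified in RFC 7296 section 2.23; the function names, SPI value and documentation-range addresses are constructed for illustration.

```python
import hashlib
import ipaddress
import struct

def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """SHA-1 over initiator SPI | responder SPI | IP | port (RFC 7296, 2.23)."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 octets each")
    addr = ipaddress.ip_address(ip).packed          # 4 octets IPv4, 16 octets IPv6
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()

def gateway_nat_check(spi_i, spi_r, claimed_src_hash, claimed_dst_hash,
                      seen_src, seen_dst):
    """Return which side of the path is translated, as the gateway sees it.

    claimed_*_hash: NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP
    data built by the remote endpoint from its own view of the addresses.
    seen_*: (ip, port) taken from the IP/UDP headers of the received packet.
    """
    peer_nat = nat_detection_hash(spi_i, spi_r, *seen_src) != claimed_src_hash
    gateway_nat = nat_detection_hash(spi_i, spi_r, *seen_dst) != claimed_dst_hash
    return {
        "peer_behind_nat": peer_nat,
        "gateway_behind_nat": gateway_nat,
        # With NAT on the path, IKE and ESP move to UDP 4500 (RFC 3948).
        "udp_encapsulation": peer_nat or gateway_nat,
    }

def simulate(endpoint_addr, gateway_addr, observed_src):
    """Constructed scenario: the endpoint builds the hashes, the gateway checks them."""
    # In the first request the responder SPI is still zero.
    spi_i, spi_r = bytes.fromhex("1122334455667788"), bytes(8)
    src_hash = nat_detection_hash(spi_i, spi_r, *endpoint_addr)
    dst_hash = nat_detection_hash(spi_i, spi_r, *gateway_addr)
    return gateway_nat_check(spi_i, spi_r, src_hash, dst_hash,
                             observed_src, gateway_addr)

GATEWAY = ("203.0.113.10", 500)                     # constructed documentation address

if __name__ == "__main__":
    # Simple home connection with a public address: the source is not rewritten.
    print(simulate(("198.51.100.7", 500), GATEWAY, ("198.51.100.7", 500)))
    # Endpoint on another LAN: its router rewrites 192.168.1.50:500 on the way out.
    print(simulate(("192.168.1.50", 500), GATEWAY, ("198.51.100.7", 32001)))
```

When the check reports NAT on the path, the gateway and any firewall in front of it must permit UDP 4500 in addition to UDP 500, because ESP is then carried inside UDP.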