Security Solutions
3-36
Designing Access Controls
Table 3-22. Access Control Methods for Each Zone

Zone               Access Control Method
Private wired      802.1X and MAC-Auth (for endpoints that do not support 802.1X)
Public wired       Web-Auth, except for headless devices, which use MAC-Auth
Private wireless   802.1X with WPA/WPA2
Public wireless    Web-Auth

Remember that the PCU network administrators noted that the users in the administration building would need some help if 802.1X was selected as the access control method. Because they cannot hire additional network administrators, they will have to conduct some training classes for these users. This requirement is documented in the PCU's comprehensive security policy.

Make Decisions about Remote Access (VPN)

The previous section guided you through choosing an access control method for four security zones within your network. However, your company might have a fifth zone: remote. The remote zone would include any users who access the network remotely—here defined as over a public connection (probably the Internet).

Such remote access is provided by a VPN solution. When you are evaluating access control methods, you are concerned with client-to-site VPNs, which establish a virtual point-to-point connection, or tunnel, between a remote endpoint and a gateway. (A VPN can also establish a tunnel between two sites.) The gateway grants access to the inside network.

Strictly speaking, a tunnel is any virtual point-to-point connection over which encapsulated traffic is untouched by devices between the two points. For the purposes of this guide, a tunnel must be a secure channel; that is, it protects the privacy and integrity of data with encryption. A VPN protocol handles setting up the secure channel and, in the process, authenticating the remote users.