Security Solutions

3-39
Designing Access Controls
Make Decisions about Remote Access (VPN)
Note: The IPsec protocol in particular requires you to design a detailed security policy. In addition to the options listed above, policies include parameters such as the Diffie-Hellman group, the IKE initiate and response mode, and separate encryption and hash algorithms for the temporary IKE security association (SA). Although a detailed discussion of these options is beyond the scope of this guide, you can find a very detailed explanation in the ProCurve Secure Router Advanced Management and Configuration Guide.
Finally, endpoints require a VPN client, which is configured to match the options on the VPN gateway. The gateway itself can be a standalone hardware appliance or software built into a router, firewall, or server.

Table 3-25 lists the options available for the three most common VPN protocols.
Table 3-25. Options for VPN Protocols

| Protocol | Authentication Methods | Encryption Protocols and Algorithms | Client | Gateway |
|---|---|---|---|---|
| IPsec with IKE | IKE: preshared key (password); digital certificates: Rivest Signature Algorithm (RSA), Digital Signature Algorithm (DSA); Xauth (optional second layer of authentication) | Authentication Header (AH), integrity only: MD5, SHA-1. Encapsulating Security Payload (ESP), integrity and privacy: MD5, SHA-1, Digital Encryption Standard (DES), Triple DES (3DES), Advanced Encryption Standard (AES) | ProCurve VPN Client; Mac native (no GUI); Linux FreeS/WAN; other vendors | ProCurve Secure Router 7000dl; other vendor: software built into a router or firewall, or a hardware appliance |
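The note above says an IPsec policy has to pin down the authentication method, encryption and hash algorithms, and Diffie-Hellman group for the IKE SA, and that the client must be configured to match the gateway. The following Python example (added here; it is not code from the ProCurve guide or from any ProCurve product) models those parameters, performs the ordered proposal matching that IKE phase 1 does between a client and a gateway, and reports which accepted proposals still rely on the weaker Table 3-25 algorithms. The policy values, the names "psk", "rsa-sig", "modp2048" and so on, and the weak-algorithm list are this example's own constructed conventions.

```python
from dataclasses import dataclass
from typing import Optional

# Values from Table 3-25 that this example (not the guide) flags as weak
# for a current design: single/triple DES, MD5, SHA-1 and small DH groups.
WEAK = {"des", "3des", "md5", "sha1", "modp768", "modp1024"}


@dataclass(frozen=True)
class IkeProposal:
    """One IKE phase 1 proposal: the parameters the note says a policy must fix."""
    auth: str        # "psk" (preshared key), "rsa-sig" or "dsa-sig" (digital certificates)
    encryption: str  # "des", "3des", "aes128", "aes256"
    hash: str        # "md5", "sha1", "sha256"
    dh_group: str    # Diffie-Hellman group, e.g. "modp1024", "modp2048"


@dataclass(frozen=True)
class IkePolicy:
    """An endpoint's IKE policy: exchange mode plus proposals in preference order."""
    mode: str                           # "main" or "aggressive"
    proposals: tuple[IkeProposal, ...]


def weak_parameters(p: IkeProposal) -> list[str]:
    """Return the parameters of a proposal that are on the weak list."""
    return [v for v in (p.encryption, p.hash, p.dh_group) if v in WEAK]


def review(policy: IkePolicy) -> dict[IkeProposal, list[str]]:
    """Map each weak proposal in a policy to the parameters that make it weak."""
    return {p: weak_parameters(p) for p in policy.proposals if weak_parameters(p)}


def negotiate(client: IkePolicy, gateway: IkePolicy) -> Optional[IkeProposal]:
    """Pick the first client proposal the gateway also accepts, or None.

    Both sides must use the same exchange mode, and IKE walks the initiator's
    proposals in order, so a client that lists a legacy proposal first will
    get it even when both sides support something stronger.
    """
    if client.mode != gateway.mode:
        return None
    accepted = set(gateway.proposals)
    for proposal in client.proposals:
        if proposal in accepted:
            return proposal
    return None


# Constructed sample policies (hypothetical, not taken from any device).
STRONG = IkeProposal("rsa-sig", "aes256", "sha256", "modp2048")
LEGACY = IkeProposal("psk", "3des", "sha1", "modp1024")
OBSOLETE = IkeProposal("psk", "des", "md5", "modp768")

GATEWAY = IkePolicy("main", (STRONG, LEGACY))          # legacy kept for old clients
MODERN_CLIENT = IkePolicy("main", (STRONG, LEGACY))
OLD_CLIENT = IkePolicy("main", (LEGACY, STRONG))       # weak proposal listed first
UNSUPPORTED_CLIENT = IkePolicy("main", (OBSOLETE,))
AGGRESSIVE_CLIENT = IkePolicy("aggressive", (STRONG,))


if __name__ == "__main__":
    clients = [("modern", MODERN_CLIENT), ("old", OLD_CLIENT),
               ("unsupported", UNSUPPORTED_CLIENT), ("aggressive", AGGRESSIVE_CLIENT)]
    for name, client in clients:
        print(f"{name}: {negotiate(client, GATEWAY)}")
    for proposal, weak in review(GATEWAY).items():
        print(f"gateway still accepts {proposal} because of {weak}")
```

Two things the run makes visible that the table alone does not: a gateway that keeps a legacy proposal for old clients will hand it to any client whose preference order puts it first, and a client whose mode or proposal set does not intersect the gateway's simply fails to negotiate, which is the symptom a help desk sees when client and gateway options are not matched.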