Security Solutions
3-40
Designing Access Controls
Make Decisions about Remote Access (VPN)
The rest of this section guides you through the process of selecting these
VPN options. Although the VPN technologies and options are quite different
from those for port authentication, the factors that you must consider are
similar:
■ Vulnerability and risk assessment
■ User type and sophistication
■ Administrative workload and IT budget
■ Endpoints and administrative control over endpoints
■ Existing network infrastructure
Vulnerability and Risk Assessment
How vulnerable is the network? How much risk can your company tolerate?
In “Vulnerability and Risk Tolerance” on page 3-21, you already considered the
negative consequences of a security breach. The only difference for the
remote zone is that the potential field of attackers widens. For example, a
hacker attempting to collect passwords on your LAN must first gain access to a
port in your LAN. A VPN gateway, on the other hand, is reachable from
practically any location on the Internet, so anyone there can attempt to
connect to your private network. With a good VPN design, however, you can
ensure that convenient access does not come at the price of exposing
confidential data to any Internet user.
VPN protocols compared: authentication methods, encryption protocols and
algorithms, client, and gateway

Protocol: L2TP/IPsec
  Authentication methods: IKE
    • Preshared key (password)
    • Digital certificates:
      – RSA
      – DSA
  Encryption protocols and algorithms: ESP, integrity and privacy
    • Integrity: MD5, SHA-1
    • Privacy: DES, 3DES, AES
  Client:
    • Windows native
  Gateway:
    • Windows Server 2000 or 2003
    • Other vendors:
      – Software built into router or firewall
      – Hardware appliance

Protocol: PPTP
  Authentication methods:
    • Microsoft Challenge Handshake Authentication Protocol version 2
      (MS-CHAPv2) (passwords)
    • EAP-TLS (digital certificate)
  Encryption protocols and algorithms: Microsoft Point-to-Point Encryption
  (MPPE), privacy
    • Rivest Cipher 4 (RC4)
  Client:
    • Windows native
    • Mac native
    • Other vendors
  Gateway:
    • Windows Server 2000 or 2003
    • Other vendors:
      – Software built into router or firewall
      – Hardware appliance
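The table lists what each protocol can negotiate, not which options you should choose. The two ends of the L2TP/IPsec row differ a great deal in strength: a preshared password is one secret shared by every client and gateway, MD5 and DES are no longer considered strong, and on the PPTP row MS-CHAPv2 password authentication and RC4 are likewise considered broken today. The following gateway configuration is an added example and is not from the original page or from any product it names; it assumes a Libreswan gateway (ipsec.conf syntax) terminating L2TP/IPsec for Windows native clients, and the certificate nickname, secrets placeholder and connection names are assumptions. The first conn is the weak end of the table (preshared key, 3DES, MD5); the second is the strong end (RSA certificate, AES), and its SHA-2 integrity check goes beyond the SHA-1 listed in the table.

```ini
# Added example, not from the original page. Assumes a Libreswan gateway
# (ipsec.conf syntax) terminating L2TP/IPsec for Windows native clients.
# Connection names and the certificate nickname "vpngw" are assumptions.

# --- Weak end of the table: preshared key, 3DES, MD5 ------------------
# Every option here appears in the table, but MD5 integrity and 3DES are
# weak, and one shared password must be given to every client and gateway.
# (Single DES is left out; Libreswan does not support it.)
conn l2tp-psk-weak
    type=transport
    authby=secret              # IKE authentication: preshared key (password)
    ike=3des-md5;modp1024      # IKE proposal: 3DES privacy, MD5 integrity
    phase2alg=3des-md5         # ESP proposal: 3DES privacy, MD5 integrity
    pfs=no                     # Windows L2TP clients do not request PFS
    left=%defaultroute
    leftprotoport=17/1701      # L2TP runs over UDP port 1701
    right=%any
    rightprotoport=17/%any
    auto=add
# The matching secret lives in ipsec.secrets (placeholder, not a real key):
#   : PSK "replace-with-a-long-random-secret"

# --- Strong end of the table: RSA certificate, AES, SHA-2 -------------
conn l2tp-cert
    type=transport
    authby=rsasig              # IKE authentication: digital certificate (RSA)
    leftcert=vpngw             # gateway certificate in the NSS database (assumed name)
    leftid=%fromcert
    rightid=%fromcert
    rightca=%same              # accept only clients issued by the gateway's CA
    ike=aes256-sha2_256;modp2048     # AES-256 privacy, SHA-256 integrity
    phase2alg=aes256-sha2_256        # ESP proposal: AES-256, SHA-256
    pfs=no
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    auto=add
```

Loading only the second conn on the gateway removes the weak proposals from what any Internet user can negotiate, which is the point of the risk discussion above: the gateway is reachable from everywhere, so the proposals it accepts, not just the ones it prefers, define its exposure.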