Security Solutions

Designing Access Controls
Make Decisions about Remote Access (VPN)
User Type and Sophistication
Which users are connecting to the network, and what level of expertise do
they have?
Although you can make a VPN available to whomever you choose, remote access
is commonly reserved for members of your organization. (That is, you do not
provide VPN connections for guest users.) Therefore, you can typically expect
a certain degree of interaction with the users.
However, members of your organization might have widely differing technical
skills, and a VPN client can be complicated to set up. At the least, the user must
specify the IP address of the VPN gateway and possibly a preshared key. For an
IPsec or L2TP/IPsec VPN, the user might also need to create a security policy
that matches the policy on the VPN gateway. Even the most sophisticated users
will require you to inform them of the correct settings. A typical user will
probably need detailed instructions for setting up the VPN client.
Typical users might find a PPTP VPN connection slightly easier to set up than
one that relies on IPsec. They will still need some instructions—and you must
inform them of your VPN gateway’s IP address—but they might be able to use
the default settings established through the Windows Network Connection
Wizard.
Setting up L2TP/IPsec, on the other hand, can be complicated by the fact that
users must specify options for both IPsec and L2TP. If you are using preshared
keys for the IPsec authentication method, some users might not understand that
they have to enter both that preshared key and their Windows domain credentials.
In the end, some find vendor VPN clients easier to use; others prefer the native
clients included with their endpoints’ OS. Members of your IT staff should
select a preferred VPN client. You may also want to ask users if they have any
particular preferences. Some of them may have experience using a VPN and
may be able to provide a user's perspective.
Note: The ProCurve VPN Client offers an attractive alternative to instructing less
technically savvy users in configuring an IPsec VPN connection. You can
create a customized policy that already includes necessary settings and perhaps
a preshared key. Then export that policy to the client’s setup files—ready to be
selected when each user installs the client.
As for an authentication method, user type and sophistication do not greatly
affect the choice. Whether a digital certificate or preshared key (password) is
easier for the user to configure depends on whether the user’s endpoint already