Security Solutions

Designing Access Controls
Make Decisions about Remote Access (VPN)
has a valid certificate installed on it. If so, the digital certificate method shouldn’t
pose problems even for less skilled users. If you use PPTP, users can log in with
their normal credentials and have one fewer password to remember.
Finally, the encryption algorithms are about equally easy to select in a
client's security policy. However, the more options you allow in the gateway's
security policy, the less likely it is that a misconfigured policy will prevent a user
from connecting.
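The following sketch is an added illustration, not part of the original guide or any ProCurve software. It models IKE-style proposal matching in simplified form (the first client proposal that the gateway accepts wins) to show how the breadth of the gateway policy decides which client policies can connect. The names `Proposal`, `gateway_policy`, `negotiate` and `connect_report`, and all algorithm lists and client policies, are constructed for the example.

```python
from itertools import product
from typing import NamedTuple, Optional


class Proposal(NamedTuple):
    encryption: str
    integrity: str
    dh_group: int


def gateway_policy(encryptions, integrities, dh_groups):
    """Expand the options a gateway allows into the set of proposals it accepts."""
    return {Proposal(e, i, g) for e, i, g in product(encryptions, integrities, dh_groups)}


def negotiate(client_proposals, accepted) -> Optional[Proposal]:
    """Return the first client proposal the gateway accepts, or None (no tunnel)."""
    for proposal in client_proposals:
        if proposal in accepted:
            return proposal
    return None


def connect_report(clients, accepted):
    """Map each client name to the proposal it ends up with (None = cannot connect)."""
    return {name: negotiate(props, accepted) for name, props in clients.items()}


# Constructed sample policies: one gateway with a single allowed combination,
# one that allows several options per attribute.
NARROW = gateway_policy({"aes-256"}, {"sha1"}, {5})
BROAD = gateway_policy({"3des", "aes-128", "aes-256"}, {"md5", "sha1"}, {2, 5})

# Constructed client policies: one matching the intended settings, three that drifted.
CLIENTS = {
    "preconfigured": [Proposal("aes-256", "sha1", 5)],
    "hand-edited": [Proposal("aes-128", "sha1", 2)],
    "legacy": [Proposal("3des", "md5", 2)],
    "wrong-group": [Proposal("aes-256", "sha1", 14)],
}

if __name__ == "__main__":
    for label, policy in (("narrow", NARROW), ("broad", BROAD)):
        print(f"{label} gateway policy ({len(policy)} accepted combinations)")
        for name, result in connect_report(CLIENTS, policy).items():
            print(f"  {name:14} -> {result or 'no match, connection fails'}")
```

Against the broad policy the hand-edited and legacy clients connect, while a client requesting an option outside the allowed lists still fails. Every accepted combination is one the gateway will actually negotiate, so the legacy row shows the broad policy settling on 3des/md5.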
Example
At PCU, only members of the faculty can log in to the university’s VPN. These
users have a wide range of skills. PCU network administrators narrow their
choices to PPTP configured with the Windows Network Connection Wizard or
IPsec using the ProCurve VPN Client with a pre-configured policy.
Users already have digital certificates, so they will continue to use those. (They
may need instructions on installing them on a personal endpoint.)
The IT staff is responsible for setting up the VPN gateway, so user type and
sophistication won’t affect that choice. The network administrators just need
to select a gateway that meets the needs of their network environment.
When factoring in only user type and sophistication, the PCU network
administrators have decided that the two options shown in Table 3-29 are equally
desirable.
Table 3-27. Selecting VPN Options Based on User Type and Sophistication

| Factor | VPN Protocol | Authentication Method | Encryption | Client | Gateway |
|---|---|---|---|---|---|
| User type and sophistication | PPTP | EAP-TLS | MPPE | Windows native | Windows Server 2000 or 2003; other vendor: software built in to router or firewall, or hardware appliance |
| | IPsec with IKE | Digital certificates | Any | ProCurve VPN Client with preconfigured policy | Secure Router 7000dl |