Security Solutions
Designing Access Controls
Make Decisions about Remote Access (VPN)
Administrative Workload and IT Budget
Do network administrators have the time and resources to establish the VPN?
How much budget has your organization allocated for this task?
No matter which VPN protocol is selected, IT staff must dedicate some time
to configuring the VPN gateway and more time still to configuring VPN clients
or training users how to configure the clients. Remote users often access the
network with their own endpoint, so you will probably need to make a vendor
VPN client (such as the ProCurve VPN client) available to them and instruct
them how to install and configure it. As discussed in “User Type and
Sophistication” on page 3-42, you will still need to guide most users through
setting up a VPN connection.
The type of VPN gateway that you select also affects the administrative
workload. Generally, a gateway built into an existing router (or possibly a
server) is easier to set up than a hardware appliance because you do not have
to redesign network connections.
You should estimate the time required to complete these tasks on various
gateways and clients. For which choices do you have the budget? Remember
that you will also need to add the cost of the VPN solution itself. The two costs
might involve trade-offs. For example, vendor clients often offer more features
and perhaps a more intuitive interface, but you must purchase them. On the
other hand, software VPN gateways built into an existing device are usually
both easier to manage and cheaper than hardware appliances.
As far as the authentication method is concerned, managing digital certificates
always demands more from IT staff than simply setting a password.
On the other hand, specifying encryption protocols in IPsec and IKE policies
involves the same amount of work no matter which protocols are selected.
However, the more options you give users, the fewer calls your IT staff must
field explaining to users how to configure the correct ones.
Example
PCU network administrators have decided that whatever VPN protocol they
choose, it will involve some work to establish the VPN. However, using VPN
software that is built into an existing router will simplify the deployment. PCU
is using the ProCurve Secure Router 7203dl, which can support IPsec, so
network administrators choose that protocol.
The network administrators decide that, as far as they are concerned,
pre-shared keys will be the easiest authentication method to set up.