Security Solutions

3-47
Designing Access Controls
Make Decisions about Remote Access (VPN)
Table 3-30. Selecting VPN Options Based on Endpoint
Existing Network Infrastructure
Finally, you must look at your existing network infrastructure and make sure
that your choices make sense within your current environment.
Primarily, your existing infrastructure affects your choice of VPN gateway. Do
you have an existing device that supports VPN functionality, and does it make
sense to use that device? How much traffic do you expect the VPN to handle?
The documentation for the chosen device should indicate the number of
tunnels that it can handle simultaneously. Compare that figure against the
number of users you expect to be connected at the same time (total headcount
is a conservative upper bound), and check the device's encrypted throughput
as well, because the tunnel limit says nothing about bandwidth. Is that
sufficient, or do you need to add another device? If you must add a new
device, you will need to build that device into your network layout and plan
for redundant connections.
Your existing network may also affect your choice of authentication method.
If you already have a complete Public Key Infrastructure (PKI), using digital
certificates makes more sense. Of course, if users will be using their own
endpoints rather than the company's endpoints (which have already been
configured with certificates), you will not be able to leverage most of your
existing PKI, because the home machine holds neither the user's certificate
nor its private key. You must still plan on users configuring the endpoints
at home.
Example
PCU already has a Secure Router 7203dl, which, with an IPsec VPN Module,
supports up to 1000 VPN tunnels. Because PCU has 600 faculty members, the
router has capacity for every faculty member to connect at once and should
easily handle its additional role as VPN gateway. Using the router as the VPN
gateway dictates IPsec as the VPN protocol, which is a good choice because it
is a secure option.
PCU already has a PKI, so the network administrators decide on digital
certificates as a feasible and secure option for authentication. They can help
faculty members copy the necessary digital certificate from their university
endpoint to the ProCurve VPN client, which they will install at home. Because
the certificate is only usable together with its private key, the copy must
include that key: export it as a passphrase-protected PKCS #12 file and give
the faculty member the passphrase separately from the file.
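The export-and-verify step behind the two passages above (a certificate from an existing PKI being carried to a home endpoint), as an added example that is not part of the ProCurve text and does not show the ProCurve VPN client's own import dialog. It uses the openssl command-line tool only. The CA ("PCU Faculty CA"), the user "jdoe" and the passphrase are constructed stand-ins for PCU's PKI and its faculty; the issue-and-export steps are what an administrator would run, and verify_bundle performs the checks a gateway makes on the presented certificate (chains to the university CA, carries a client-authentication EKU) plus the one the administrator must make on the file (the private key is actually inside it).

```shell
#!/bin/sh
# Added example (not from the ProCurve text): issue a faculty certificate from a
# constructed stand-in for PCU's PKI, export certificate + private key as a
# passphrase-protected PKCS #12 bundle for the home VPN client, and check the
# bundle the way a gateway would (chains to the university CA, clientAuth EKU).
# Names (PCU Faculty CA, jdoe) and the passphrase are constructed for the example.
set -eu

WORK=$(mktemp -d)
PASS='constructed-passphrase-send-separately'

# Constructed CA standing in for the university's existing PKI.
make_ca() {  # $1 = working directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/O=PCU/CN=PCU Faculty CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Key pair and certificate for one faculty member, as generated on the
# university-managed endpoint. The EKU limits the cert to client authentication.
issue_client_cert() {  # $1 = working directory, $2 = username
  openssl req -newkey rsa:2048 -nodes -subj "/O=PCU/OU=Faculty/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  printf 'extendedKeyUsage = clientAuth\nkeyUsage = digitalSignature\n' > "$1/client.ext"
  openssl x509 -req -days 365 -in "$1/$2.csr" \
    -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -extfile "$1/client.ext" -out "$1/$2.crt" 2>/dev/null
}

# What actually gets copied to the home endpoint. The certificate alone is
# public and useless for authentication; the private key must travel with it,
# so both go into a PKCS #12 container encrypted under a passphrase that is
# handed to the faculty member out of band. Prints the bundle path.
export_p12() {  # $1 = working directory, $2 = username, $3 = passphrase
  openssl pkcs12 -export -inkey "$1/$2.key" -in "$1/$2.crt" \
    -certfile "$1/ca.crt" -name "$2" -passout "pass:$3" -out "$1/$2.p12"
  echo "$1/$2.p12"
}

# Does the bundle open at all with this passphrase? Prints yes or no.
bundle_opens_with() {  # $1 = bundle, $2 = passphrase
  if openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -out /dev/null 2>/dev/null
  then echo yes; else echo no; fi
}

# The checks the gateway (and the admin installing the client) should make:
# the bundle contains a private key, the certificate chains to the university
# CA, and it is marked for client authentication. Prints ok or fail.
verify_bundle() {  # $1 = bundle, $2 = passphrase, $3 = trusted CA certificate
  tmp=$(mktemp -d)
  if openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts \
       -out "$tmp/cert.pem" 2>/dev/null \
     && openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes \
       -out "$tmp/key.pem" 2>/dev/null \
     && grep -q 'PRIVATE KEY' "$tmp/key.pem" \
     && openssl verify -CAfile "$3" "$tmp/cert.pem" >/dev/null 2>&1 \
     && openssl x509 -in "$tmp/cert.pem" -noout -text \
        | grep -q 'TLS Web Client Authentication'
  then echo ok; else echo fail; fi
  rm -rf "$tmp"
}

make_ca "$WORK"
issue_client_cert "$WORK" jdoe
BUNDLE=$(export_p12 "$WORK" jdoe "$PASS")
echo "bundle for the home client: $BUNDLE"
echo "opens with correct passphrase: $(bundle_opens_with "$BUNDLE" "$PASS")"
echo "opens with wrong passphrase:   $(bundle_opens_with "$BUNDLE" wrong)"
echo "has key, chains to PCU CA, clientAuth: $(verify_bundle "$BUNDLE" "$PASS" "$WORK/ca.crt")"
```

A bundle issued by any other CA fails verify_bundle against the PCU CA certificate, which is the property the gateway relies on; revocation checking (CRL or OCSP), which a production gateway should also perform, is not modelled here.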
When considering only existing network infrastructure, PCU network
administrators choose the VPN options displayed in Table 3-31.
Table 3-30. Selecting VPN Options Based on Endpoint (continued)

Factor           VPN Protocol   Authentication   Encryption   Client                 Gateway
                                Method
Endpoint and     PPTP           MS-CHAPv2        MPPE         Windows native or      Any that supports
administrative                                                Mac OS X native        PPTP
control          L2TP/IPsec     Preshared key    Any          Windows native or      Any that supports
                                                              Mac OS X native        L2TP/IPsec