Security Solutions
3-144
Designing Access Controls
Lay Out the Network
VPN Protocol and Encryption Algorithms. The VPN protocol is responsible
for establishing secure tunnels between remote users and a device (typically
a VPN gateway) in the private network. Several VPN protocols are available;
the most common are PPTP, IPsec with IKE, and L2TP/IPsec with IKE. The two
that use IPsec are the more secure choices. As you set up the VPN, you must
also decide on options such as the authentication method and the encryption
algorithms.
For the authentication method, digital certificates provide stronger security,
but a preshared key (or password) offers quicker setup. PPTP with MS-CHAP
allows users to log in with their domain credentials, but the cryptographic
weaknesses of MS-CHAP are well documented, so do not rely on it where an
IPsec-based protocol is an option. The preshared key for IPsec with IKE, on
the other hand, is a password specifically for the VPN and shared by all remote
users; one compromised laptop therefore discloses the key for everyone.
However, Xauth, a supplemental authentication step performed after the
preshared key has been verified, can rely on existing per-user domain
credentials.
As in wireless zones, you should assume that any data passed into the remote
zone can be intercepted. Choose an encryption algorithm accordingly: use AES
whenever possible, and do not accept DES in any proposal.
Endpoint Integrity. Testing endpoint integrity is particularly important in
the remote zone: it may be the only control you have over the endpoints that
access your network.
Because the remote zone connects to the private network at a single choke
point—the VPN gateway—the inline deployment method is typically your best
option. With the inline deployment method, the NAC 800 is placed between
the VPN gateway and the switch that connects to the LAN.
Choose VPN Gateway and VPN Client. The VPN gateway can be a standalone
hardware appliance or functionality built into an infrastructure device such
as a router. Because the gateway terminates a secure tunnel to each remote
endpoint, it must have enough processing capacity to encrypt and decrypt all
of the tunneled traffic at the expected number of concurrent connections.
If the VPN gateway is not built into the router that connects to the Internet,
you’ll need to plan where to deploy it. Generally, you should place the VPN
gateway as close to the router as possible.
Whether or not the gateway is a standalone device, you must consider one
more aspect of the design: do remote endpoints have IP addresses that
undergo Network Address Translation (NAT)? This is the case whenever a
remote endpoint sits on another LAN behind a NAT router, and most home
broadband connections translate addresses as well. NAT breaks plain IPsec:
AH authenticates the IP header, so any rewrite invalidates it, and ESP carries
no port numbers for a NAT device to translate. The gateway and the VPN client
must therefore both support NAT traversal (NAT-T), which detects NAT during
the IKE exchange and then encapsulates ESP in UDP on port 4500.
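The following is an added example, not code from the ProCurve guide, showing how the two IKE peers actually discover whether NAT sits between them. It models the NAT-D payload exchange of RFC 3947: each side sends hashes of the addresses it believes are in use, and the receiver compares them with what arrived on the wire. SHA-1 stands in for the hash algorithm negotiated in the IKE SA, and the cookies and addresses (RFC 1918 and RFC 5737 ranges) are constructed for the scenario.

```python
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """Body of one NAT-D payload (RFC 3947, section 4):
    HASH(CKY-I | CKY-R | IP | Port). SHA-1 stands in for the hash
    algorithm negotiated in the IKE SA (an assumption of this example)."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def build_nat_d_payloads(cky_i, cky_r, peer_ip, peer_port, local_ips, local_port):
    """Sender side. The first payload hashes the remote address as the sender
    sees it; each following payload hashes one address the sender believes it
    owns locally (a multi-homed host sends several)."""
    payloads = [nat_d_hash(cky_i, cky_r, peer_ip, peer_port)]
    payloads += [nat_d_hash(cky_i, cky_r, ip, local_port) for ip in local_ips]
    return payloads


def detect_nat(cky_i, cky_r, received, my_ips, my_port, observed_ip, observed_port):
    """Receiver side. `received` is the list of NAT-D payloads from the peer;
    `observed_*` is the source address/port of the UDP packet that carried them.

    peer_behind_nat:  none of the peer's 'my address' hashes matches what we
                      actually saw on the wire, so something rewrote its source.
    local_behind_nat: the peer's hash of 'your address' matches none of our
                      own addresses, so our packets are being rewritten too.
    """
    if len(received) < 2:
        raise ValueError("need a remote hash plus at least one local hash")
    remote_hash, peer_local_hashes = received[0], received[1:]
    observed = nat_d_hash(cky_i, cky_r, observed_ip, observed_port)
    peer_behind_nat = observed not in peer_local_hashes
    my_hashes = {nat_d_hash(cky_i, cky_r, ip, my_port) for ip in my_ips}
    local_behind_nat = remote_hash not in my_hashes
    return {
        "peer_behind_nat": peer_behind_nat,
        "local_behind_nat": local_behind_nat,
        # Either side behind NAT means the peers must switch to UDP-encapsulated
        # ESP on port 4500 (RFC 3948) instead of raw ESP.
        "use_nat_t": peer_behind_nat or local_behind_nat,
    }


# Constructed scenario values (documentation and private address ranges).
CKY_I = bytes.fromhex("0011223344556677")   # initiator cookie from the IKE header
CKY_R = bytes.fromhex("8899aabbccddeeff")   # responder cookie
GATEWAY_IP = "198.51.100.1"                 # VPN gateway's public address
IKE_PORT = 500


def simulate_remote_lan_client():
    """Telecommuter on a branch LAN: the client is 192.168.1.20, and its router
    rewrites the source to 203.0.113.5 before the packet reaches the gateway."""
    payloads = build_nat_d_payloads(CKY_I, CKY_R, GATEWAY_IP, IKE_PORT,
                                    ["192.168.1.20"], IKE_PORT)
    return detect_nat(CKY_I, CKY_R, payloads, [GATEWAY_IP], IKE_PORT,
                      "203.0.113.5", 27015)   # the NAT also chose a new source port


def simulate_direct_client():
    """Client with a public address of its own: nothing is rewritten."""
    payloads = build_nat_d_payloads(CKY_I, CKY_R, GATEWAY_IP, IKE_PORT,
                                    ["203.0.113.7"], IKE_PORT)
    return detect_nat(CKY_I, CKY_R, payloads, [GATEWAY_IP], IKE_PORT,
                      "203.0.113.7", IKE_PORT)


if __name__ == "__main__":
    print("remote LAN client:", simulate_remote_lan_client())
    print("direct client:    ", simulate_direct_client())
```

The gateway learns that the branch-LAN client is behind NAT because the hash it computes over the observed source (203.0.113.5:27015) matches none of the client's "my address" hashes, while the client's hash of the gateway address matches the gateway's own, so only the client side is translated; the peers then move the tunnel to UDP port 4500. For the directly connected client every hash matches and raw ESP can be used.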