VPN Deployment Strategies: Evaluation Criteria - PowerPoint PPT Presentation

1
VPN Deployment Strategies: Evaluation Criteria
  • Paper by Keith Pasley, PGP Security
  • Presentation by David Piscitello, Core Competence

2
What is a VPN?
  • VPNs allow private information to be transferred
    securely across a public network
  • An extension of the network perimeter
  • Technical benefits of IPsec VPNs include
    • reduced business operational costs,
    • increased security of network access,
    • in-transit data integrity,
    • user and data authentication,
    • data confidentiality

3
IPsec VPN Applications
  • Remote Access - Most popular
  • Intranet - Probably easiest to control
  • Extranet - Hard to do effectively
  • Secure Internal Net - Government mandates will help
    increase usage

4
Secure Remote Access
  • Business goal: Lower telecom costs, increase
    employee productivity
  • Technical goal: Provide secured same-as-LAN access
    to remote workers

[Diagram: a traveler at a hotel or customer site and a
teleworker at home reach the corporate office RAS over the
public telephone network (local modem call); IKE/IPsec SAs
run between the clients and the RAS.]

5
Client Considerations
  • Operating System support
  • Client policy distribution and updates
  • Client software / IPsec security gateway
    interoperability
  • Asserting access controls on sensitive data
  • Protecting client SW, policy, tunnels from
    subversion
  • Enabling collaborative applications (NetMeeting)
  • Hardware and communications compatibilities

6
Evaluation Criteria: Remote Access VPN Client
  • File/disk encryption required?
  • Do encryption requirements demand high
    performance PCs, laptops?
  • Desktop IDS and personal or distributed desktop
    firewall (central administration)
  • Ability to lock down VPN client configuration
  • Authenticated, confidential, and user transparent
    VPN client policy update
  • Adherence to current industry VPN standards (if
    interoperability is required)

7
RAS Considerations
  • The hardware (point of tunnel aggregation)
    • Vertical scalability (bigger/faster RAS)
    • VPN server load balancing
    • High availability
    • Encryption acceleration
  • The software
    • Task automation
    • Logging/auditing/reporting/alerts
    • Client software and policy export (push)
    • Legacy authentication support
    • PKI support and interoperability

8
Evaluation Criteria: Remote Access (VPN) Server
  • Vertical scalability and load balancing option?
  • High availability option?
  • Integration with user authentication systems?
  • Hardware based encryption/decryption?
  • What authentication types are supported?
  • VPN server run on a hardened OS?
  • Firewall integration? Client and server side?
  • Centralized client management features
  • Client support for desktop OS?
  • Support of industry VPN standards for
    interoperability?

9
Intranet VPN
  • Business goal: Reduced network infrastructure costs
    and increased information flow within an
    organization
  • Technical goal: Provide secured site-to-site access
    over any public, switched access service (IP, ATM,
    Frame Relay, DSL/Cable)

[Diagram: sites at LAX, NYC, PHX and ATL connected across
an ATM / Frame Relay WAN; IKE/IPsec SAs run between the VPN
security gateways at each site.]

10
Evaluation Criteria: Intranet VPNs
  • Automatic policy distribution and configuration
  • Mesh topology automatic configuration, support
    for hub-and-spoke topology
  • Network and service monitoring capability
  • Adherence to VPN standards if used in a
    heterogeneous network
  • Class of service support (MPLS/DiffServ)?
  • Dynamic routing and tunnel setup capability
  • Scalability and High-Availability

11
Extranet VPN
  • Selective flow of information between business
    partners and customers
  • Highly granular access control, strong
    authentication
  • User (client, customer) to company
    • Secure Remote Access evaluation criteria apply
    • Is the client desktop outside your control?
    • The SSL vs. IPsec debate comes into play
  • Company-to-company (e.g., ANX)
    • Intranet VPN evaluation criteria apply
    • Is security gateway selection outside your control?

12
Evaluation Criteria: Extranet VPN
  • ADD to Remote Access VPN profile
    • Strongest scalable mutual authentication
    • Provision for rapid add/drop/change of users and
      credentials
    • Finer granularity of access controls
    • Minimally intrusive desktop software
    • Minimally intrusive to normal application use
  • ADD to Intranet VPN profile
    • Cross-organizational service level monitoring,
      reporting and enforcement
    • Cross-organizational administration
  • ADD to BOTH
    • Multi-party administration of authentication

13
Secured Internal Network
  • Business goal
    • Protect the organization from insider threats
  • Technical goals
    • Isolate (compartmentalize) internal subnets by
      moving IPsec tunnel endpoints close to the
      application servers
    • Extend the VLAN concept: a geographically
      dispersed user group operates in a client-server
      LAN environment, including mobile and teleworker
      employees

14
Evaluation Profile: Secure Internal Network
  • ADD to Intranet VPN profile
    • Low impact on internal network performance
    • Low impact on the internal network infrastructure
    • Integration with preexisting network components
  • ADD to Secure Remote Access profile
    • Automatic differentiation between remote access
      and internal VPN policy: can the VPN client
      auto-adapt to internal/external security policy
      changes?

15
Other Evaluation Criteria
  • Where to place IPsec functionality?
    • Access or segmenting router
      • Low cost entry point / routing performance
        suffers
    • Internet or interdepartmental firewall?
      • Reduced upfront cost / VPN tunnel scalability
        issue?
    • VPN appliance
      • Best performance / yet another component to
        manage
      • In front of, behind, or in parallel with the
        firewall?
    • Server switch or the server itself?
      • Performance issue / hardware encryption
      • Performance
  • Build or buy?

16
Summary
  • Develop a strategy and set of criteria that
    matches the VPN application type that is needed
  • Evaluation criteria should define exactly what is
    needed
  • The devil is in the details, and the PAPER offers
    many more details!