VPN Deployment Strategies: Evaluation Criteria

1
VPN Deployment Strategies Evaluation Criteria

• Paper by Keith Pasley,PGP Security
• Presentation by David Piscitello, Core Competence

2
What is a VPN?

• VPNs allow private information to be transferred
  securely across a public network
• An extension of the network perimeter
• Technical benefits if IPsec VPNs include
• reduced business operational costs,
• increased security of network access,
• in-transit data integrity,
• user and data authentication
• data confidentiality

3
IPsec VPN Applications

• Remote Access -
• Intranet -
• Extranet -
• Secure Internal Net -

• Most popular
• Probably easiest to control
• Hard to do effectively
• Government mandates will help increase usage
  

4
Secure Remote Access

• Business goalLower telecom costs, increase
  employee productivity
• Technical goalProvide secured same-as-LAN access
  to remote workers

Traveler at hotel, customer site or
Public TelephoneNetwork
Corporate office
Local modem call
IKE/IPsec SAs
Teleworker at home
RAS
5
Client Considerations

• Operating System support
• Client policy distribution and updates
• Client Software IPsec Security Gateway
  Interoperability
• Asserting access controls on sensitive data
• Protecting client SW, policy, tunnels from
  subversion
• Enabling collaborative applications (NetMeeting)
• Hardware and communications compatabilities

6
Evaluation CriteriaRemote Access VPN Client

• File/disk encryption required?
• Do encryption requirements demand high
  performance PCs, laptops?
• Desktop IDS and personal or distributed desktop
  firewall (central administration)
• Ability to lock down VPN client configuration
• Authenticated, confidential, and user transparent
  VPN client policy update
• Adherence to current industry VPN standards (if
  interoperability is required)

7
RAS Considerations

• The hardware point of tunnel aggregation
• Vertical scalability bigger/faster RAS
• VPN Server Load balancing
• High availability
• Encryption acceleration
• The software
• Task automation
• Logging/auditing/reporting/alerts
• Client software and policy export (push)
• Legacy authentication support
• PKI support interoperability

8
Evaluation CriteriaRemote Access (VPN) Server

• Vertical scalability and load balancing option?
• High availability option?
• Integration with user authentication systems?
• Hardware based encryption/decryption?
• What authentication types are supported?
• VPN server run on a hardened OS?
• Firewall integration? Client server side?
• Centralized client management features
• Client support for desktop OS?
• Support of industry VPN standards for
  interoperability?

9
Intranet VPN

• Business goal
• Reduced network infrastructure costs and
  increased information flow within an organization
  
• Technical goal
• Provide secured site-to-site access over any
  public, switched access service (IP, ATM, FR,
  DSL/Cable)

LAX
ATM, Frame Relay WAN
NYC
PHX
ATL
IKE/IPsec SAs
VPN security gateway
VPN security gateway
10
Evaluation Criteria Intranet VPNs

• Automatic policy distribution configuration
• Mesh topology automatic configuration, support
  for hub spoke topology
• Network and service monitoring capability
• Adherence to VPN standards if used in
  heterogeneous network
• Class of service support MPLS/DiffServ?
• Dynamic routing and tunnel setup capability
• Scalability and High-Availability

11
Extranet VPN

• Selective flow of information between business
  partners and customers
• Highly granular access control strong
  authentication
• User (client, customer) to company
• Secure Remote Access evaluation criteria applies
• Is client desktop outside your control?
• The SSL vs. IPsec? debate comes into play
• Company-to-company (e.g., ANX)
• Intranet VPN evaluation criteria applies
• Security gateway selection outside your control?

12
Evaluation Criteria Extranet VPN

• ADD to Remote Access VPN profile
• Strongest scalable mutual authentication
• Provision for rapid add/drop/change of users and
  credentials
• Finer granularity of access controls
• Minimally intrusive desktop software
• Minimally intrusive to normal application use
• ADD to Intranet VPN profile
• Cross-organizational service level monitoring,
  reporting and enforcement
• Cross-organizational administration
• ADD to BOTH
• Multi-party administration of Authentication

13
Secured Internal Network

• Business goal
• Protect organization from insider threats
• Technical goalS
• Isolate (compartmentalize) internal subnets by
  moving IPsec tunnel endpoints (close) to
  application servers
• Extend the VLAN concept geographically
  dispersed user group operates in client-server
  LAN environment, including mobile and teleworker
  employees

14
Evaluation Profile Secure Internal Network

• ADD to Intranet VPN profile
• Low impact to internal network performance
• Low impact on the internal network infrastructure
• Integration with preexisting network components
• ADD to Secure Remote Access profile
• Automatic differentiation between remote access
  and internal VPN policy can the VPN client auto
  adapt to internal/ external security policy
  changes?

15
Other Evaluation Criteria

• Where to place IPsec functionality?
• Access or segmenting Router
• Low cost entry point / routing performance
  suffers
• Internet or Interdepartmental Firewall?
• Reduced upfront cost / VPN tunnel scalability
  issue?
• VPN Appliance
• Best performance / Yet another component to
  manage
• In front of, behind, or in parallel with
  Firewall?
• Server switch or Server itself?
• Performance issue / Hardware encryption
• Performance
• Build or buy?

16
Summary

• Develop a strategy and set of criteria that
  matches the VPN application type that is needed
• Evaluation criteria should define exactly what is
  needed
• The Devil is in the details
• and
• The PAPER offers many more details!