Case Study Selections


In this section, Acme, Inc. has to decide how, out of all the available options, to handle the following:

  • Remote user access: Does Acme own and operate its own RAS, use an L2TP-based dial service from a provider, provide direct remote access over private infrastructure, or use the Internet?

  • Internet connections: Does Acme maintain direct Internet access at one or more of its main sites, or obtain Internet access as part of a VPN service?

  • User access to the Internet: Is this provided as part of the VPN or kept separate?

  • Off-net sites: How are they made part of the corporate network and given access to the Internet?

Two primary decisions, driven by Acme's business model and costs, shape the rest of the design. Internet access is integral to Acme's operation, both for delivering service to customers and for customers to place orders. Acme therefore treats Internet access as mission-critical: it must be directly under the enterprise's control, with resources immediately available to resolve issues and to plan for business continuity. Outsourcing it to a third party and relying on SLAs to guarantee the service is untenable at this stage.

The second decision is to outsource dial access. This is based purely on cost: it avoids purchasing and maintaining RAS devices and eliminates costly 800-number toll charges. In this model, a provider offers access to its public dial access numbers, giving widespread access to local phone numbers in most regions. Client software on user hosts dials those local access numbers and is authenticated via the L2TP procedures described in this chapter. That L2TP leg terminates in the provider's network and carries no encryption of its own; it only gets the user onto the provider's public Internet. Once Internet access has been granted, the IPsec VPN client on the user host is started toward the nearest IPsec termination device on the Acme network, and it is this IPsec tunnel alone that authenticates the user to Acme and protects intranet traffic. Several IPsec concentrators are located around the globe for remote-access users to connect to. The same client-initiated IPsec model is used for cable and DSL subscribers, who already have Internet connectivity and simply skip the dial step, so the access model is uniform regardless of remote-access media. Consequently, the option of having the provider deliver DSL or cable users directly into the corporate VRF was not selected.
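The following Cisco IOS configuration is an added illustration of the IPsec termination device described above, configured as an Easy VPN (IPsec remote-access) server; it is not taken from the book, and the group name, user name, pool, addresses and keys are assumptions. The client reaches the device over the provider's public Internet, authenticates with the group key plus XAUTH user credentials, and receives an address from a pool. No split-tunnel ACL is pushed, so all client traffic enters the tunnel.

```ios
! Added example: IOS Easy VPN server on an Acme IPsec concentrator.
! All names, keys and addresses are placeholders (assumptions), not from the book.
aaa new-model
! XAUTH user authentication and group authorization (local database here;
! a RADIUS server would normally be used instead).
aaa authentication login ACME-XAUTH local
aaa authorization network ACME-GROUP local
username dialuser secret REPLACE-WITH-USER-PASSWORD
!
! Phase 1 policy for remote-access clients (group pre-shared key + XAUTH)
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! Dead-peer detection so that dropped dial sessions are torn down promptly
crypto isakmp keepalive 20 3
!
! Group policy pushed to clients by mode configuration.
! Deliberately no "acl" line: without a split-tunnel ACL the client sends
! everything through the tunnel.
crypto isakmp client configuration group ACME-DIAL
 key REPLACE-WITH-GROUP-KEY
 dns 10.1.1.53
 domain acme.example
 pool ACME-RA-POOL
!
ip local pool ACME-RA-POOL 10.250.0.1 10.250.0.254
!
crypto ipsec transform-set ACME-RA-TS esp-aes esp-sha-hmac
!
! Dynamic crypto map: client source addresses are unknown in advance
! (dial, cable or DSL); reverse-route injects a host route per connected client.
crypto dynamic-map ACME-DYN 10
 set transform-set ACME-RA-TS
 reverse-route
!
crypto map ACME-RA client authentication list ACME-XAUTH
crypto map ACME-RA isakmp authorization list ACME-GROUP
crypto map ACME-RA client configuration address respond
crypto map ACME-RA 10 ipsec-isakmp dynamic ACME-DYN
!
interface FastEthernet0/0
 description Internet-facing interface of the concentrator
 ip address 203.0.113.10 255.255.255.0
 crypto map ACME-RA
```

Two caveats for anyone reusing this pattern: the group key is shared by every user, so user-level trust rests entirely on XAUTH and the key should be treated as public; certificates (`authentication rsa-sig`) are the stronger option. Cable and DSL users often sit behind the provider's NAT, which requires IKE/IPsec NAT traversal on the concentrator (enabled by default on the IOS releases that support it).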

The next issues to consider are Internet access and connecting off-net sites. Because Acme maintains its own Internet connections, there is no reason to also buy Internet access as part of the provider-provisioned VPN: Internet reachability is already available from within the intranet.

For off-net sites, a DMVPN solution has been chosen. The remote sites build IPsec-protected GRE tunnels over the Internet to DMVPN hubs located at the main sites' Internet connections. Because DMVPN can also set up dynamic spoke-to-spoke tunnels, site-to-site traffic such as VoIP need not hairpin through a hub, which improves the operation of VoIP solutions.
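The following IOS fragments are an added example of the DMVPN arrangement just described, with a hub at a main site and one off-net spoke; they are not from the book, and all addresses, names and keys are assumptions. The hub learns spoke addresses dynamically through NHRP, and the two EIGRP settings on the hub tunnel interface are what allow spoke routes to be re-advertised with the originating spoke as next hop, so that spoke-to-spoke tunnels can form for VoIP.

```ios
! Added example: DMVPN hub (main site) and one off-net spoke.
! Addresses, keys and names are placeholders, not from the book.
!
! --- Common to hub and spokes ---
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! Wildcard pre-shared key so any spoke can peer with any other;
! certificates are the stronger choice for a real deployment.
crypto isakmp key REPLACE-WITH-SPOKE-KEY address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ACME-DMVPN-TS esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile ACME-DMVPN
 set transform-set ACME-DMVPN-TS
!
! --- Hub (public address 203.0.113.1) ---
interface Tunnel0
 ip address 10.255.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! NHRP authentication is a cleartext sanity check only; IPsec is the real
 ! peer authentication.
 ip nhrp authentication ACMENHRP
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ! Re-advertise spoke routes to other spokes with the originating spoke as
 ! next hop, so spoke-to-spoke tunnels form for site-to-site VoIP.
 no ip split-horizon eigrp 100
 no ip next-hop-self eigrp 100
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile ACME-DMVPN
!
router eigrp 100
 network 10.0.0.0
 no auto-summary
!
! --- Spoke (off-net site, public address 203.0.113.11) ---
interface Tunnel0
 ip address 10.255.0.11 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication ACMENHRP
 ip nhrp map 10.255.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 100
 ip nhrp nhs 10.255.0.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile ACME-DMVPN
!
interface FastEthernet0/1
 description Site LAN advertised to the corporate network
 ip address 10.11.0.1 255.255.255.0
!
router eigrp 100
 network 10.0.0.0
 no auto-summary
```

Transport mode is used because the GRE header already carries the tunnel endpoints; the reduced `ip mtu` and `ip tcp adjust-mss` values leave room for the GRE and ESP overhead so that VoIP and TCP traffic is not fragmented in the Internet path.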

The open question is the use of split tunneling for the remote-access users and off-net sites. Acme has a set of criteria that define the conditions under which split tunneling is acceptable. Applying these conditions, split tunneling is not configured for dial (software-client) users, whereas it may be configured for off-net sites that have a hardware IPsec VPN client.

These conditions can be summarized as follows:

  • Split tunneling is enabled only for sites that have a hardware IPsec client between the host PCs and the Internet service. Any PCs that require only Internet access are placed on the Internet side of the hardware VPN client, so that unsecured hosts have no path into the corporate intranet.

  • A stateful, enforced, and permanent firewall capability must be enabled between the Internet connectivity and any hosts that have direct reachability to the Acme network. Cisco IOS Context-Based Access Control (CBAC) is acceptable for this requirement.

  • An Intrusion Detection System (IDS) capability must be implemented between the Internet connectivity and any hosts that have direct reachability to the Acme network. IDS products and their placement are discussed further in Chapter 7.

  • There are also a number of operational issues to consider for an IDS implementation. These include ensuring a very low percentage of false alarms and using configurable intrusion signatures that can be updated without loading a new system image.

With these caveats, split tunneling benefits can be realized in a limited fashion on the Acme network while still maintaining adequate security.
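As an added example, not taken from the book, the following IOS fragment shows how the Internet interface of an off-net site's router (acting as the hardware IPsec client) can meet the first two conditions above while split tunneling is in effect: an inbound ACL admits only unsolicited VPN traffic, CBAC inspects sessions leaving toward the Internet and opens return pinholes for them, and only corporate prefixes are routed into the tunnel while everything else is translated and sent straight to the Internet. The site's tunnel interface and IPsec profile are omitted, the IDS requirement is not shown, and all addresses and names are assumptions. Hosts that need Internet access only would sit on a separate segment on the outside of this router, not on the inside LAN.

```ios
! Added example: Internet interface of an off-net site router acting as the
! hardware IPsec client, with split tunneling permitted under the stated
! conditions. Addresses and names are placeholders; the tunnel interface
! and IPsec profile of the site are omitted.
!
! CBAC: inspect sessions leaving toward the Internet so that only their
! return traffic is admitted through OUTSIDE-IN.
ip inspect name ACME-CBAC tcp
ip inspect name ACME-CBAC udp
ip inspect name ACME-CBAC icmp
ip inspect name ACME-CBAC ftp
ip inspect audit-trail
!
! Inbound policy on the Internet interface: only IKE and IPsec from peers
! is accepted unsolicited; everything else is logged and dropped. GRE is
! carried inside ESP; it is listed for releases that re-check decrypted packets.
ip access-list extended OUTSIDE-IN
 permit udp any host 203.0.113.11 eq isakmp
 permit udp any host 203.0.113.11 eq non500-isakmp
 permit esp any host 203.0.113.11
 permit gre any host 203.0.113.11
 deny ip any any log
!
! NAT policy: corporate destinations (10/8) are never translated; they are
! routed into the tunnel. All other destinations are translated to the
! site's public address and sent directly to the Internet (the split tunnel).
ip access-list extended NAT-LIST
 deny ip 10.11.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.11.0.0 0.0.0.255 any
ip nat inside source list NAT-LIST interface FastEthernet0/0 overload
!
interface FastEthernet0/0
 description Internet (outside)
 ip address 203.0.113.11 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip inspect ACME-CBAC out
 ip nat outside
!
interface FastEthernet0/1
 description Site LAN: hosts with intranet reachability (inside)
 ip address 10.11.0.1 255.255.255.0
 ip nat inside
!
! The default route to the ISP carries Internet-bound traffic; corporate
! prefixes (10/8) are learned over the tunnel from the routing protocol, so
! only they are encrypted. To disable split tunneling for this site, remove
! this default route and send 0.0.0.0/0 over the tunnel instead.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

The `deny ip any any log` line doubles as a simple audit trail of unsolicited Internet traffic, and `ip inspect audit-trail` records the sessions CBAC opens; both are worth feeding to the same collector as the IDS that the third condition requires.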




Selecting MPLS VPN Services
ISBN: 1587051915
Year: 2004
Pages: 136