In this section, Acme, Inc. has to decide how, out of all the available options, to handle the following:
Two primary decisions, driven by Acme's business model and costs, shape the rest of the decision-making. Internet access is integral to Acme's operation, both for delivering service to customers and for customers to place orders. As such, Acme decides that Internet access is mission-critical and needs to be directly under the enterprise's control, with resources immediately available to resolve issues and to plan for business continuity. Outsourcing this to a third party and relying on SLAs to guarantee Internet access service is untenable at this stage.

The second decision is to use an outsourced model for dial access. This is based purely on the cost benefits of doing so, both in avoiding the purchase and maintenance of RAS devices and in eliminating costly 800-number toll charges. In this model, a provider offers access to its public dial access numbers, giving widespread access to local phone numbers in most regions. Client software on user hosts dials those local access numbers and is authenticated via the shared L2TP procedures described in this chapter. Once access to the provider's public Internet has been granted, the IPsec VPN client on the user host initiates a connection to the nearest IPsec termination device on the Acme network for access to the intranet. Several IPsec concentrators are located around the globe for remote-access users to connect to. This model is also used for cable and DSL subscribers, providing a uniform access model regardless of the remote-access media. As such, the option to have the provider deliver DSL or cable users directly into the corporate VRF was not selected.

The next issues to consider are Internet access and connecting off-net sites. Given that Acme has elected to maintain its own Internet connections, it does not make sense to also provide Internet access as part of the provider-provisioned VPN; that access is already part of the intranet. For off-net sites, a DMVPN solution has been chosen.
The remote sites connect directly to the main network's Internet connections to improve the operation of VoIP solutions. The open question is the use of split tunneling for the remote-access users and off-net sites. Acme has a set of criteria that define under what conditions the use of split tunneling is acceptable. The result of observing these conditions is that split tunneling is not configured for dial users, whereas it may be configured for off-net sites that have a hardware IPsec VPN client. These conditions can be summarized as follows:
With these caveats, split tunneling benefits can be realized in a limited fashion on the Acme network while still maintaining adequate security.