This chapter defines the options and technical implementations for the various types of off-net access that enterprises require in typical virtual private network (VPN) deployments. Off-net is defined as connectivity by users who are not directly connected to the provider VPN service via a private and permanent connection. This includes remote access for users who are part of the corporate VPN (via both unencrypted access and encrypted access with IPsec), access from and to the Internet, and extranet connectivity. Several topics are covered both in this chapter and in Chapter 7, "Enterprise Security in an MPLS VPN Environment"; IPsec and network security, for example, are often grouped together. The split taken here, however, places topics that relate to infrastructure security in Chapter 7 and topics that relate to security of the packet payload in this chapter. This chapter details the options you can select, from configuring separate remote-access servers to providing remote access as part of the provider-managed VPN service. Implementation considerations for IPsec and Internet traffic are detailed, along with the options selected for implementation as part of the ongoing Acme, Inc. case study.