Educause Security Discussion mailing list archives

Re: The VPN question


From: Jeff Kell <jeff-kell () UTC EDU>
Date: Thu, 30 Jun 2011 08:35:57 -0400


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
On 6/30/2011 8:11 AM, Julian Y Koh wrote:
> On Thu Jun 30 07:01:57 2011 Central Time, "Bradley, Stephen W. Mr."
> <bradlesw () MUOHIO EDU> wrote:
>
>> I have a question about your VPNs. Why so many roles?
>
> Our traditional (aka IPSec, PPTP, L2TP/IPSec) VPN service is our general-purpose remote
> access VPN for anyone at the University. There's no split tunneling on that service, and
> all users are placed in a large /21 address pool.
>
> 4+ years ago, we rolled out the SSL VPN specifically targeted at sysadmins, external
> vendors/consultants/collaborators, and users of sensitive applications/data so that
> we could provide customized access rules for those different user groups. This allows us
> to give out specific IPs for different groups, which makes firewall rules much tighter.
> We can also do endpoint security compliance for groups that request it.
 
I'm in the process of redoing our VPN access.  The legacy VPN is Cisco client / IPsec,
with three basic roles (net admins, sys admins, business users) left over from legacy.
 
Our new network is VRF-based (we have been dividing things up and moving away from
legacy for the past few years, a major ordeal).  I've at least prototyped several VPN
roles that land the user in specific VRFs first and foremost, and further drop them
into a role-based subnet similar to the campus wired scheme.
 
There is growing demand for more "casual" VPN, and I'm looking at client-less Windows
L2TP connections with AD/LDAP authentication.  Still looking, mind you :)
 
We will likely keep the IPsec / client scheme for any "privileged" roles (you must have
a client and must have a profile and/or certificate to get in), but hoping the casual
fit will work out for more general use.  There is always the AnyConnect and/or SSL VPN
option, but those cost real $$ per seat.  They do however have some direct support for
mobile devices, which are probably another discussion entirely.  While it may be
possible to reboot a server over VPN from an iPhone, I'm not sure that is a desirable
option from a security standpoint :)
 
Jeff
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
 
iEYEARECAAYFAk4MbawACgkQiwXJq373XhbmAQCfQdQEDLH3n6FBZYLOjQJtBbsI
YDwAoOfKuk2qBv8hqrfyJ+HWTO0vn7WP
=H8F2
-----END PGP SIGNATURE-----
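The point both posters make, that handing each VPN role its own address pool lets the firewall rules be much tighter than one large shared pool allows, can be shown with a small policy evaluator. The following is an added example written for this archive page, not code from either university or from any vendor's VPN product; the address pools, server VLAN and ports are constructed values, and the first-match rule evaluation is a simplified stand-in for a real firewall.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One firewall rule: source network, destination network, TCP port, action."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: int
    action: str  # "permit" or "deny"


def evaluate(rules, src_ip, dst_ip, port):
    """First-match evaluation with an implicit deny when nothing matches."""
    src = ipaddress.ip_address(str(src_ip))
    dst = ipaddress.ip_address(str(dst_ip))
    for r in rules:
        if src in r.src and dst in r.dst and r.port == port:
            return r.action
    return "deny"


# Constructed address plan (hypothetical values, not any real campus addressing).
SERVER_NET = ipaddress.ip_network("10.50.0.0/24")   # server VLAN sysadmins manage
SHARED_POOL = ipaddress.ip_network("10.10.0.0/21")  # the "one big pool" design

# Per-role pools carved out of the same /21, so the comparison is like for like.
ROLE_POOLS = {
    "sysadmin": ipaddress.ip_network("10.10.0.0/27"),
    "netadmin": ipaddress.ip_network("10.10.0.32/27"),
    "business": ipaddress.ip_network("10.10.4.0/22"),
}

SSH, HTTPS = 22, 443

# Shared-pool design: the only way to let sysadmins reach SSH is to permit
# the whole /21, which means every VPN user, whatever their role, can reach it.
SHARED_POOL_RULES = [
    Rule(SHARED_POOL, SERVER_NET, SSH, "permit"),
    Rule(SHARED_POOL, SERVER_NET, HTTPS, "permit"),
]

# Per-role design: SSH only from the sysadmin pool; HTTPS stays open to all roles.
PER_ROLE_RULES = [
    Rule(ROLE_POOLS["sysadmin"], SERVER_NET, SSH, "permit"),
    Rule(SHARED_POOL, SERVER_NET, HTTPS, "permit"),
]


def validate_role_pools(pools, parent=SHARED_POOL):
    """Per-role pools only help if they sit inside the parent range and do not
    overlap each other; an overlap would silently merge two roles' privileges."""
    nets = list(pools.values())
    inside = all(n.subnet_of(parent) for n in nets)
    disjoint = all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])
    return inside and disjoint


def ssh_exposure(rules, server_ip="10.50.0.10"):
    """How many addresses in the VPN range can reach SSH on a server under this
    rule set: a rough measure of how much the policy over-grants."""
    return sum(1 for ip in SHARED_POOL
               if evaluate(rules, ip, server_ip, SSH) == "permit")


if __name__ == "__main__":
    print("role pools valid:", validate_role_pools(ROLE_POOLS))
    for name, rules in (("shared pool", SHARED_POOL_RULES), ("per role", PER_ROLE_RULES)):
        print(f"{name}: {ssh_exposure(rules)} VPN addresses may reach SSH")
```

Running the script shows the whole 2048-address /21 reaching SSH under the shared-pool rules against 32 addresses under the per-role rules, which is the "much tighter" firewall policy Julian describes; `validate_role_pools` is the check worth keeping when pools are later resized, since an overlap between two role pools quietly hands one role the other's access.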

