Educause Security Discussion mailing list archives

Re: The VPN question


From: "Lovaas,Steven" <Steven.Lovaas () COLOSTATE EDU>
Date: Wed, 29 Jun 2011 22:38:49 +0000

Hi Jay,

Wow, that's a lot of user roles!

At Colorado State, we have the same set of technologies that you're talking about (a pair of Cisco ASAs and a pair of 
SA4000s which we're swapping out for SA4500s). We've been moving away from IPSec for remote access, encouraging 
everyone to go SSL (either through the web interface or using the full tunnel mode) unless they have some burning need 
for IPSec. I love the granularity of access control that I get with the Junipers, as well as the freedom from having to 
chase down installations of old client versions.

I'm surprised to hear you say that you're required to create separate roles for Pulse users. Is that something specific 
to the 6000 hardware? We've had the ability to mix and match for some time now, first using Network Connect and now its 
replacement (Pulse). We do have this capability enabled natively on some roles, though most people are actually 
connecting to a specific URL to enable mapping into a NetConnect/Pulse role, and that gets added to whatever other roles 
they get assigned based on who they are.

We've had good results with iOS devices using Pulse, including a surprisingly large number of iPads recently. In fact, 
at the last two conferences I've traveled to, my iPad got me through the day and my laptop never came out of its bag. 
We're hoping that upcoming versions of Pulse support VPN functionality for Android devices too, but support for the 
various flavors is more complicated both technically and contractually, I would imagine.

Hope that helps. If you have specific questions, I'd be happy to help; feel free to follow up off-list.

Steve


===================
Steven Lovaas
IT Security Manager
Colorado State University
steven.lovaas () colostate edu
970-297-3707
===================
________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Jay Graham 
[jwg+ () pitt edu]
Sent: Wednesday, June 29, 2011 3:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] The VPN question

Hello Folks,

Here at Pitt we are in the process of a few VPN projects.

We currently have an SSL VPN (Juniper SA6000s in a redundant config) and
are testing Cisco ASAs as our IPSec solution.

Background:

With our SA6000s we create roles to protected resources based on LDAP
groups and currently have over 300 roles. We are now implementing the
Pulse Client for this so that iOS and other platforms can use it to
access protected resources. With the SA6000s you need to create a
"separate" Pulse role for these users. We are thinking of only creating
Pulse roles for people that request them rather than just duplicating
all 300 roles believing that not all users will need all roles from the
iPad (or other device). (We are not supporting Pulse for Windows or Mac
OSes yet, just for mobile devices)

The Question:
What are other schools doing for mobile device VPN solutions and how are
you giving users access to their roles?

Thanks in advance.
Jay Graham
