Security
The second key issue in deploying or implementing Dial VPN access is network security, i.e., allowing remote dial-up connectivity while protecting corporate information from inadvertent (or unauthorized) access or eavesdropping. For most VPN services implemented with Layer 2 tunneling, the tunnel is terminated at the customer premise. This presents potential security issues for customers. The customer’s CPE is within reach of both unauthorized users and viruses via their Internet connection. In some network designs, tunnels are terminated behind customer firewalls. Certain types of IP tunneling require customers to connect directly to the Internet, which can pose a security risk to the customer. To protect their networks from unauthorized users, many corporate customers erect firewalls behind their Internet routers. This restricts access from the Internet to resources such as the corporate Web server. When using IP tunneling, the device terminating the tunnels either needs to be in front of the firewall, allowing access from the Internet to a device that has access to secure, corporate resources, or behind the firewall. If the device is behind the firewall, the firewall must be open to allow tunneled packets through to the devices that will unwrap them. There are ways around this; however, they make the process of configuring the firewall complex. Also, not all firewalls can effectively handle traffic that isn’t terminated in the firewall.
Certain implementations of Dial VPN service based on Layer 3 tunneling are inherently more secure than services based on Layer 2 tunneling because with Layer 3 tunneling, the tunnel need not reach into the customer network. Instead, the tunnel may be terminated at the service provider’s gateway. The Internet connection is then made only to a Frame Relay device.
Network Management and Administration
Last but not least is the need for network management and administration. Two key needs in managing a Dial VPN are Network Layer Address Management (NLAM) and tunnel management. Tunnel management refers to the external software application used to set up tunnels, to maintain subscriber information, and to perform subscriber-level billing and accounting. Traditional network management functionality such as performance monitoring is required to manage a Dial VPN just as it is required for any other network or network service. The focus of this section is not network management in general. Instead, it raises the key issues related to effectively managing Dial VPNs.
Network Layer Address Management
Network Layer Address Management (NLAM) refers to the capabilities found within the architecture of a Dial VPN that handle tasks such as network layer address assignment for remote nodes, other network layer protocol-related configuration (filters, routing protocols, subnet masks, etc.), and domain registration. A VPN architecture with the proper capabilities should support the following: Remote Authentication Dial-In User Service (RADIUS, with the correct set of vendor extensions), Dynamic Host Configuration Protocol (DHCP or a functional equivalent), and Domain Name System (DNS). RADIUS is not only required for authentication of users, but should also be the mechanism used to deliver some, or even all, of the network layer configuration information. DHCP can be used in conjunction with RADIUS to pick remote node addresses from an address pool and assign them to a dial-in user. Clearly, this method will be more scalable than manual configuration of addresses within a RADIUS database. It is important to note that the system for managing Layer 3 addresses must be “stateful,” meaning that once sessions are disconnected, addresses must be returned to the address pool associated with that user’s domain.
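The stateful, per-domain address pool described above, as an added illustration that is not part of this white paper or of any vendor's product: a pool manager that leases an address from the dial-in user's domain pool when a session starts and returns it to that same pool on disconnect, rejecting calls when the pool is exhausted and tolerating a duplicate release. Domain names, prefixes and session identifiers are constructed sample values.

```python
import ipaddress
from collections import deque


class DomainAddressPool:
    """Stateful per-domain address pool for dial-in remote nodes.

    Each customer domain owns its own pool; an address leased at session
    start must go back to that domain's pool when the session disconnects.
    """

    def __init__(self, pools):
        # pools maps domain -> CIDR prefix, e.g. {"acme.example": "10.1.0.0/29"}
        # (constructed sample data; network and broadcast addresses are excluded)
        self._free = {
            domain: deque(str(h) for h in ipaddress.ip_network(cidr).hosts())
            for domain, cidr in pools.items()
        }
        self._leases = {}  # session_id -> (domain, address)

    def assign(self, session_id, username):
        # The domain is the realm part of "user@domain", as a RADIUS proxy
        # would see it; a user with no realm cannot be mapped to a pool.
        domain = username.rsplit("@", 1)[-1]
        if domain not in self._free:
            raise KeyError(f"unknown domain {domain!r}")
        if session_id in self._leases:
            raise ValueError(f"session {session_id!r} already holds an address")
        try:
            addr = self._free[domain].popleft()
        except IndexError:
            return None  # pool exhausted: the call must be rejected, never overlap
        self._leases[session_id] = (domain, addr)
        return addr

    def release(self, session_id):
        # Idempotent: a repeated accounting-stop must not insert the address twice
        lease = self._leases.pop(session_id, None)
        if lease is None:
            return False
        domain, addr = lease
        self._free[domain].append(addr)
        return True

    def free_count(self, domain):
        return len(self._free[domain])
```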
Note the term “network layer” address management, as opposed to the term “IP address management”. Since many corporations are still using protocols such as IPX and AppleTalk, it is important that address management services exist for these protocols as well as for IP. Unfortunately, there are not many standards that address non-IP address pooling, so products supporting IPX or AppleTalk address management for remote nodes are scarce.
8 White Paper Understanding and Implementing Dial VPN Services