CCSP SelfStudy CCSP CSI: Exam Certification Guide, Second Edition [Electronic resources] - text version
Design Guidelines for Remote-User Networks


    The four design options that are available within the remote-user network design model are discussed in depth in this section. For all four options, virus-scanning software is recommended to mitigate the threat of viruses and Trojan-horse programs being able to infect the user's PC.

    Remote-Site Firewall


    In the remote-site firewall option, the design emphasis is on the home-office worker or a small branch office. It is assumed that Internet connectivity is provided via an ISP-supplied broadband access device, such as an xDSL or cable modem, and that the VPN firewall is located behind this ISP device.

    Apart from providing connection-state enforcement and detailed filtering for sessions that are initiated through the firewall, the firewall also provides secure IPSec connectivity between the firewall device itself and the VPN-enabled headend device. This site-to-site IPSec VPN enables PCs that are located on the remote-site network to access corporate resources without the need for individual VPN software clients. (The Cisco VPN Client is discussed in depth in the section "Cisco VPN Client," later in the chapter.)

    With a stateful firewall present in the model, it is possible for a remote site to have direct Internet access rather than having to rely on the corporate headend for access. If this option is used, the firewall requires a public IP address and the use of Network Address Translation (NAT) to allow multiple hosts behind the firewall to access the Internet. Also, because this firewall protects the LAN from the Internet, the use of a personal firewall on individual PCs may be deemed unnecessary. However, personal firewalls may be necessary for mobile users for whom additional protection is advantageous.

    Regarding the IP addressing of the remote sites, if NAT is not used to communicate with the headend site, a hierarchical addressing scheme must be adopted to ensure that each remote site uses a unique network address range that is routable across the WAN. This hierarchical design also facilitates address summarization and permits remote-site intercommunication.
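As an added illustration (not code from the book), the following Python uses the standard ipaddress module to carve per-site ranges from a regional aggregate, check that no two sites overlap (the condition the text requires when NAT is not used toward the headend), and compute the summary routes the headend would advertise. The 10.16.0.0/20 block and the site names are constructed sample values.

```python
import ipaddress
from typing import Dict, List, Tuple, Union

# Constructed example plan (not from the book): each region receives one
# aggregate block, and every remote site is carved a fixed-size subnet from it,
# so the headend can summarize the region with as few routes as possible.
Net = Union[str, ipaddress.IPv4Network]
Plan = Dict[str, Net]


def _net(value: Net) -> ipaddress.IPv4Network:
    """Accept either a network object or its string form."""
    return value if isinstance(value, ipaddress.IPv4Network) else ipaddress.ip_network(value)


def allocate_site_ranges(aggregate: str, sites: List[str], prefixlen: int = 24) -> Plan:
    """Assign each remote site a unique subnet carved from the regional aggregate."""
    region = ipaddress.ip_network(aggregate)
    subnets = list(region.subnets(new_prefix=prefixlen))
    if len(sites) > len(subnets):
        raise ValueError(f"{aggregate} only holds {len(subnets)} /{prefixlen} networks")
    return dict(zip(sites, subnets))


def find_overlaps(plan: Plan) -> List[Tuple[str, str]]:
    """Pairs of sites whose ranges overlap.

    Must be empty when NAT is not used toward the headend: two sites that both
    kept a home-router default such as 192.168.1.0/24 cannot be routed apart.
    """
    names = list(plan)
    return [(a, b) for i, a in enumerate(names)
            for b in names[i + 1:] if _net(plan[a]).overlaps(_net(plan[b]))]


def summary_routes(plan: Plan) -> List[str]:
    """Fewest prefixes the headend needs to advertise for the whole plan."""
    return [str(n) for n in ipaddress.collapse_addresses(_net(v) for v in plan.values())]


if __name__ == "__main__":
    plan = allocate_site_ranges("10.16.0.0/20", ["site-a", "site-b", "site-c"])
    for site, net in plan.items():
        print(f"{site}: {net}")
    print("overlaps:", find_overlaps(plan))
    print("summary:", summary_routes(plan))
```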

    Control of access to the corporate network and the Internet is performed within the configuration of both the remote-site firewall and the VPN headend device at corporate headquarters. This mechanism is transparent to the remote-site users, and after these devices authenticate and the LAN-to-LAN VPN is established, individual users do not need to perform any form of user authentication to access the corporate network.

    Finally, the management of the remote-site firewall can be administered either locally, if the skills are present and the security policy permits, or, more likely, remotely through the use of a dedicated IPSec VPN. This VPN connection terminates directly on the public interface of the firewall and then back to the corporate headquarters, permitting centralized control of the remote firewall. The VPN connection also ensures that remote users are unable to alter the remote-site firewall's configuration.

    Remote-Site Router


    The remote-site router option is very similar to the remote-site firewall option discussed in the previous section, with two notable differences.

    First, because the router is a full-featured VPN router, advanced applications, such as QoS and stateful firewall, can be supported. Second, if permitted by the ISP, the option is available to integrate the functionality of both the VPN firewall and broadband access devices into a single device.

    VPN Hardware Client


    The VPN hardware client option is also nearly identical to the remote-site firewall option previously discussed, with the exception that the VPN hardware client does not have a resident stateful firewall. Consequently, this option requires the use of a personal firewall on each individual host that is located behind the VPN hardware client. The use of a personal firewall is even more important if split tunneling is enabled, because without a personal firewall, the individual hosts behind the VPN hardware client are protected only by NAT. If split tunneling is not used, a personal firewall may not be necessary on the individual hosts.

    Access to the corporate network and the Internet is controlled centrally from the headquarters location. The VPN hardware client undergoes device authentication with the VPN headend device using a predetermined authentication mechanism. After being authenticated, a security policy is "pushed" to the VPN hardware client from the headend VPN device. This policy defines the operational characteristics of the client. The VPN hardware client is capable of operating in one of two modes:

    • Client mode
      All users behind the hardware client appear as a single user on the corporate intranet via the use of NAT overload or what is also commonly called Port Address Translation (PAT).

    • Network extension mode
      All devices access the corporate intranet as if they were directly connected to it, and hosts in the intranet may initiate connections to the hosts behind the hardware client after the tunnel is established.


    From a management aspect, client mode is simpler to manage and, hence, is more scalable than network extension mode. However, network extension mode provides more versatility. The modes are equally secure.
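The following Python model is added here and is not from the book. It shows why client mode makes every LAN host appear as the single hardware-client address (PAT) and drops any intranet-initiated connection that has no translation entry, while network extension mode passes traffic unchanged in both directions; the same absence of a mapping is all that protects hosts when only NAT, and no personal firewall, stands in front of them. The addresses 10.1.1.50, 192.168.1.x and 10.0.0.5 are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set, Tuple

# Constructed addresses (not from the book): the single address the hardware
# client presents on the tunnel in client mode.
CLIENT_TUNNEL_IP = "10.1.1.50"

Packet = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


@dataclass
class HardwareClient:
    mode: str  # "client" or "network-extension"
    # PAT table used in client mode: (tunnel_ip, port) -> (inside_ip, inside_port)
    pat: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    next_port: int = 1024

    def outbound(self, pkt: Packet) -> Packet:
        """A LAN host behind the hardware client sends into the tunnel."""
        src_ip, src_port, dst_ip, dst_port = pkt
        if self.mode == "network-extension":
            return pkt  # LAN range is routable in the intranet; nothing is rewritten
        port, self.next_port = self.next_port, self.next_port + 1
        self.pat[(CLIENT_TUNNEL_IP, port)] = (src_ip, src_port)
        return (CLIENT_TUNNEL_IP, port, dst_ip, dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Intranet traffic arrives through the tunnel; None means it was dropped."""
        src_ip, src_port, dst_ip, dst_port = pkt
        if self.mode == "network-extension":
            return pkt  # intranet hosts may open connections to LAN hosts directly
        inside = self.pat.get((dst_ip, dst_port))
        if inside is None:
            return None  # no mapping: unsolicited inbound cannot reach any LAN host
        return (src_ip, src_port, inside[0], inside[1])


def visible_sources(client: HardwareClient, pkts: Iterable[Packet]) -> Set[str]:
    """Source addresses the corporate intranet sees for the given LAN packets."""
    return {client.outbound(p)[0] for p in pkts}


if __name__ == "__main__":
    for mode in ("client", "network-extension"):
        hc = HardwareClient(mode)
        print(mode, "sees:", visible_sources(hc, [("192.168.1.10", 40000, "10.0.0.5", 443),
                                                 ("192.168.1.11", 40001, "10.0.0.5", 443)]))
        print(mode, "unsolicited inbound:", hc.inbound(("10.0.0.5", 50000, "192.168.1.10", 22)))
```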

    Finally, the management of the VPN hardware client device itself can be administered either locally, if the skills are present and the security policy permits, or, more likely, centrally from the corporate headquarters using a Secure Sockets Layer (SSL) connection.

    Cisco VPN Client


    In the Cisco VPN Client option, the design emphasis is on the mobile or home-office worker. In this model, it is assumed that the user has the Cisco VPN Client installed on his PC, and Internet connectivity is provided from either an ISP dial-up connection or via the LAN.
