Dr. VPNlabs Question (Archived)
Adam Safier
posted: 2001-10-18 17:02:02
I'm tasked with designing and piloting a VPN for 100 users with options to expand to 10,000 and 65,000 users. My short list is Cisco, Check Point and Nortel Contivity for the VPN gateway.

My biggest problem is finding an authentication server that will handle LDAP authentication requests (necessary for certs since none of the above use EAP), and allow getting initial user registration data from an NT 4.0, NDS or RACF database, i.e. the admin doesn't type it all in but pops up a list of users already in one of the databases and picks who to issue the cert to, and the record goes into the LDAP. Or something that would take the LDAP call and query an NDS or NT directory for the public cert. I'm not even sure I can store the cert in the NT or NDS directories.

Requirements:
1 - Strong user authentication using smart cards and digital certificates, with session key generation on the smartcard.
2 - Use existing NDS, NT or RACF user database during VPN user registration. Possibly update NDS or NT with user public key/cert when user cert is issued.
3 - Secure link (link encryption).
4 - Authenticate user or track user all the way to the application server (mix of Citrix, NT, UNIX and mainframe).
5 - Detailed authorization. They want to control user access to the database field level. My take is remote access gets you to the server and the application authorizes detailed access. But is there anything out there that can take you to the detailed directory and field level?
6 - $40,000 budget for 100 users, including hardware. I have 2 old RSA ACE servers I can use. If I get more servers I have to meet company standards - $15,000 for an NT server (RAID, 2 Gig RAM, etc.). I may be able to fight this, use existing Check Point installations or use VPN appliances to cut cost.
7 - Win 95/98/ME, Win NT, Win2K clients.

Lots more requirements but they are minor. Horrible politics won't let me use Microsoft 2000 CA/Active Directory/VPN.

If you can suggest an authentication server it would be a great help. RSA claims to do it with Keon and I'm about to look at Funk Steel-Belted Radius 3.0 Beta that may also give me the LDAP/NT/NDS link.

Of course a suggestion for a solution with field control would be very welcome, even if it is not a standard IPSec VPN. Indeed, it would be nice to have an alternative technology to compare.

Thanks, Adam Safier
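The two directory operations the question turns on, an LDAP lookup that returns the public cert bound to a user and a registration step that picks an existing directory user and writes the issued cert back, as an added Python example. This is not code from the post or from any of the products named; it assumes the cert is stored in the standard userCertificate;binary attribute (RFC 2256 / RFC 4523) and works on an LDIF export rather than a live LDAP connection so it runs offline. The directory export, the DNs and the certificate bytes are constructed placeholders (not real X.509 DER).

```python
import base64
import hashlib

# Constructed placeholder "certificates" (NOT real X.509 DER), long enough
# that their base64 form exceeds LDIF's 76-column limit and gets folded.
CERT_ALICE = b"\x30\x82placeholder-cert-alice-" + b"A" * 80
CERT_BOB = b"\x30\x82placeholder-cert-bob-" + b"B" * 80

def cert_attr(der, width=76):
    """userCertificate;binary line, base64 and folded per RFC 2849
    (continuation lines start with a single space)."""
    line = "userCertificate;binary:: " + base64.b64encode(der).decode()
    chunks, rest = [line[:width]], line[width:]
    while rest:
        chunks.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(chunks)

# Constructed directory export: alice and bob already hold certs, carol is
# in the directory but has not been issued one yet.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=com",
    "uid: alice",
    cert_attr(CERT_ALICE),
    "",
    "dn: uid=bob,ou=people,dc=example,dc=com",
    "uid: bob",
    cert_attr(CERT_BOB),
    "",
    "# comment lines are ignored",
    "dn: uid=carol,ou=people,dc=example,dc=com",
    "uid: carol",
    "",
])

def parse_ldif(text):
    """Parse LDIF records into a list of {attr: [bytes, ...]} dicts.
    Attribute names are lower-cased; '::' values are base64-decoded."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # rejoin a folded line
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:             # trailing "" flushes last record
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            val = base64.b64decode(value[1:].strip())
        else:
            val = value.strip().encode()
        current.setdefault(name.lower(), []).append(val)
    return entries

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

def build_cert_index(entries):
    """fingerprint -> DN. A cert bound to two different entries is refused,
    since the gateway could not tell which user it had authenticated."""
    index = {}
    for entry in entries:
        dn = entry["dn"][0].decode()
        for der in entry.get("usercertificate;binary", []):
            fp = fingerprint(der)
            if fp in index and index[fp] != dn:
                raise ValueError(f"cert bound to both {index[fp]} and {dn}")
            index[fp] = dn
    return index

def lookup_by_cert(index, presented_der):
    """DN for the cert the client presented, or None if it is unknown.
    This is only the directory lookup: the gateway must separately verify
    the chain, validity period and revocation status, and the IKE signature
    proving possession of the private key. A fingerprint match alone is not
    authentication."""
    return index.get(fingerprint(presented_der))

def users_without_cert(entries):
    """Registration pick-list: directory users who still need a cert."""
    return [e["dn"][0].decode() for e in entries
            if "usercertificate;binary" not in e]

def issue_cert_ldif(dn, der):
    """LDIF modify record that stores a newly issued cert on an existing
    entry (the 'record goes into the LDAP' step)."""
    return "\n".join([f"dn: {dn}", "changetype: modify",
                      "add: userCertificate;binary", cert_attr(der), "-", ""])
```

In a live deployment the same lookup is an LDAP search on the user's DN or the certificate subject after the gateway has already validated the certificate; what the index adds is the binding from a presented cert to exactly one directory record, which is what lets the gateway track the authenticated user onward rather than just "someone with a valid cert from our CA". The `users_without_cert` list is the registration pick-list from requirement 2, and `issue_cert_ldif` is the write-back the post asks for.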