Internet.com ISP-Planet
The Remote Access Conundrum - Part 2 - page 3

Integrating the back end
Most managed VPN services include client software and CPE. For example, with network-based L2F/L2TP services, AT&T supplies an access router. With edge-based services, AT&T provides both a router and an IPsec tunnel termination device.

With CPE VPNs, the trick is to simplify configuration in large-scale deployments, especially those with hundreds or thousands of remote users. Automating and centralizing policy management is one way to accomplish this. For example, AT&T uses both push and pull methods for security and end-user management at the dialer client. Security policies reside in a central Service Manager. For IPsec, policies must also be propagated to edge devices.

The Service Manager is also responsible for providing PPP authentication for L2TP and L2F services. When clients dial into the NAS, the NAS consults the Service Manager. The Service Manager authenticates each user by consulting a local data store or by proxying RADIUS to that customer's authentication server. This proxy also supports two-factor token authentication (e.g., SecurID). In addition, AT&T's managed PKI service went to trial last summer. "This service provides managed certificates for IPsec, integrated with our Service Manager," said Cohen. "We expect to see it generally available early next year."
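The dial-in path just described (NAS consults the Service Manager, which either checks a local data store or proxies RADIUS to the customer's own server) is easiest to see with the actual RADIUS packet format. The Python below is an added example, not AT&T's Service Manager code or anything from this article: the realm table, host names, hop secrets and user accounts are constructed, and routing on the `user@realm` suffix is an assumption about how such a proxy decides where a request goes. It builds an RFC 2865 Access-Request, unhides the User-Password with the NAS-to-proxy secret, and re-hides it with the customer's hop secret before forwarding; a one-time token code typed as the password takes exactly the same path.

```python
"""Minimal RADIUS realm-routing proxy (added example; all names and secrets constructed)."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1       # RFC 2865 packet code
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2

# Constructed table: which customer realms are proxied, and the per-hop shared secret
# used between this proxy and that customer's authentication server.
CUSTOMER_REALMS = {
    b"acme.example": {"server": "radius.acme.example", "secret": b"acme-hop-secret"},
}
# Constructed local data store for users that are authenticated here, not proxied.
LOCAL_USERS = {b"alice": b"correct horse"}


def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: null-pad to a 16-byte multiple, then XOR each
    block with MD5(secret + previous ciphertext block); the first block uses the
    Request Authenticator. Keyed per hop, so a proxy must redo it for the next hop."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_decode(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encode (assumes the password itself has no trailing null bytes)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, authenticator: bytes, attrs) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) then Type/Length/Value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def parse_packet(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = [], 20
    while i < length:
        t, l = pkt[i], pkt[i + 1]
        attrs.append((t, pkt[i + 2:i + l]))
        i += l
    return code, ident, pkt[4:20], attrs


def route(user_name: bytes):
    """Assumed rule: a known realm suffix is proxied, everything else hits the local store."""
    if b"@" in user_name:
        user, realm = user_name.rsplit(b"@", 1)
        if realm in CUSTOMER_REALMS:
            return "proxy", user, realm
    return "local", user_name, None


def handle_access_request(pkt: bytes, nas_secret: bytes) -> dict:
    """Decide locally or produce the packet to forward to the customer's server."""
    code, ident, auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    # The proxy necessarily sees the cleartext credential here: hop secrets must be
    # unique per NAS and per customer, and the proxy host treated as a credential holder.
    password = pap_decode(a[ATTR_USER_PASSWORD], nas_secret, auth)
    decision, user, realm = route(a[ATTR_USER_NAME])
    if decision == "local":
        return {"action": "local", "accept": LOCAL_USERS.get(user) == password}
    cust = CUSTOMER_REALMS[realm]
    new_auth = os.urandom(16)  # fresh Request Authenticator for the next hop
    fwd = build_access_request(ident, new_auth, [
        (ATTR_USER_NAME, a[ATTR_USER_NAME]),
        (ATTR_USER_PASSWORD, pap_encode(password, cust["secret"], new_auth)),
    ])
    return {"action": "proxy", "server": cust["server"], "packet": fwd}


if __name__ == "__main__":
    nas_secret, auth = b"nas-to-sm-secret", os.urandom(16)
    req = build_access_request(1, auth, [(ATTR_USER_NAME, b"bob@acme.example"),
                                         (ATTR_USER_PASSWORD, pap_encode(b"s3cret", nas_secret, auth))])
    print(handle_access_request(req, nas_secret)["server"])
```

Because the password hiding is keyed hop by hop with a shared secret, the proxy is a full credential holder rather than a blind relay; that is the reason per-customer hop secrets and a protected transport between proxy and customer server matter as much as the end-user authentication method itself.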

Layer two tunnels are well suited for user-level authentication, but IPsec support varies by vendor. "Service Manager can support single-sign-on down to the host level when using L2TP and network-based services. IPsec authentication is different," said Cohen. "When our own IPsec edge device is used, we can provide this same granularity. When Nortel or Cisco (Altiga) edge devices are used, authentication is less granular."

Lessons to be learned
Providers hoping to enter the remote access VPN market can learn a thing or two from AT&T's experiences with layer two tunneling protocols. Our own recommendations:

  • Most ISPs should bypass the older L2F, heading straight for standard L2TP. AT&T still offers L2F and even GRE tunneling, but L2TP has clearly emerged as the preferred layer two tunneling protocol.
  • Compulsory L2TP can add value to (and generate demand for) a provider's transport services. As a network-based service, compulsory L2TP can be easier to deploy: it needs little or no client software, it carries any network-layer protocol inside PPP, and it supports user-level authentication cleanly.
  • Don't ignore the growing demand for IPsec. Providers that offer IPsec site-to-site will encounter customers seeking a consistent solution for remote access. Putting all your eggs in the L2TP basket won't satisfy these customers.
  • Consider combining L2TP with IPsec for confidentiality. There's no denying that doing so adds overhead; the question is how much overhead, and is it worth it? Techniques like L2TP header compression and encapsulating multiple PPP frames within a single L2TP packet can reduce overhead in some cases. The right solution may depend upon packet length, bandwidth, and—of course—each customer's security requirements.
  • Which brings us to perhaps the most important lesson to be learned from AT&T: when it comes to VPN, one size does not fit all.
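The overhead question raised in the L2TP-plus-IPsec recommendation can be answered for a given packet length rather than argued in the abstract. The Python below is an added example, not from the article or AT&T: header sizes follow RFC 2661 (L2TP data message with and without the optional Length and Ns/Nr fields), RFC 1661/1662 (PPP with and without address/control and protocol field compression) and RFC 2406 (ESP with an explicit IV, block padding and a 96-bit ICV), applied in transport mode so the outer IPv4 header stays outside ESP. The "bundled" column models several PPP frames sharing one L2TP/UDP/IP/ESP wrapper; that model is an assumption for illustration, not a standard encapsulation, and path MTU fragmentation is ignored.

```python
"""Wire overhead of PPP over L2TP, with and without an ESP transport-mode wrapper.
Added example; header sizes per RFC 2661, RFC 1661/1662 and RFC 2406. The
multi-frame bundling model is an assumption, not a standardized encapsulation."""
from dataclasses import dataclass

IPV4_HDR = 20
UDP_HDR = 8
L2TP_HDR_MIN = 6        # Flags/Ver, Tunnel ID, Session ID only
L2TP_HDR_FULL = 12      # plus Length and Ns/Nr (no Offset field)
PPP_HDR_FULL = 4        # Address, Control, 2-byte Protocol
PPP_HDR_COMPRESSED = 1  # ACFC and PFC negotiated: 1-byte Protocol only
ESP_HDR = 8             # SPI + Sequence Number
ESP_TRAILER = 2         # Pad Length + Next Header


@dataclass(frozen=True)
class EspSuite:
    name: str
    block: int   # cipher block size; the encrypted part is padded to it
    iv: int      # explicit IV bytes per packet
    icv: int     # integrity check value bytes


AES128_SHA1 = EspSuite("AES-128-CBC / HMAC-SHA1-96", block=16, iv=16, icv=12)
DES3_SHA1 = EspSuite("3DES-CBC / HMAC-SHA1-96", block=8, iv=8, icv=12)


def l2tp_packet_bytes(payload, frames=1, l2tp_hdr=L2TP_HDR_FULL, ppp_hdr=PPP_HDR_FULL):
    """Bytes of one IPv4/UDP/L2TP packet carrying `frames` PPP frames of `payload` bytes each."""
    return IPV4_HDR + UDP_HDR + l2tp_hdr + frames * (ppp_hdr + payload)


def esp_transport_bytes(inner, suite):
    """Wrap an IPv4 packet of `inner` bytes in ESP transport mode: the IPv4 header is kept,
    everything after it plus the ESP trailer is padded to the cipher block and encrypted,
    then SPI/sequence, IV and ICV are added around it."""
    to_encrypt = inner - IPV4_HDR + ESP_TRAILER
    pad = (-to_encrypt) % suite.block
    return IPV4_HDR + ESP_HDR + suite.iv + to_encrypt + pad + suite.icv


def overhead_fraction(total, payload, frames=1):
    """Share of bytes on the wire that are not user payload."""
    return 1 - (frames * payload) / total


def compare(payloads, suite=AES128_SHA1):
    """Per payload size: overhead for plain L2TP, L2TP+ESP, and 4 frames bundled
    in one L2TP packet with minimal L2TP and compressed PPP headers under ESP."""
    rows = []
    for p in payloads:
        plain = l2tp_packet_bytes(p)
        secured = esp_transport_bytes(plain, suite)
        bundled = esp_transport_bytes(
            l2tp_packet_bytes(p, frames=4, l2tp_hdr=L2TP_HDR_MIN, ppp_hdr=PPP_HDR_COMPRESSED), suite)
        rows.append((p, overhead_fraction(plain, p), overhead_fraction(secured, p),
                     overhead_fraction(bundled, p, frames=4)))
    return rows


if __name__ == "__main__":
    print("payload   L2TP  L2TP+ESP  4 bundled, compressed")
    for p, a, b, c in compare([40, 64, 256, 576, 1400]):
        print(f"{p:7d}  {a:5.1%}  {b:8.1%}  {c:8.1%}")
```

Run as written, the table makes the article's point concrete: at 64-byte payloads ESP pushes overhead past half the wire bytes, header trimming and bundling pull it back to about a quarter, and at 1400-byte payloads the whole difference shrinks to a few percent. Whether the extra bytes are worth it is therefore a question about the customer's traffic mix, not about the protocol in isolation.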

—End


Related articles:
  The Remote Access Conundrum Series:
  [Jan. 5, 2000] Part 1: Extended Authentication
  [Dec. 20, 2000] Part 2: Tunneling at Layer Two
  [Feb. 8, 2001] Part 3: Dynamic Addressing
  [Mar. 15, 2001] Part 4: VPN Client Administration
