VPN Survey Results
DBlake at cts.UCLA.EDU
Fri May 2 20:55:13 GMT 2003
In early April, I sent a survey to the mailing list regarding use of VPN to support remote access and wireless laptop and PDA users. I received 13 responses and I've compiled the results below. I hope that the members of the list will find the information useful. Many thanks to all who responded.
UCLA Communications Technology Services
(310) 206-9012 fax
dblake at cts.ucla.edu
1. Do you have a data wireless network operating on your campus? Yes 11 No 2
2. Do you use VPN to secure access through the data wireless network? Yes 8 No 5
3. If not, what do you use to secure your wireless network?
--Currently use VPN, but by beginning of fall, we are planning to use an authentication gateway device instead.
--Vernier boxes which enable (but don't enforce) secure access. The initial login is SSL and from there the user can choose to use ssh or a VPN. It is possible (but we aren't using it) to terminate an IPSEC VPN tunnel at the Vernier box although that only protects over the air. Current Timestep platform is being replaced because discontinued. Likely to choose Cisco because of software clients for Macs
--Most of our wireless networks are policy routed to one of our campus firewalls. Users must first authenticate to the firewall prior to connecting to anything off the wireless subnet.
--"Critical Hosts" can no longer use unencrypted password authentication, such as kerberos 5 and ssh and ssl/tls. This is for *any* network use. Planning underway to implement VPN.
--SSL for Web access
4. If so, what make and model of VPN do you use? Is it fully redundant?
--Cisco 3030, not redundant. Wireless is a convenience layer, not a must have.
--Cisco 3060 with 4 SEPs
--Cisco 5008 with a small 3000 series to support PDAs; not redundant. Going to a 30xx soon
--Nortel Contivity Extranet Switch 2700. We use 3 for manual redundancy and load balancing for internet, and 2 for wireless.
--Cisco 3060 with redundant power supplies and encryption modules. Second box in VRRP mode, to take over if the primary box fails. The two boxes don't maintain state information, so if the first box fails, all existing connections drop.
--Home-brew solution called a "roamnode": a Linux-based router that provides secure wireless and wired roaming (including layer-3 roaming) as well as remote access via VPN. Nearly full redundancy.
--Cisco VPN3030 non-redundant, that is, it has two power supplies but not backup processors. We have two that back each other up.
5. What authentication protocols does your VPN support?
--Cisco 3030: All
--Cisco 3060: RADIUS backended in to campus kerberos (v5) deployment
--Cisco 5008: RADIUS server that speaks with campus kerberos
--Nortel Contivity: LDAP, RADIUS, internal database, tacacs/+, nt domain, kerberos
--Cisco 3060: IPSec with pre-shared secrets, and Xauth against a RADIUS server. Wireless APs are on their own subnet/VLAN isolated from the rest of campus via a firewall. We prefer wireless users to use a VPN client to go through the firewall, but if an obscure client OS is used that won't allow VPN access, they can authenticate with the firewall via https.
--MS-Chap-v2 between client and NAS (roamnode); RADIUS between NAS and user database.
--Cisco 3030: RADIUS
6. Can PDAs be used on your VPN? If so, which PDA clients do you use? Yes 6 No 7
--Not much interest (2)
--Planning to support Windows CE .Net and Linux based devices in the near future.
7. Do remote users use your central VPN gateway to get to their departmental networks? Yes 8 No 5
--We have 2 VPNs, one for wireless and one for wired.
--On a case-by-case basis. Initially got concentrator to 'fix' connections broken by blocking NetBIOS at border.
--Not at present although such a service is planned
8. If so, do you provide specialized VPN access to make it appear to remote users that they are accessing a standalone department VPN? Yes 1 No 11
--On exception basis only will put department in a group-specific DHCP pool.
--Takes a fair amount of support overhead and few willing to fund added cost of this mode.
--More likely to tunnel users through the border to provide home access for Microsoft desktops. Various system administrators will use VPN access in to central machine room.
--Citrix MetaFrame for some purposes, ACLs for others
--Set up a separate address pool for one department on our VPN, so that they could set up departmental security filters based on IP address.
--Provide access to several different networks. However, most are happy with just a "generic" style service.
9. How many individual users access your VPN at peak? How many connections are sourced from internal networks? How many from external networks?
--300 individual users
--30 individual users; 85 internal, 1 external
--60-80 internal, 20-30 external
--Hundreds internally; small number of system administrators from external sites
--350 individual users plus 24 branch offices; 30 on wireless; no internal users
--About 100 individual users
--Use split 50/50 internal and external
--VPN supports University Housing, so no connections from external networks
10. How many simultaneous sessions is your VPN handling at peak per day? What is your peak bandwidth?
--Way under what it can handle.
--60-80 simultaneous sessions
--About 375 sessions. Peak bandwidth is about 9MBps
--VPN has 100Mbps fdx connections.
--30 simultaneous users; peak bandwidth 10 Mb
--About 60 simultaneous sessions. Bandwidth peaks up to 4 Mb
11. Do you have access criteria in place to limit access or timeout sessions? Yes 5 No 8
Comments (if Yes):
--2 hour access limit
--ACLs and 15 minute idle timeout
--Off campus: 24 hour access duration and 30 minute idle timeout; On campus: 24 hour duration and 3 hour idle timeout
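The last answer above describes a two-part session policy: an absolute duration limit plus an idle timeout, with a stricter idle timeout for off-campus sources. The following is an added example (not from the survey or any respondent) of how a gateway-side sweep could enforce such criteria over a session table; the thresholds mirror that answer, while the campus address range, the session record format and the sample sessions are constructed assumptions.

```python
"""Session access-criteria sweep: absolute duration limit plus idle timeout,
with different idle thresholds for on-campus and off-campus sources.

Added example, not from the survey or any respondent. The thresholds follow
the survey answer; the campus prefix, record format and sample data are
constructed for illustration.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed campus address space (constructed placeholder, RFC 1918 range).
CAMPUS_NETWORKS = [ip_network("10.0.0.0/8")]

# Thresholds from the survey answer: 24 h duration for both;
# 30 min idle timeout off campus, 3 h idle timeout on campus.
POLICY = {
    "on_campus": {"max_duration": timedelta(hours=24), "idle_timeout": timedelta(hours=3)},
    "off_campus": {"max_duration": timedelta(hours=24), "idle_timeout": timedelta(minutes=30)},
}


def classify_source(ip: str) -> str:
    """Return 'on_campus' if the source address is inside a campus prefix."""
    addr = ip_address(ip)
    return "on_campus" if any(addr in net for net in CAMPUS_NETWORKS) else "off_campus"


def evaluate_session(source_ip: str, started: datetime, last_activity: datetime, now: datetime):
    """Return (action, reason): 'keep' or 'terminate' with the rule that fired.

    The duration check runs first so a session that is both over its lifetime
    and idle is reported against the stricter (absolute) rule.
    """
    rules = POLICY[classify_source(source_ip)]
    if now - started >= rules["max_duration"]:
        return "terminate", "max_duration"
    if now - last_activity >= rules["idle_timeout"]:
        return "terminate", "idle_timeout"
    return "keep", ""


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample session table: (session_id, source_ip, start, last_activity).
SAMPLE_SESSIONS = [
    ("s1", "10.12.3.4",  "2003-05-02 08:00:00", "2003-05-02 10:30:00"),  # on campus, idle 2h30
    ("s2", "192.0.2.10", "2003-05-02 08:00:00", "2003-05-02 12:00:00"),  # off campus, idle 1h
    ("s3", "10.200.1.1", "2003-05-01 12:00:00", "2003-05-02 12:59:00"),  # on campus, 25h old
    ("s4", "192.0.2.77", "2003-05-02 12:50:00", "2003-05-02 12:55:00"),  # off campus, idle 5 min
]


def sweep(sessions, now: datetime) -> dict:
    """Evaluate every session against the policy; returns {session_id: (action, reason)}."""
    results = {}
    for sid, ip, start, last in sessions:
        results[sid] = evaluate_session(ip, parse_ts(start), parse_ts(last), now)
    return results


if __name__ == "__main__":
    now = parse_ts("2003-05-02 13:00:00")
    for sid, (action, reason) in sweep(SAMPLE_SESSIONS, now).items():
        print(f"{sid}: {action} {reason}".rstrip())
```

Run against the constructed table at 13:00, the sweep keeps s1 and s4, terminates s2 on the off-campus idle timeout and s3 on the 24-hour duration limit. Classifying by source prefix is the simplest way to apply different idle thresholds; a gateway that tags sessions by interface or VLAN at connect time would use that tag instead.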
12. Do departments on your campus provide their own VPNs? Yes 9 No 4
--Departments not officially sanctioned to do so.
--Departments are free to set up their own VPN for secure access to a local machine, but most do not.
--Somewhat. Med school recently purchased a Cisco VPN that central IT manages for them. The VPN is used to connect remote medical offices to our campus network.
--A few departments have done so, some for legitimate reasons, some not
--Yes, in VERY small numbers. Evaluation team will recommend VPN solutions and make recommendations to campus.
--Discourage departments from doing so
13. If so, do you allow them to tunnel through your wireless network? Using which protocols? Yes 8 No 5
--Everything on our wireless has to terminate on our VPN server. Do allow IPSec to bypass campus firewall rules.
--Yes, as long as it is IP and they authenticate to the Vernier box, though it hasn't been done
--They can VPN across our wireless. We do not filter it.
14. Has your institution defined campuswide standards for departmental VPNs? If so, please provide the URL for access to your standards document.