May 10, 2001, 2:16 PM — VPNs provide an alternative to expensive WAN links, but with this alternative come a variety of issues surrounding security, such as authentication and authorization, synchronizing VPN appliance client databases, and centralizing client administration as the VPN network grows.
For a midsized firm, utilizing an authentication database embedded in VPN switches is the most common and easily implemented method for validating clients. This technique works well in a limited environment, but problems arise with synchronizing the embedded databases across multiple appliances as a VPN grows. The synchronization process is conducted manually and becomes an administrative nightmare as users change passwords, which should be occurring every 30 days.
One solution to the synchronization issue is to use a centralized client administration method, such as Remote Authentication Dial-In User Services (RADIUS). RADIUS coordinates authentication and authorization information between the VPN appliance and an authentication and authorization server. Utilizing a centralized RADIUS database server for client administration has numerous benefits, including the elimination of the need to manually synchronize VPN devices. Implementing RADIUS greatly simplifies administrative tasks and reduces the requirement for multiple device updates each time a new client or device change occurs. Implementing a RADIUS server should not require any changes or modifications to a firms existing network infrastructure.
Users need to be aware of a few issues with implementing RADIUS servers in their VPN infrastructure. There are a few areas of the RADIUS protocol that are not standardized among vendors. One of these is associated with access-attribute values, the portion of the protocol associated with users ability to update their passwords from VPN client software. Utilizing VPN platform and server devices from different vendors has the potential to create choke points within a VPN. To avoid this problem, confirm that the VPN appliance and RADIUS server are, in fact, compatible. This is one area where purchasing both devices from the same vendor is a sound business decision.
Another potential problem is utilizing a VPN switchs internal client database for administrators, and an external RADIUS server for VPN clients. The VPN switchs user database needs to be backed up regularly, and this is a manual function. Because logons must be blocked during the back-up process, they may not occur as regularly as necessary and must be done during off-hour support.