VPN network authentication supports a very wide variety of
credentials. Dartmouth is currently using three versions: user name and
password; PKI software certificates stored on the user's computer; and PKI
certificates stored on eTokens. Two-factor authentication using eTokens is
the most secure form of authentication of the three credential
types. Using a PKI software certificate stored on the user's computer is
much less secure, but is slightly better than using only a user name and
password.
Today, an internal authentication database is used in conjunction with two
external RADIUS servers. The internal database contains very limited
groups and supports software certificate authentication. One RADIUS server
is backed by the DND, and the other handles high assurance PKI certificates
stored on eTokens.
Systems connecting to the VPN have all of their traffic encrypted at Layer
3. Layer 3 encrypted traffic can be carried encrypted end-to-end, but in
our case, it is carried encrypted to Dartmouth's VPN Concentrators. This
generally provides protection for traffic through more of the network than
Layer 2 encryption (depending on the traffic flow and network topology), and
will certainly provide encryption from your laptop anywhere in the world, wired
or wireless, to the Dartmouth Machine Room located in Berry.
An IPSec VPN using eTokens and Sygate is the most secure and trusted form of
network access Dartmouth has available today. Dartmouth has deployed several
secured, trusted networks (e.g., in Human Resources and the International
Office) and will continue to deploy them as the need arises. Users who connect to
the VPN with eTokens will receive IP addresses within a specific range, thus
providing system administrators the opportunity to set up Access Control Lists
(ACLs) to limit access to only that IP address range.
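The pool-per-credential scheme above can be checked offline with an ordered, first-match ACL model. This is an added example, not Dartmouth's configuration; the address pools, the trusted subnet and the sample flows are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example values: pools and trusted subnet are placeholders,
# not Dartmouth's real ranges. One pool per credential type, as in the text.
POOLS = {
    "etoken":   ipaddress.ip_network("10.10.1.0/24"),  # two-factor (eToken PKI)
    "softcert": ipaddress.ip_network("10.10.2.0/24"),  # software certificate
    "password": ipaddress.ip_network("10.10.3.0/24"),  # user name / password
}
TRUSTED_NET = ipaddress.ip_network("10.20.5.0/24")     # e.g. an HR subnet

@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

# Ordered, first-match ACL: only the eToken pool may reach the trusted subnet.
# The trailing catch-all deny makes the implicit deny of most ACLs explicit.
ACL = [
    Rule("permit", POOLS["etoken"], TRUSTED_NET),
    Rule("deny", ipaddress.ip_network("0.0.0.0/0"), TRUSTED_NET),
]

def evaluate(acl, src_ip, dst_ip):
    """Return the action of the first matching rule; 'deny' if nothing matches."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in acl:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return "deny"

def pool_for(src_ip):
    """Name the credential pool a VPN address was drawn from (None if unknown)."""
    addr = ipaddress.ip_address(src_ip)
    for name, net in POOLS.items():
        if addr in net:
            return name
    return None

def audit(acl, flows):
    """Evaluate (src, dst) flows; returns a list of (src, pool, action) rows."""
    return [(s, pool_for(s), evaluate(acl, s, d)) for s, d in flows]

if __name__ == "__main__":
    # Constructed flows: one client from each pool reaching for the trusted subnet.
    flows = [("10.10.1.25", "10.20.5.10"), ("10.10.2.9", "10.20.5.10"),
             ("10.10.3.7", "10.20.5.10")]
    for row in audit(ACL, flows):
        print(row)
```

The ACL only sees source addresses, so its protection is exactly as strong as the VPN concentrator's guarantee that the eToken pool is handed out only to eToken-authenticated sessions.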