Case Studies and Examples

There are various methods for identifying, authenticating, authorizing, and auditing remote access users. The following case studies show how some of these methods are applied in practice to keep communications secure and to ensure that the access granted does not put the organization at risk.

Private Sector Case Study

Many companies are weighing a VPN against per-application authentication over the web. The Miller Corporation is no different. Miller Corporation is a small organization with five sales representatives located throughout the United States. There are no remote offices for the sales reps. Four of the five sales reps work exclusively from home or on the road. One of the sales reps has a work area in the corporate office, but the majority of her time is spent on the road.

Jeff, the network administrator, configured remote access so that each user had a unique user ID/password combination for dial-in access to the network and unique user IDs and passwords for each application on the network. Passwords expired every 90 days. The sales representatives began reporting that this method was cumbersome and wanted to know if another solution was available.

Jeff decided to look into VPN access for the sales representatives. He concluded that a remote access VPN was a better fit than either web authentication or dial-in access because of the protection it provides: once the user has authenticated, every packet between the sales rep's computer and the corporate network travels through an encrypted tunnel, whatever network the rep happens to be connected to, including wireless connections. Dial-in access requires a telephone line, so it is not an option over a wireless data connection, and per-application web authentication leaves the protection of each session to the individual application.

Jeff could manage the remote access VPN configuration at a central location, rather than managing web authentication separately for each application. The VPN would also raise the productivity of the sales reps, because they would no longer need to log on to multiple resources or keep track of several passwords. That single logon holds only if the VPN gateway and the applications authenticate against the same central directory; a VPN that keeps its own user database simply adds one more password in front of the others.

If Miller Corporation hired additional sales representatives, the VPN would scale better than any of the other options, since a new user is added once at the gateway rather than at each application. Jeff could also add a second authentication factor to the VPN logon later, if needed, without changing the applications. Jeff felt that a VPN solution was best for the sales representatives, and it would allow other employees to work remotely as well.

Public Sector Case Study

A major city government needed to ensure its departments were complying with appropriate remote access security policies and regulatory requirements. It also needed to better account for remote access usage of the citywide network by each department for budgeting purposes. The city’s chief information security officer (CISO) requested security metrics and usage data from each department. This data indicated system-wide remote access security lapses and weaknesses, and it was apparent that the departments were unable to provide accurate usage figures without going to great effort.

The CISO decided to address both problems, security and accountability, by implementing the AAA framework: authentication, authorization, and accounting. AAA provides the flexibility and scalability the city needs to meet its policy and regulatory requirements. During the implementation, access controls were added to every component of the city's network infrastructure to meet the authorization requirements. With the accounting component, each remote session is recorded against the user who opened it, so administrators could accurately report the resources each user consumed on the network and use the data for trend analysis and capacity planning. Implementing all three components addressed the current needs and the future concerns.
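As an added illustration of what the accounting component delivers (example code written for this page, not part of the city's implementation or of the original text), the following Python script parses constructed RADIUS accounting records, using attribute names from RFC 2866, and produces the per-department usage figures the departments could not supply by hand. The flat key=value line format, the user names, and the convention that the realm after "@" identifies the department are assumptions made for the example. It also flags sessions with a Start but no Stop, or a Stop but no Start, which are exactly the gaps that make a usage report inaccurate.

```python
from collections import defaultdict

# Constructed sample accounting records, one per line as space-separated key=value pairs.
# Attribute names follow RFC 2866; the flat line format is an assumption made for this
# example, not any real server's log layout. The realm after "@" stands in for the department.
SAMPLE_RECORDS = """\
Acct-Status-Type=Start Acct-Session-Id=1001 User-Name=alice@finance NAS-IP-Address=198.51.100.2
Acct-Status-Type=Start Acct-Session-Id=1002 User-Name=bob@public-works NAS-IP-Address=198.51.100.2
Acct-Status-Type=Stop Acct-Session-Id=1001 User-Name=alice@finance Acct-Session-Time=3600 Acct-Input-Octets=1048576 Acct-Output-Octets=20971520 Acct-Terminate-Cause=User-Request
Acct-Status-Type=Start Acct-Session-Id=1003 User-Name=carol@finance NAS-IP-Address=198.51.100.3
Acct-Status-Type=Stop Acct-Session-Id=1003 User-Name=carol@finance Acct-Session-Time=600 Acct-Input-Octets=4096 Acct-Output-Octets=8192 Acct-Terminate-Cause=Lost-Carrier
Acct-Status-Type=Stop Acct-Session-Id=1004 User-Name=dave@public-works Acct-Session-Time=120 Acct-Input-Octets=10 Acct-Output-Octets=10 Acct-Terminate-Cause=Idle-Timeout
"""


def parse_records(text: str) -> list:
    """Turn the constructed key=value lines into a list of dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        records.append(dict(field.split("=", 1) for field in line.split()))
    return records


def department(user_name: str) -> str:
    """Assumption for this example: the realm after '@' names the department."""
    return user_name.partition("@")[2] or "unknown"


def usage_by_department(records: list) -> dict:
    """Per-department totals taken from Stop records: completed sessions, connect seconds, octets."""
    totals = defaultdict(lambda: {"sessions": 0, "seconds": 0, "octets": 0})
    for r in records:
        if r.get("Acct-Status-Type") != "Stop":
            continue
        d = totals[department(r["User-Name"])]
        d["sessions"] += 1
        d["seconds"] += int(r.get("Acct-Session-Time", 0))
        d["octets"] += int(r.get("Acct-Input-Octets", 0)) + int(r.get("Acct-Output-Octets", 0))
    return dict(totals)


def session_anomalies(records: list) -> dict:
    """Sessions that cannot be accounted for: started but never stopped (still open, or the
    Stop was lost), and stopped without a matching Start (the Start was dropped or never sent)."""
    starts = {r["Acct-Session-Id"] for r in records if r.get("Acct-Status-Type") == "Start"}
    stops = {r["Acct-Session-Id"] for r in records if r.get("Acct-Status-Type") == "Stop"}
    return {"open_sessions": sorted(starts - stops), "stop_without_start": sorted(stops - starts)}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for dept, t in sorted(usage_by_department(recs).items()):
        print(f"{dept:14s} sessions={t['sessions']} seconds={t['seconds']} octets={t['octets']}")
    print(session_anomalies(recs))
```

The anomaly check is the part worth keeping in a real deployment: a Start with no Stop is either a session still open or a lost accounting packet, and either way the department's usage figure is wrong until it is resolved.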

An AAA framework is important for any organization that needs to standardize its practices based on security. It gives an organization a starting point and assists in future growth. It helps administrators understand what needs to be accomplished and why.

Critical Infrastructure Case Study

Kelly, a network administrator for a gas distribution company, needs to implement a secure dial-in infrastructure for a group of financial employees. She wants to ensure authentication, authorization, and accounting capabilities are provided. Kelly has winnowed her options down to two, TACACS+ and RADIUS, but is not sure which is better for her needs.

Kelly is concerned that TACACS+ is not an IETF standard: it originated as a Cisco protocol and, although it was later documented in RFC 8907, that RFC is informational rather than standards-track. RADIUS, on the other hand, is standardized in RFC 2865 (authentication and authorization) and RFC 2866 (accounting), so she can expect every vendor that claims RADIUS support to interoperate. Kelly appreciates the scalability of the centralized authentication service that both protocols offer; if the implementation proves successful, the technology may be rolled out to additional employees. However, she is concerned about using RADIUS in a large infrastructure because it runs over UDP: there is no connection state, so each client has to implement its own retransmission timers and decide for itself when a server is dead and it should fail over. TACACS+ runs over TCP, which provides reliable delivery and an immediate indication when a server is unreachable, but at the cost of the connection setup and acknowledgment traffic that comes with every TCP session.

Kelly's main concern, however, is encryption. RADIUS hides only the user's password; the rest of the packet, including the user name and every authorization and accounting attribute, crosses the network in the clear. TACACS+ obfuscates the entire packet body, so the user name, password, and all authorization and accounting data are hidden. Because the users of this service are in the finance department, Kelly wants every packet protected in its entirety and is not willing to accept password-only protection. Weighing the pros and cons of each solution, Kelly concludes that the security of the company's data is the overriding concern and decides to move forward with TACACS+. One caveat a practitioner should keep in mind: neither protocol's built-in protection is strong cryptography. Both derive an MD5 keystream from a static shared secret, and RFC 8907 itself calls the TACACS+ mechanism obfuscation rather than encryption and says the protocol should only be deployed over a secured network path. Choosing TACACS+ narrows what a sniffer sees; it does not remove the need to protect the AAA traffic at the network layer.
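To make the difference in encryption concrete, here is an added example (written for this page, not code from the original text or from any RADIUS or TACACS+ implementation) that builds the first authentication packet of each protocol in Python and checks what a passive sniffer would see. The RADIUS User-Password hiding follows RFC 2865 section 5.2 and the TACACS+ body obfuscation follows RFC 8907 section 4.5; the shared secret, user name, password, session ID, and the fixed Request Authenticator are constructed sample values (a real client picks the authenticator and the session ID at random).

```python
import hashlib
import struct

# Constructed sample values for this example; none of them come from the case study.
SHARED_SECRET = b"example-shared-secret"
USERNAME = b"kelly.finance"
PASSWORD = b"Correct-Horse-42"
REQUEST_AUTHENTICATOR = bytes(range(16))   # 16 random bytes in a real RADIUS client
TACACS_SESSION_ID = 0x1234ABCD             # random in a real TACACS+ client


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of radius_hide_password; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def radius_access_request(identifier: int, username: bytes, password: bytes,
                          secret: bytes, authenticator: bytes) -> bytes:
    """Minimal Access-Request (Code 1) carrying User-Name (type 1) and User-Password (type 2)."""
    def attr(kind: int, value: bytes) -> bytes:
        return struct.pack("!BB", kind, len(value) + 2) + value
    attrs = attr(1, username) + attr(2, radius_hide_password(password, secret, authenticator))
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs


def radius_attributes(packet: bytes) -> dict:
    """Parse the attribute list after the 20-byte RADIUS header into {type: value}."""
    attrs, pos = {}, 20
    while pos < len(packet):
        kind, length = packet[pos], packet[pos + 1]
        attrs[kind] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate and truncate to length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the whole body with the pseudo-pad; the same call reverses it."""
    return _xor(body, tacacs_pseudo_pad(session_id, key, version, seq_no, len(body)))


def tacacs_authen_start(session_id: int, key: bytes, username: bytes, password: bytes,
                        port: bytes = b"tty0", rem_addr: bytes = b"203.0.113.10") -> bytes:
    """Authentication START packet for a PAP login (RFC 8907 section 5.1): the password
    travels in the data field and the entire body is obfuscated under the shared key."""
    version, seq_no = 0xC1, 1   # major 0xC, minor 1 (PAP); first packet of the session
    body = struct.pack("!8B", 1, 1, 2, 1,   # action=LOGIN, priv_lvl=1, authen_type=PAP, service=LOGIN
                       len(username), len(port), len(rem_addr), len(password))
    body += username + port + rem_addr + password
    # header: version, type=AUTHEN(1), seq_no, flags=0 (body obfuscated), session_id, body length
    header = struct.pack("!BBBBII", version, 1, seq_no, 0, session_id, len(body))
    return header + tacacs_obfuscate(body, session_id, key, version, seq_no)


def wire_exposure() -> dict:
    """What a passive sniffer sees in each protocol's first authentication packet."""
    radius = radius_access_request(7, USERNAME, PASSWORD, SHARED_SECRET, REQUEST_AUTHENTICATOR)
    tacacs = tacacs_authen_start(TACACS_SESSION_ID, SHARED_SECRET, USERNAME, PASSWORD)
    return {
        "radius": {"username_visible": USERNAME in radius, "password_visible": PASSWORD in radius},
        "tacacs": {"username_visible": USERNAME in tacacs, "password_visible": PASSWORD in tacacs},
    }


if __name__ == "__main__":
    print(wire_exposure())
```

Running it reports that the RADIUS Access-Request exposes the user name and hides only the password, while the TACACS+ START packet exposes neither. The code also shows how thin that protection is: both keystreams are MD5 digests of a static shared secret chained with public packet fields, which is why the AAA traffic should still be carried over a protected path in a real deployment.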
