Wednesday 14 March 2012

Interoperability and Mixed versus Homogenous Device Deployments

Although IPSec is a documented standard, the Requests for Comments (RFCs) that document it have left room for
interpretation. In addition, Internet drafts such as IKE mode-configuration and vendor-proprietary features increase the
likelihood of interoperability challenges. For instance, there is no standard mechanism for IPSec to determine tunnel up/down
state and remote peer reachability. For these reasons, you should check with the vendors of both products for interoperability
information and for their participation in interoperability bake-offs. Typically a few minor changes to configurations, and
sometimes to code, are necessary to make interoperability reliable. Realize, though, that these changes may
affect the security stance of the device, so be aware of their implications. Also, to ensure
interoperability between products from a single vendor, it is a best practice to use the same code base across all platforms.
This decreases the likelihood of interoperability issues between products made by the same vendor as changes
are made over time to adhere to the standards and increase interoperability with other vendors.
Issues beyond interoperability arise in environments where different device types are deployed to build a VPN. These
issues usually arise because of interaction between the VPN and other features that complement its operation. For instance,
consider the authentication, authorization, and accounting (AAA) protocol used to manage remote users and administrators.
The granularity of support for this protocol, say Terminal Access Controller Access Control System Plus (TACACS+) or
Remote Authentication Dial-In User Service (RADIUS), may differ among the device types. This difference can complicate matters if
your user database does not support one of these mechanisms across all the device types deployed. The mechanisms used for
IPSec high availability and CA support differ among routers, firewalls, concentrators, and remote-access clients. Finally,
consider the additional resources required to train administrators to configure, manage, monitor, and troubleshoot
multiple device types.
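The "minor configuration changes" above usually come down to making two peers' IKE proposal lists overlap, and the change that makes them overlap can weaken the tunnel. The following script is an added illustration written for this note, not code from the original post; the two peers' proposal lists and the weak-transform table are constructed assumptions, and the negotiation model (initiator preference order, crypto parameters must match exactly, lifetimes tolerated) is a simplification of IKE.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    """One IKE SA proposal: cipher, integrity algorithm, DH group, lifetime."""
    encryption: str
    integrity: str
    dh_group: int
    lifetime_s: int

    def crypto_key(self):
        # Lifetime is excluded on purpose: vendors tolerate lifetime mismatches differently.
        return (self.encryption, self.integrity, self.dh_group)


# Constructed sample proposal lists for two peers from different vendors, most preferred first.
PEER_A = [Proposal("aes256-cbc", "sha256", 14, 28800),
          Proposal("aes128-cbc", "sha1", 2, 28800)]
PEER_B = [Proposal("aes256-gcm", "none", 19, 3600),
          Proposal("aes128-cbc", "sha1", 2, 3600)]

# This script's own table of transforms it flags as weak (an assumption for the example).
WEAK = {"encryption": {"des", "3des"}, "integrity": {"md5", "sha1"}, "dh_group": {1, 2, 5}}


def weak_parts(p):
    """Names of the proposal fields that the WEAK table flags."""
    return [f for f, bad in WEAK.items() if getattr(p, f) in bad]


def negotiate(initiator, responder):
    """Pick the initiator's first proposal whose crypto parameters the responder also offers.

    Returns (chosen_proposal_or_None, notes). The notes record the security cost
    of the overlap that was needed to make the two vendors agree.
    """
    responder_by_key = {p.crypto_key(): p for p in responder}
    for mine in initiator:
        theirs = responder_by_key.get(mine.crypto_key())
        if theirs is None:
            continue
        notes = []
        if mine.lifetime_s != theirs.lifetime_s:
            notes.append(f"lifetime mismatch {mine.lifetime_s}s vs {theirs.lifetime_s}s; "
                         f"expect rekey at {min(mine.lifetime_s, theirs.lifetime_s)}s if both take the shorter")
        for field in weak_parts(mine):
            notes.append(f"common proposal relies on weak {field}={getattr(mine, field)}")
        return mine, notes
    return None, ["no common proposal: peers will fail IKE negotiation"]


if __name__ == "__main__":
    chosen, notes = negotiate(PEER_A, PEER_B)
    print("chosen:", chosen)
    for n in notes:
        print(" -", n)
```

Run against the constructed peers, the only common proposal is the aes128-cbc/sha1/group 2 fallback, which is exactly the kind of overlap a reviewer should question before accepting it as an "interoperability fix".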
