Remote access - implementation choices
Authenticating Users
- Remote Access Client needs to support standards for talking to PKI Smartcards/tokens (PKCS#11, PCSC or CAPI)
- VPN Device needs to be able to distinguish between your users and other users using the same Certificate Authority
Securing Traffic
- Network traffic needs to be encrypted using either 3DES or AES encryption. Most existing systems support this.
Support/Upgrade Issues
- When you make any changes, they need to be backward compatible. With users distributed, staggered roll-outs or upgrades are the only way.
Network Address Translation Issues
- IPsec traffic does not work from behind most firewalls or devices that perform NAT (e.g. DSL routers, hotel broadband).
- Remote Access Client and Remote Access Server need to support NAT-T or similar protocols to seamlessly traverse such devices.
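
Added example (not part of the original slides): how NAT-T peers detect a NAT device in the path, using the NAT-D hash comparison defined in RFC 3947. The cookies, addresses and the choice of SHA-1 as the negotiated hash are constructed assumptions.

```python
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i, cky_r, ip, port):
    """NAT-D payload body per RFC 3947: HASH(CKY-I | CKY-R | IP | Port)."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("IKEv1 cookies are 8 bytes each")
    packed_ip = ipaddress.ip_address(ip).packed  # 4 bytes IPv4, 16 bytes IPv6
    data = cky_i + cky_r + packed_ip + struct.pack("!H", port)
    return hashlib.sha1(data).digest()  # assumption: SHA-1 was negotiated


def build_nat_d(cky_i, cky_r, local, remote):
    """Payloads a peer sends: remote (destination) hash first, then local (source)."""
    return [nat_d_hash(cky_i, cky_r, *remote), nat_d_hash(cky_i, cky_r, *local)]


def detect_nat(cky_i, cky_r, seen_src, seen_dst, peer_nat_d):
    """Receiver side: compare the peer's hashes with the addresses on the packet.

    Returns (peer_behind_nat, we_are_behind_nat).
    """
    dst_hash, src_hashes = peer_nat_d[0], peer_nat_d[1:]
    peer_behind_nat = nat_d_hash(cky_i, cky_r, *seen_src) not in src_hashes
    we_are_behind_nat = nat_d_hash(cky_i, cky_r, *seen_dst) != dst_hash
    return peer_behind_nat, we_are_behind_nat


# Constructed sample values (documentation address ranges, made-up cookies).
CKY_I = bytes.fromhex("1122334455667788")
CKY_R = bytes.fromhex("99aabbccddeeff00")
CLIENT_PRIVATE = ("192.168.1.10", 500)   # client behind a hotel/DSL router
NAT_PUBLIC = ("203.0.113.7", 31500)      # source address after the router rewrites it
SERVER = ("198.51.100.20", 500)

if __name__ == "__main__":
    sent = build_nat_d(CKY_I, CKY_R, CLIENT_PRIVATE, SERVER)
    peer_nat, self_nat = detect_nat(CKY_I, CKY_R, NAT_PUBLIC, SERVER, sent)
    # When either side is behind NAT, IKE moves to UDP 4500 and ESP is UDP-encapsulated.
    print("client behind NAT:", peer_nat, "| server behind NAT:", self_nat)
```

A mismatch on the source hash is what tells the server to switch to UDP encapsulation, which gives the NAT device port numbers to translate that raw ESP packets lack.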

