VPN - Security Policy


**Security Policy**

In the extranet case, for example, a virtual private networking policy regulates authentication and authorization. Authorization should be based on generic roles that are defined by the participating enterprises. (These roles should be mapped to individuals in the participating enterprises.) The generic role should have basic privileges, including network access and web server access to the stock levels of the suppliers’ products. These roles should then be mapped to a defined set of data and enforced through the VPN. The extranet policy should be incorporated in a statement of understanding among the involved users.

The virtual private networking remote-access policy should not differ radically from the already established remote-access policy. Key differences from the traditional remote-access policy can include an “acceptable use” statement for access to the Internet, where applicable. Any Internet-based access should also have two-factor, token-based authentication in place, and the policy should include a statement about how these tokens can be used most securely.
