VPN input

David Gillett dgillett at NIKU.COM
Tue Jun 13 16:18:15 EDT 2000


John,
  I'd like to drill down a little on one particular point:

> My company's WAN is setup in a star configuration - all the branches vpn
> to our corporate offices, ....

  Do you have cases where two remote locations need to exchange traffic?
I'm facing a particular issue with wanting to convey traffic A<->C by having
site B route packets between the A<->B tunnel and the B<->C tunnel, instead
of creating a low-volume A<->C tunnel.  I haven't found a way to make this
happen yet.

  I'm asking in response to your message because this is inherent in using a
star rather than a mesh configuration....

David Gillett
Enterprise Networking Services Manager, Niku Corp.
(650) 701-2702
"Transforming the Service Economy"



-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of Jon
Carnes
Sent: Tuesday, June 13, 2000 12:05 PM
To: VPN at SECURITYFOCUS.COM
Subject: Re: VPN input


I've done a lot with MS networking across VPN's and WAN's, both for the
company I work for, and as a contractor to other shops.

For a limited number of sites staying with MS for the VPN is okay.  However,
if you have a lot of sites, or don't want to actively maintain your sites,
and need really good security, then you should go with an out of box type of
solution from a good vendor.  Our company uses both MS-VPN and Linux
firewall/VPN's.

If you will be using DSL at each of the sites, then you may wish to consider
having the DSL provider set up a Corporate network for you.  The DSL provider
sets up access to each site, but the connection is a private one, running
behind a firewall at the provider's site (not literally, but the effect is
the same).  Your corporate traffic *never* touches the internet.  It stays
locked on the DSL provider's private network.   You still have access to the
internet, but you don't have to worry about setting up the vpn, the
firewalls, or the routers.

If you use MS for the VPN connection, it's best to use a separate firewall
at each site and run your VPN behind it, so look for a firewall solution
that allows you to pass PPTP and L2TP freely through it.  This assumes that
you are running a separate third party firewall, since the firewalling on NT
isn't very good - though I haven't played with the very latest MS release
due out in August.  Note: you can run your MS VPN in parallel to your
firewall, but since most firewalls pass PPTP and L2TP it's better to keep
them behind the firewall.

You need to look at the amount of data you want to pass, and whether small
delays will affect the flow dramatically.

If you are logging into a database server across the vpn you may not be
happy with the small delays that can occur via the internet.  On the other
hand, if you are just moving documents around and playing with email, or if
you have a database server that can handle high latency, then VPN is for
you!

As a general rule for determining the highest transfer speed between any two
sites, I take the smaller of the two bandwidths and divide it by 2.  That's
a very rough estimate but works well in setting the expectations of a
client.

My company's WAN is set up in a star configuration - all the branches vpn to
our corporate offices, and the internet connection here is a T3.  The
smallest branch office connection is a shared T1 out of an office complex.
Several of our home users have better/faster connections via cable modems
and DSL.  Note: we make our home users run personal firewalls before
allowing them to attach to our Corporate network via vpn.

The key to making the WAN work effectively is to have a WINS server at each
major location, as well as a BDC (Backup Domain Controller).  At a site with
less than 50 users, WINS can run effectively on the same machine as the BDC.
This assumes that you want everyone to be on the same Domain, which avoids a
lot of hassles with setting up trust relationships.  If your Domain grows
too large, you may want to consider something like NDS for NT.  Novell
Directory Services is quite valuable for managing large networks.

For DSL service, I'm partial to Speakeasy.net.  They do a very professional
job for a great rate. (And I don't get any money for saying that...).

Bringing a new site on is very easy:
   - Set up internet access at site
   - Load RRAS and PPTP onto server
   - Re-Load Service Pack 5 (or 6a) onto NT server
   - Attach to corporate network
   - Test network access from attached server
   - Add route to corporate network on remote router.  Add route to remote
site on corporate router.
   - Test network access from remote computer
   - Add BDC and WINS to remote network

Note: BDC, WINS, and RRAS can all be run on the same NT server, as long as
it has about 500Mb of RAM and is reasonably fast (P2-450 or better).  This
will work for up to about 50 average office users.  If the site grows to
more than 50 users (my rule of thumb), I would split the WINS off to another
machine.

If you have any specific questions, I would be happy to help.

Jon Carnes
MIS - HAHT Software
----- Original Message -----
From: "Phil W Klassen" <pklassen at JCPENNEY.COM>
To: <VPN at SECURITYFOCUS.COM>
Sent: Tuesday, June 13, 2000 7:27 AM
Subject: VPN input


> JCPenney is in the process of evaluating DSL service. I pretty much feel
> we need a VPN specific solution however JCPenney is a large MS shop, and
> as such they would like to leverage a MS WIN2K server at the remote end.
>
> Does anyone have any experience deploying MS solutions for VPN,
> including PPTP or L2TP and Routing and Remote Access? If so, any input
> into your experiences would be appreciated.
>
> VPN is sponsored by SecurityFocus.COM

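The hub-routing question in David's reply (carrying A<->C traffic over the A<->B and B<->C tunnels) and the two "add route" steps in Jon's site bring-up list come down to the same three checks: each spoke needs a route that sends the other spoke's prefix into its hub tunnel, the hub needs routes to both spokes, and the hub must forward packets from one tunnel into the other. The Python model below is an added example, not code from either poster or from RRAS; the site subnets, gateway names and the forward_between_tunnels flag are constructed for illustration. It performs a longest-prefix-match lookup at each gateway and traces one packet through the star under the three configurations that matter.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed topology, not taken from the thread: hub B (corporate office)
# with tunnels B<->A and B<->C; every site has one private /16 behind its gateway.
SITES = {
    "A": "10.1.0.0/16",
    "B": "10.0.0.0/16",   # hub / corporate office
    "C": "10.2.0.0/16",
}
LOCAL = "LOCAL"   # sentinel: destination is on this gateway's own LAN


@dataclass
class Gateway:
    name: str
    local: ipaddress.IPv4Network
    forward_between_tunnels: bool = True   # hub must pass tunnel -> tunnel traffic
    routes: list = field(default_factory=list)   # (prefix, next-hop gateway name)

    def add_route(self, prefix: str, via: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), via))

    def next_hop(self, dst: ipaddress.IPv4Address):
        """Longest-prefix match over the table; LOCAL for own LAN, None if unrouted."""
        if dst in self.local:
            return LOCAL
        best = None
        for prefix, via in self.routes:
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, via)
        return None if best is None else best[1]


def trace(gateways: dict, src: str, dst_ip: str, max_hops: int = 8):
    """Follow one packet gateway by gateway; returns (path, outcome)."""
    dst = ipaddress.ip_address(dst_ip)
    cur = gateways[src]
    path = [cur.name]
    for _ in range(max_hops):
        hop = cur.next_hop(dst)
        if hop is None:
            return path, f"no route at {cur.name}"
        if hop == LOCAL:
            return path, "delivered"
        # a transit gateway is taking the packet out of one tunnel and into another
        if cur.name != src and not cur.forward_between_tunnels:
            return path, f"dropped at {cur.name}: forwarding between tunnels disabled"
        cur = gateways[hop]
        path.append(cur.name)
    return path, "hop limit exceeded"


def build_star(hub_forwards: bool = True, spokes_route_via_hub: bool = True) -> dict:
    """Star as described in the thread: spokes only have tunnels to the hub."""
    gw = {n: Gateway(n, ipaddress.ip_network(net)) for n, net in SITES.items()}
    gw["B"].forward_between_tunnels = hub_forwards
    for spoke in ("A", "C"):
        # "Add route to remote site on corporate router"
        gw["B"].add_route(SITES[spoke], spoke)
        # "Add route to corporate network on remote router"
        gw[spoke].add_route(SITES["B"], "B")
        if spokes_route_via_hub:
            # the extra step the A<->C case needs: the whole private range goes into the hub tunnel
            gw[spoke].add_route("10.0.0.0/8", "B")
    return gw


if __name__ == "__main__":
    scenarios = [
        ("plain star", build_star(spokes_route_via_hub=False)),
        ("spoke routes added, hub not forwarding", build_star(hub_forwards=False)),
        ("spoke routes added, hub forwarding", build_star()),
    ]
    for label, star in scenarios:
        print(f"{label}: {trace(star, 'A', '10.2.5.5')}")
```

Running it prints the three outcomes: with only corporate routes on the spokes the packet has no route at A; with spoke routes but no tunnel-to-tunnel forwarding it is dropped at B; with both it is delivered along A, B, C. On a real deployment the same three checks (spoke route table, hub route table, hub forwarding) are what to verify before concluding that a separate A<->C tunnel is required.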



