New VPN Installation

Stephen Hope shope at ENERGIS-EIS.CO.UK
Wed Jan 10 17:01:36 EST 2001


Randy

A lot of networking and computing in general works with this set of general
guidelines:


(these rules are paraphrased from my standard "reality check" for ISDN and
RAS networks)

1. If you don't know what you are doing, then buy from someone who does, or
invest time/money/high fail rate to do it yourself (I know this is
obvious...) - DIY does mean you come out the other end understanding the
stuff a lot better, or prove you are very lucky - either is worth having!

2. Simplify everything.
1 standard method.
1 manufacturer.
1 type of kit, preferably 1 model.
1 protocol suite.
1 ISP (or you will never isolate a WAN problem and connect it to a fault
owner, never get an SLA).
Only simple mixes of simple apps (if you can) - i.e. mail, WWW - Citrix or
similar can logically take complications away from the VPN and isolate them
at the central site.
Avoid any complications (real time stuff such as VoIP is a real pain in the
VPN).
For a small network shared secrets are probably simpler than PKI, but others
would argue with that (NB - PKI means you depend on an outside service to
operate the VPN).

3. Pick kit you are comfortable with, i.e. that you know, or you know the
company, or uses platforms you know, or that uses protocols you know.
I like Cisco PIX firewalls, but I know the kit so I am biased...... These
would also provide firewall protection to the Internet if you need that.

4. Test it before you need it to work! - understand the performance, check
big and small packets. Soak it so that when connections fall over after 8
hours or a few days you know about it. Prove your apps work over it, and
that when someone complains it is too slow you have an answer.
If you can keep the test setup permanently for future checks it will pay off
in the long run.

5. Break it yourself so you have some idea of how things will go wrong.
Note that the encryption and other security components of a VPN make it
harder to troubleshoot than a conventional WAN.

6. Provide management tools if you can. A good user interface can make life
a lot easier, but check it understands adding new sites, kit swap out after
a failure etc.

7. Check out support, get an appropriate agreement set up - you will need
help initially, but if it becomes a critical network you will probably want
maintenance, s/w updates etc.

8. Make sure you put "enough" resilience in place - again a critical network
may need ISDN backup or something.... Internet links are not that reliable
sometimes.

9. Keep the scope simple, or if you are going to complicate it, do it in
logical stages. In this case, do 3 sites first, then evaluate what you have.
Leave RAS or other add-ons to later. Keep the sites relatively close if you
can to reduce initial start up logistics.

10. And finally - should it be a VPN? (I prefer Frame Relay, but it will
probably cost more.) Should you buy a service rather than build it? (Less
expertise, someone else to set it up and look after it, more money long term
on the fees, but probably less capital up front.)

And this is just paranoia 101.....

In practice, you always break some of these rules for good reasons, but the
principle is everything as simple as you can, but no simpler.

I suggest you build a test setup on a bench before anything else - 3 sites
rather than 2 to catch all the problems with things that only work for 1
connection.



Good luck - they don't call this the "bleeding edge" for nothing.

Stephen

Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk,
Energis Integration Services Ltd, WWW: http://www.energis-eis.co.uk
Carrington Business Park, Carrington, Manchester , UK. M31 4ZU
Tel: +44 (0)161 776 4190 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776
4189
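
Points 4 and 5 above (check big and small packets, soak the link for hours or days, and know how it breaks) describe a bench test without giving one. The script below is an added example and not part of Stephen's message or Randy's question; it is a small UDP soak tester that cycles through several payload sizes against an echo responder at the far end, records timeouts and corrupted replies per size, and reports worst-case round-trip time. The names `EchoServer`, `probe`, `soak`, `report` and the size list `DEFAULT_SIZES` are this example's own choices; the built-in echo responder stands in for the remote site so the script runs on a single machine.

```python
"""UDP soak test for a bench VPN setup (added example, not from the original post).

Send datagrams of several sizes to an echo responder for a fixed duration and
count replies, timeouts and corrupted echoes per size. The sizes around
1400-1500 bytes are the interesting ones on a real tunnel: encapsulation
overhead means packets that fit the physical MTU may no longer fit once
encrypted, so drops or fragmentation tend to appear only at those sizes.
"""
import socket
import threading
import time
from dataclasses import dataclass, field

# Probe sizes in bytes (assumed values; adjust to the MTU of your links).
DEFAULT_SIZES = (64, 512, 1400, 1472, 1500, 4096)


@dataclass
class ProbeStats:
    sent: int = 0
    ok: int = 0
    timeouts: int = 0
    corrupt: int = 0
    rtt_ms: list = field(default_factory=list)

    @property
    def failed(self) -> int:
        return self.timeouts + self.corrupt


class EchoServer(threading.Thread):
    """Minimal UDP echo responder: a constructed stand-in for the far site."""

    def __init__(self, host="127.0.0.1", port=0):
        super().__init__(daemon=True)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((host, port))
        self.sock.settimeout(0.2)
        self.address = self.sock.getsockname()   # (host, chosen port)
        self._halt = threading.Event()

    def run(self):
        while not self._halt.is_set():
            try:
                data, peer = self.sock.recvfrom(65535)
            except socket.timeout:
                continue
            self.sock.sendto(data, peer)
        self.sock.close()

    def stop(self):
        self._halt.set()


def probe(sock, target, size, seq, timeout=1.0):
    """Send one `size`-byte datagram tagged with `seq`; return (status, rtt_ms).

    status is "ok", "timeout" or "corrupt". Late replies to earlier probes are
    recognised by their sequence tag and skipped rather than miscounted.
    """
    size = max(size, 4)
    payload = seq.to_bytes(4, "big") + bytes([size % 251]) * (size - 4)
    start = time.perf_counter()
    deadline = start + timeout
    sock.sendto(payload, target)
    while True:
        remaining = deadline - time.perf_counter()
        if remaining <= 0:
            return "timeout", None
        sock.settimeout(remaining)
        try:
            reply, _ = sock.recvfrom(65535)
        except socket.timeout:
            return "timeout", None
        if reply == payload:
            return "ok", (time.perf_counter() - start) * 1000
        if reply[:4] == payload[:4]:
            return "corrupt", None      # same sequence tag, different bytes
        # Different tag: a stale reply from an earlier probe; keep waiting.


def soak(target, duration_s, sizes=DEFAULT_SIZES, interval_s=0.5, timeout=1.0):
    """Cycle through `sizes` until `duration_s` elapses; return {size: ProbeStats}."""
    stats = {s: ProbeStats() for s in sizes}
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    seq = 0
    end = time.monotonic() + duration_s
    try:
        while time.monotonic() < end:
            for size in sizes:
                seq += 1
                status, rtt = probe(sock, target, size, seq, timeout)
                st = stats[size]
                st.sent += 1
                if status == "ok":
                    st.ok += 1
                    st.rtt_ms.append(rtt)
                elif status == "timeout":
                    st.timeouts += 1
                else:
                    st.corrupt += 1
            time.sleep(interval_s)
    finally:
        sock.close()
    return stats


def report(stats):
    """One line per size so a size-specific failure stands out at a glance."""
    lines = []
    for size, st in sorted(stats.items()):
        worst = max(st.rtt_ms) if st.rtt_ms else float("nan")
        lines.append(f"{size:6d} B  sent={st.sent:5d} ok={st.ok:5d} "
                     f"timeout={st.timeouts:4d} corrupt={st.corrupt:4d} "
                     f"worst_rtt={worst:.2f} ms")
    return "\n".join(lines)


if __name__ == "__main__":
    # Bench run against the local responder. For a real soak, run EchoServer on
    # a host at the far end of the tunnel, point `target` at it, and set the
    # duration to hours or days so the 8-hour-style failures show up in the log.
    server = EchoServer()
    server.start()
    results = soak(server.address, duration_s=3, interval_s=0.2)
    server.stop()
    print(report(results))
```

Each size keeps its own counters because that is where the diagnostic value lies: a link that passes 64-byte probes for a week but times out every 1500-byte probe points at an MTU or fragmentation problem in the tunnel, not at the ISP, which is exactly the kind of fault-owner isolation point 2 is asking for.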


> -----Original Message-----
> From: Randy Burgess [mailto:celusil at WWA.COM]
> Sent: Wednesday, January 10, 2001 5:00 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: New VPN Installation
>
>
> Greetings All.
>
> I am a new member of the list, I have been in IT management for @15 years
>
> I have read the Faq and some of the How to's on the web page and I'm
> still swimming a little bit.  I think I understand some of the basics
> but actually getting started seems difficult for me.
>
> I have a March 1st deadline for VPN connectivity to corporate from @15+
> buildings (3-10 users per building) There are also remote user
> possibilities.
>
> We have an agreement for T1 lines to the internet for almost all of the
> buildings and a couple will use DSL.
>
> My firm has a very strong bottom line ethic they absolutely want the
> cheapest.  Me, I want the easiest.
>
> After reading stuff here and elsewhere, I don't think I can leap into
> Linux - I know nothing about it. A hardware solution seems to be the
> easiest.  I have spoken to one consulting firm, however they apparently
> aren't willing to buy the routers for me set them up and leave. They
> want a monthly per user per building fee.
>
> What I'm really looking for is a consulting company in Chicago that will
> help me implement the corporate side and teach me to implement the
> building side then go away.  (Anybody know someone like that?)
>
> Alternatively, I need a fast track learning solution so that I can do it
> myself.
>
> Questions for this group:
> 1. am I dreaming, is this not learnable in the amount of time given?
> 2. Is a monthly fee pretty standard even if you're not leasing equipment
> or T1 lines?
> 3. Is this an inappropriate posting for the list?
>
> Randy Burgess
> celusil at wwa.com
>
> VPN is sponsored by SecurityFocus.COM
>
