[VPN] VPN layout question

Daniel Linder dan at linder.org
Wed Oct 27 09:52:49 EDT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


<quote who="Chris Dahms">
> I work for a small doctors' office that has three locations across Long
> Island and we are looking to overhaul our network connection in
> conjunction with upgrading our practice management software. Currently
> we have a 'vpn' of sorts setup by point to point frame relay from two of
> the offices to the main office. The hardware is 8+ years old and failing,
> so we need to replace everything.

...snip...

> The network consultants we contract with are recommending point to point
> T1's from each smaller office to the main office with the network
> server, and then having each office have a separate T1 for an internet
> connection, in addition to the DSL failover. When I asked about the
> design I had in mind, they replied it was insecure/unreliable but failed
> to explain why.

It sounds like you're technical enough that the consultants should have
tried to explain their concerns to you.  It might be more of a question of
*their* experience level with the solution you are requesting.  And, I
wouldn't put it past some consulting firms that have a vested interest in
a higher priced P2P T1 solution if they are a potential reseller of those
same T1 lines.

> My question is: is the network topology I have in mind feasible/reliable,
> or do we need point to point internet connections between the offices to
> establish the VPN?

Where your company is in the field of medicine, the consultants' concerns
might have been about the possible risk of having a mis-configured VPN
device allowing unencrypted customer medical data to traverse the
Internet.  (With the HIPAA regulations they could be worried about any
legal recourse should something happen and the finger pointing get back
to them...but I digress)

Technically, an encrypted VPN connection itself is more secure than a
private P2P or FrameRelay network by definition.

Unfortunately, in the average non-technical person's mind, a private network
is viewed as more secure since the data will presumably stay on a single
carrier (probably never leave the state) and that one carrier's employees
are probably trustworthy with your data.  To that same non-technical
person, the VPN over the Internet could be handled by multiple providers
and possibly have your data routed through multiple middle-man carriers,
any one of which holds the (encrypted) data throughout its path.

Basically, VPN vs. private network boils down to a risk analysis.  Either...
A: If you have solid practices for security and network growth, then a VPN
is a perfectly safe and secure solution for you.  It will be cost
effective if you add more sites, but the network technicians need to be
diligent in their network changes -- a mis-typed ACL could send out
un-encrypted traffic.
B: If you don't trust yourself or the people taking care of your network
to be diligent in the configuration and maintenance of your network, then
the private network would be a logical choice.  It will probably cost more
to add more sites, but there is a physical disconnect between the device
handling the sensitive data and the device handling the Internet traffic.

Dan

- - - - -
"I do not fear computers,
I fear the lack of them."
 -- Isaac Asimov

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFBf6gxNiBNyqUzGb8RAg4bAJ97C3Hyj0mfR2ipIex6I12Zl4gG3ACdELlS
fCsxC1q8hpc0WT7fWPzQBCc=
=/wFD
-----END PGP SIGNATURE-----
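Added example, not part of Dan's message or the list archive: the "mis-typed ACL could send out un-encrypted traffic" failure mode in option A, shown as a small first-match ruleset audit. The rule model (dicts with action, dst and out), the interface names ipsec0/eth0 and the 10.x.0.0/16 per-office subnets are all constructed for this example and are not any vendor's syntax or anything from the thread. It walks each remote office's traffic through the ruleset and reports whether it would leave encrypted, in plaintext, or not at all, and shows that one wrong digit in a tunnel rule turns into a plaintext leak unless a guard rule in front of the Internet catch-all makes the mistake fail closed.

```python
"""Audit a site-to-site ruleset for inter-office traffic that would leave on the
Internet-facing interface instead of the VPN tunnel.

Hypothetical rule model (constructed for this example, not any vendor's syntax):
each rule is a dict with action ('accept' or 'drop'), dst (a CIDR string) and
out (the egress interface). First matching rule wins, as in most ACL engines.
"""
from ipaddress import ip_network, IPv4Network
from typing import Dict, List

# Constructed addressing for a three-office layout; not from the original thread.
SITES: Dict[str, IPv4Network] = {
    "main": ip_network("10.1.0.0/16"),
    "branch-a": ip_network("10.2.0.0/16"),
    "branch-b": ip_network("10.3.0.0/16"),
}
TUNNEL_IFACE = "ipsec0"   # packets leaving here are encrypted by the tunnel
INTERNET_IFACE = "eth0"   # packets leaving here are plaintext on the carrier's wire


def audit(rules: List[dict], local: str) -> Dict[str, str]:
    """For every remote site, walk the ruleset first-match with a probe host from
    that site's subnet and report 'encrypted' (egress via the tunnel),
    'plaintext' (accepted out of any other interface) or 'blocked'."""
    verdicts: Dict[str, str] = {}
    for site, net in SITES.items():
        if site == local:
            continue
        probe = net[1]  # any host in the remote subnet; rules are per-packet
        verdicts[site] = "blocked"  # no matching accept rule: traffic is dropped
        for rule in rules:
            if probe not in ip_network(rule["dst"]):
                continue
            if rule["action"] != "accept":
                verdicts[site] = "blocked"
            elif rule["out"] == TUNNEL_IFACE:
                verdicts[site] = "encrypted"
            else:
                verdicts[site] = "plaintext"
            break
    return verdicts


def leaking_sites(rules: List[dict], local: str) -> List[str]:
    """Names of remote sites whose traffic would leave unencrypted."""
    return sorted(s for s, v in audit(rules, local).items() if v == "plaintext")


# Correct ruleset at the main office: tunnel rules first, Internet catch-all last.
GOOD_RULES = [
    {"action": "accept", "dst": "10.2.0.0/16", "out": TUNNEL_IFACE},
    {"action": "accept", "dst": "10.3.0.0/16", "out": TUNNEL_IFACE},
    {"action": "accept", "dst": "0.0.0.0/0", "out": INTERNET_IFACE},
]

# The mistake Dan describes: one digit wrong in a tunnel rule. branch-b traffic
# no longer matches it and falls through to the Internet catch-all in the clear.
MISTYPED_RULES = [
    {"action": "accept", "dst": "10.2.0.0/16", "out": TUNNEL_IFACE},
    {"action": "accept", "dst": "10.30.0.0/16", "out": TUNNEL_IFACE},  # typo for 10.3.0.0/16
    {"action": "accept", "dst": "0.0.0.0/0", "out": INTERNET_IFACE},
]

# Same typo, but with a guard rule that drops all private address space before
# it can reach the Internet interface: the typo becomes an outage, not a leak.
FAIL_CLOSED_RULES = [
    {"action": "accept", "dst": "10.2.0.0/16", "out": TUNNEL_IFACE},
    {"action": "accept", "dst": "10.30.0.0/16", "out": TUNNEL_IFACE},  # same typo
    {"action": "drop", "dst": "10.0.0.0/8", "out": INTERNET_IFACE},
    {"action": "accept", "dst": "0.0.0.0/0", "out": INTERNET_IFACE},
]

if __name__ == "__main__":
    for name, rules in [("good", GOOD_RULES), ("mistyped", MISTYPED_RULES),
                        ("fail-closed", FAIL_CLOSED_RULES)]:
        print(f"{name:12s} {audit(rules, 'main')}")
```

The point of the third ruleset is that the "physical disconnect" of option B can be approximated on a VPN device with a drop rule for private address space ahead of the Internet catch-all: a typo in a tunnel rule then shows up as an outage someone will notice, rather than as medical data leaving in the clear that nobody notices.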