FEATURE: Advanced networking for small business, part 2: Software versus hardware VPNs
by Steve Cassidy, Sep 5, 2007
Setting up a Virtual Private Network (VPN)
Why do so many network administrators trip over the humble VPN? Steve Cassidy goes in-depth.
The devil inside hardware VPNs
I can’t think of a single area of computing that’s as nasty as the VPN for wrong-footing well-intended technical managers. This lamentable state of affairs was highlighted recently by someone who asked the charmingly simple question: “Where do I look for materials to help me set up my first VPN?” The standard answer that many technical authority figures like to wield, to avoid being bothered by troublesome newbies, is “off with you, read the relevant design documents and all will be revealed”, thus condemning the unsuspecting implementer to burial beneath a documentation tonnage equivalent to around half-a-dozen PhD theses.
Most design documents that relate to establishing a robust VPN don’t concern themselves with finding a good supplier, getting the right Internet connection or diligently training your users. In fact, they’re all about the strengths and weaknesses of various encryption algorithms, and in-depth critiques of VPN technologies that lie just around the corner, which never deliver any verdict on what we have available today.
I can now spot these simple souls, honest tradesmen with a basic job to do, who’ve been forced to negotiate this nightmarish combat zone. I was once stopped by a senior man at one of my client’s offices and asked whether the VPN I’d just put in for him “used IPSec”, as if this were some brand of petrol he’d prefer to have in his car.
The multi-talented ‘firewall’
Let’s get this canard out of the way as quickly as possible – yes, the boxes that operate VPN tunnels between sites are also called “firewalls”, but there’s nothing about the other jobs a firewall can do that makes it inherently suitable as a builder of VPNs. It’s just that one particular gateway in every LAN tends to collect all traffic-related tasks, and firewalls tend not to be fully occupied by keeping people out, so they’ve naturally ended up as the place to do such work (with certain exceptions). No, it’s not obligatory that your web-traffic firewall must also be your VPN endpoint. No, a “personal firewall” software application doesn’t qualify, even though various software vendors have been striving to get into this business.
Hardware VPN components
So let’s look at your archetypal twin-site, twin-device VPN. What does it need to contain? Each endpoint – I’m going to use that term instead of “firewall” to focus on the VPN architectural aspect – has a collection of IP addresses, some that define its position inside your LAN and some that define its accessibility from the rest of the planet. Ideally, each location participating in a VPN would have a globally visible, static IP address, but this isn’t an ideal world and it’s quite likely that a standard consumer Internet access contract won’t give you one. At least one endpoint must have a static, publicly routable address, because that is the address the other side dials; the far end can get away with a dynamic address only if it is always the one that initiates the tunnel. Don’t try struggling with dynamic or unrouteable IP addresses (private RFC 1918 addresses sitting behind your ISP’s own NAT) at both endpoints of your VPN – that’s a recipe for disaster. Almost all the VPN projects I’ve set up (or rescued) required a change of ISP to get the services required to support the biggest endpoint job.
VPN configuration
Each endpoint also has a management interface, and the most common way to deliver this is via a little website that appears on the internal Ethernet port of the box in question. There are some boxes that are simpler and you set them up via Telnet; there are others that are more complex and build the configuration in a program running on your PC, then bulk-upload it to the endpoint box. Since these endpoints also act as firewalls, there are usually heavy limitations on these management interfaces: by default they listen only on the internal port and only answer addresses within their own subnet. I won’t identify the client who bought some firewalls to make a VPN and sent them off to each branch still in their boxes, confident they could log in to configure them from their external interfaces across the net. Needless to say, if a firewall were to allow such access when it starts up, virginal and factory fresh and still on its default administrator password, it would be compromised by malware in a matter of minutes.
Inside the management interface then, reached from a simple, clean PC located within your network, is where you set up the attributes of your new VPN. Astute readers will have spotted that if you set up the two endpoints fresh from their boxes, each one will start out with the same internal IP address, which means you inevitably have to change the IP address of each device while being logged into it at its old address. All endpoint devices and firewalls can cope with this perfectly well – you just have to be ready to change the IP address of the PC from which you’re accessing them to match, to remain within the subnet that the devices are prepared to converse with.
Once you have the same VPN parameters in both endpoints and you’ve configured the LAN and WAN sides of each device to match the LAN and WAN IP ranges in each site – and the two LAN ranges must differ, because two sites on the same subnet can bring a tunnel up and still route nothing across it – you’re ready to ship one of the endpoint devices to the remote office that comprises the far end, and try your first baby steps to a two-location hardware VPN.
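The pre-shipping checks implied by the three paragraphs above, as an added example rather than anything from the article or a particular vendor: a small vendor-neutral Python checker over a constructed model of the two endpoints (LAN range, WAN address, peer address, pre-shared key, proposal and the subnet allowed to reach the management interface are all assumed field names, not a real product’s configuration format). It catches the two boxes still sharing the factory-default LAN, management left open to the whole Internet, mismatched keys or peer addresses, and the case where neither side has a static, dialable WAN address, and shows the renumbering step along with the address the admin PC has to move to.

```python
"""Consistency checks for a two-site, two-endpoint hardware VPN, run before
one box is shipped to the far office.

Added example, not the article's or any vendor's code.  The endpoint dicts
are a constructed, vendor-neutral model of the settings that must line up
on both boxes; the field names are assumptions for this illustration.
"""
import ipaddress

# Ranges a consumer line may hand you that the far end cannot dial:
# RFC 1918 private space plus the carrier-grade NAT range.
UNDIALABLE = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# Constructed sample: two boxes fresh from their packaging, both still on the
# factory-default LAN.  WAN addresses use the IANA documentation ranges.
HEAD_OFFICE = {
    "name": "head-office",
    "lan_subnet": "192.168.1.0/24", "lan_address": "192.168.1.1",
    "wan_address": "203.0.113.10", "wan_static": True,
    "peer_wan_address": "198.51.100.20", "remote_subnet": "192.168.1.0/24",
    "psk": "constructed-example-psk", "proposal": "aes128-sha1-modp1024",
    "mgmt_allowed_from": "192.168.1.0/24",
}
BRANCH = {
    "name": "branch",
    "lan_subnet": "192.168.1.0/24", "lan_address": "192.168.1.1",
    "wan_address": "198.51.100.20", "wan_static": False,  # dynamic consumer line
    "peer_wan_address": "203.0.113.10", "remote_subnet": "192.168.1.0/24",
    "psk": "constructed-example-psk", "proposal": "aes128-sha1-modp1024",
    "mgmt_allowed_from": "0.0.0.0/0",  # "we'll configure it from across the net"
}


def is_dialable(addr_text):
    """True if a WAN address is one the other site could actually connect to."""
    addr = ipaddress.ip_address(addr_text)
    return not any(addr in net for net in UNDIALABLE)


def check_endpoint(ep):
    """Problems visible on one box by itself."""
    problems = []
    lan = ipaddress.ip_network(ep["lan_subnet"])
    if ipaddress.ip_address(ep["lan_address"]) not in lan:
        problems.append(f'{ep["name"]}: LAN address {ep["lan_address"]} is outside {lan}')
    mgmt = ipaddress.ip_network(ep["mgmt_allowed_from"])
    if not mgmt.subnet_of(lan):
        problems.append(f'{ep["name"]}: management reachable from {mgmt}, '
                        f'which is not inside the LAN {lan}')
    return problems


def check_pair(a, b):
    """Problems that only show up when the two ends are compared. [] means go."""
    problems = check_endpoint(a) + check_endpoint(b)
    lan_a = ipaddress.ip_network(a["lan_subnet"])
    lan_b = ipaddress.ip_network(b["lan_subnet"])
    if lan_a.overlaps(lan_b):
        problems.append(f"LAN subnets overlap ({lan_a} and {lan_b}): "
                        "the tunnel can come up and route nothing")
    for here, there in ((a, b), (b, a)):
        if ipaddress.ip_network(here["remote_subnet"]) != ipaddress.ip_network(there["lan_subnet"]):
            problems.append(f'{here["name"]}: remote subnet {here["remote_subnet"]} '
                            f'does not match {there["name"]} LAN {there["lan_subnet"]}')
        if here["peer_wan_address"] != there["wan_address"]:
            problems.append(f'{here["name"]}: peer address {here["peer_wan_address"]} '
                            f'is not {there["name"]} WAN {there["wan_address"]}')
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    if a["proposal"] != b["proposal"]:
        problems.append(f'proposals differ: {a["proposal"]} vs {b["proposal"]}')
    if not any(ep["wan_static"] and is_dialable(ep["wan_address"]) for ep in (a, b)):
        problems.append("neither side has a static, publicly routable WAN address "
                        "for the other to dial")
    return problems


def renumber_lan(ep, new_subnet):
    """Move a box to a fresh LAN range.  Returns (new_config, admin_pc_address):
    the PC you are logged in from must move onto the new subnet too, or it
    loses the box the moment the change is saved."""
    net = ipaddress.ip_network(new_subnet)
    hosts = net.hosts()
    box_addr, admin_addr = next(hosts), next(hosts)
    new = dict(ep, lan_subnet=str(net), lan_address=str(box_addr),
               mgmt_allowed_from=str(net))
    return new, str(admin_addr)


if __name__ == "__main__":
    for p in check_pair(HEAD_OFFICE, BRANCH):
        print("BEFORE:", p)
    branch, admin_pc = renumber_lan(BRANCH, "192.168.2.0/24")
    head = dict(HEAD_OFFICE, remote_subnet=branch["lan_subnet"])
    print("move the admin PC to", admin_pc, "then re-check:", check_pair(head, branch))
```

Run as-is it reports the overlapping LANs and the wide-open management interface on the branch box, then shows the pair passing once the branch is renumbered and the head office’s remote-subnet entry is updated to match.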
Software VPNs
On to my summary of software VPN network designs. This isn’t going to be simply a roll call of product designs, inventors, RFCs or IEEE standards subcommittee designations. We’re an awful long way from the cosy meeting rooms of those standards committees, stuck in a world in which the majority of home PCs already have a virus or trojan infection; where wireless networks that are alleged to be secured take five minutes to crack so long as traffic keeps moving through them; and where identity theft is rapidly becoming the most frequently encountered criminal intrusion into our lives. The global slowdown in passing through airports, plus what appears to be a steep increase in hotel-based working, has put pressure back on to implement software VPNs mounted on the user’s laptop, so let’s have a look at your options.
1. Software VPN client to hardware product
This is the method of choice for larger networks afflicted with roaming users. A dedicated gateway device receives connections across the Internet from machines set up with the matching software client, generally by the central networking support group of the big corporation in question. The methods of hand-shaking and authentication can be elaborate, verging on the paranoid. RADIUS is the buzzword here: the gateway doesn’t hold the user list itself but asks a central authentication server (usually fronting a directory such as Active Directory) whether the credentials presented are valid and what access the user should get, and what the user sees happening at their end is nothing to the blitzkrieg of lookups, key exchanges, proxy configurations, licence checks, and access rights assignments that then ensue at the far end.
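The exchange behind that blitzkrieg at the gateway end, as an added example that is not from the article or any vendor: a minimal RFC 2865 Access-Request/Access-Accept round trip in Python between a VPN gateway (the RADIUS client) and the authentication server, with a constructed user table and shared secret. It shows what the shared secret actually does: it keys the MD5 chain that hides the User-Password attribute on the wire, and the Response Authenticator that lets the gateway tell a genuine reply from a forged one.

```python
"""RADIUS Access-Request / Access-Accept round trip (RFC 2865, PAP style).

Added example, not code from the article or any product.  Both sides of the
exchange are implemented here so it runs offline; the user table, shared
secret and attribute set are constructed for the illustration.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2          # attribute type codes from RFC 2865

USERS = {"alice": "correct horse battery"}   # constructed user table
SECRET = b"constructed-shared-secret"        # constructed client/server secret


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block
    with MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the server runs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad packet length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5 over the reply header, the *request's*
    authenticator, the reply attributes and the secret."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


# --- gateway (RADIUS client) side ------------------------------------------
def gateway_request(username, password, secret, ident=0x2A):
    request_auth = os.urandom(16)   # fresh per request; also seeds the password hiding
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, request_auth))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def reply_is_authentic(reply, request_auth, secret):
    code, ident, resp_auth, attrs = parse_packet(reply)
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    return hmac.compare_digest(expected, resp_auth)


# --- authentication server side --------------------------------------------
def server_handle(pkt, secret, users=USERS):
    code, ident, request_auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    a = dict(attrs)
    user = a.get(USER_NAME, b"").decode(errors="replace")
    presented = reveal_password(a.get(USER_PASSWORD, b""), secret, request_auth)
    ok = user in users and hmac.compare_digest(users[user].encode(), presented)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = []   # a real server would add Framed-IP-Address, Class, etc.
    auth = response_authenticator(reply_code, ident, request_auth, reply_attrs, secret)
    return build_packet(reply_code, ident, auth, reply_attrs)


def authenticate(username, password, gateway_secret=SECRET, server_secret=SECRET):
    """Full round trip.  Returns True only for an Access-Accept whose
    Response Authenticator verifies under the gateway's copy of the secret."""
    request, request_auth = gateway_request(username, password, gateway_secret)
    reply = server_handle(request, server_secret)
    if not reply_is_authentic(reply, request_auth, gateway_secret):
        return False
    return parse_packet(reply)[0] == ACCESS_ACCEPT
```

Worth noticing when reading it: the password hiding is MD5 keyed with the shared secret, not encryption in any modern sense, and the request itself carries no integrity check in this base form, which is why the gateway-to-server leg belongs on a trusted management network rather than the open Internet.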
2. Software VPN client to software product
With most of these systems, the laptop user runs a small local utility that sets itself up as a virtual network adapter with a private IP address and then makes a connection through the Internet (however that may be presented – wired, wireless or cellular) back to the office LAN. The actual difference is that the end point for that connection isn’t the firewall or router that forms the remote LAN’s border device: it’s actually a full remote server that runs the company’s normal server operating system, but with an extra service installed dedicated to the business of receiving calls from VPN clients. With the dedicated hardware option, it’s generally the case that one very smart gateway device handles all the work, but in this case the gateway simply hands traffic on to the server, which then authenticates the remote user, gives the client an address from the LAN range and answers on the LAN for that address (proxy ARP), so that the rest of the LAN users think they’re talking to a local machine.
I hate this option, not because there’s anything wrong with the design in theory, but because of what actually happens in practice. This design is frequently chosen by middle-sized businesses, because their tech team doesn’t fancy scaling the learning curve of a dedicated hardware device, or because they’re religious about following the Microsoft One True Way. Most commonly, these guys look rather askance at the admittedly difficult-to-master Internet and firewall standards, and hence make use of as few features in their Internet gateway as they can get away with.
3. Software VPN client and single Small Business Server
Here, the notion that a server makes a good recipient for VPN traffic is pushed about as far as it’s possible to push it. In a small business (which I’d define as fewer than ten machines, although some truly boggling design documents on Microsoft’s site punt numbers like 100), so the story runs, it’s best to have every single job the company needs running inside one box. So you have – take a deep breath now – DHCP, DNS, AD, SQL, Exchange, ISA (proxy), VPN and AV (anti-virus), file and print, and quite possibly a stunning OpenGL 3D screensaver, all hammering away at once, with all the LAN’s users dependent on every single one of those services (except perhaps the screensaver).
In one way, I absolutely love this design philosophy, because without it I wouldn’t have nearly so many clients, poor wretches who’ve fallen foul of one or another of these dodgy assumptions. But at another, less cynical level, I think it’s completely awful.
None of this has yet got around to talking about actual VPN products. You can always say with some degree of truth that all VPN client software does the same job: it tunnels through the net to shake hands with the exposed address of the gateway. But there’s a good deal of usability testing that you’ll need to undertake before you plump for any specific product. Systems that work well at home don’t always work so well for genuine roaming users.
As I’ve mentioned in the past about hardware-mediated VPNs, so far nobody has come up with a VPN client that knows how to preserve the integrity of a file you’ve opened for editing remotely when the tunnel drops mid-save, without the protection afforded by Terminal Services or Citrix Metaframe keeping the file on the server end. Beware the creeping budget-buster – that sudden, horrid realisation that your “remote working project” needs a whole new technology platform to actually operate safely, over and above a VPN pipeline and some laptops – which has scuppered many a hopeful project manager.
Copyright © 2009 Dennis Publishing
This article appeared in the September 2007 issue of PC Authority.