general question on setting up a secure WAN

I will be the first to admit I know very little about large scale networking, and I get lost following most of the posts in this forum. So please, if you are going to spend some of your precious time answering this question, please spend a bit more time explaining your acronyms (unless they are obvious - to me of course).

I want to link up two machines that are in different areas of the world. However I don't want either machine to be linked to the public internet. I mean I don't want information to pass through unknown routers/links around the world. Is that possible? Or will I need to invest millions into installing my own private network - wires/routers (as good as impossible)? Or can I get the telecommunications companies of the countries involved to lease some isolated parts of their network (not really a private network)? Does the definition of a WAN imply that the Internet MUST be used?

Assuming this is not viable, how do I go about connecting these two machines through the public routers of the Internet, but without subscription to a third party ISP? Each machine will really be part of its own network (LAN). The bandwidth within the LANs runs on 10/100MB/s ethernet cards. Does that mean to extend the LANs to a WAN, I need a similar 10/100MB/s bandwidth within the WAN? Is it possible I need to set up my own ISP? Is it possible to set up a WAN without an ISP?

Currently both LANs use TCP/IP for communication. If the WAN was set up using TCP/IP too, and connected to the internet which uses the same protocols, wouldn't this open up a fundamental security hole (regardless of whether a firewall is installed)?

If any of my questions are contradictory or simply don't make sense, it is because they reflect my lack of understanding of wide area networking. Please point this out.

If you are using Cisco equipment you can set up VPN tunnels between your sites. As for talking to ISPs about setting up private networks: they may be able to do something for you, but it's going to cost you money!

A Cisco PIX for instance can set up a VPN tunnel between sites. This would automatically route traffic between your two computers. You can also do this with a Checkpoint firewall but my exp. has been with Cisco. Checkpoint is a good product but you will pay vast amounts for support.

With the VPN option your network may look like this

Internal = your internal network
Internet = untrusted INTERNET / Global Network
Firewall = could be a Cisco PIX VPN connection.

Internal     Firewall    Internet    Firewall
Box 1  ----> PIX / VPN================PIX/VPN <---- Box2

As you can see Boxes 1 and 2 are not directly connected to the internet. They are internal address space. This is a simplistic diagram as I would be putting them into a DMZ. A DMZ is a place you put a box that you want to expose to the internet. Example:

The best you can get is to get a tier 1 telecom provider that has worldwide access, and get a point-to-point service. Typically frame-relay, emerging MPLS, and sometimes ATM. Depends on the carrier. All you would need is a router and CSU/DSU at each end for a point-to-point solution. This is more like a dedicated phone line that is switched, rather than routed across multiple routers that you don't control. Since you have full control of both ends, and it is very difficult (not impossible) to tap into, it is generally considered private. Some gov't regulations require even more stringent measures such as encryption across these lines.

If you are connected to the Internet, then yes, you have fundamental security holes. That's what firewalls are for, and yes, the firewall is only as good as the weakest link (policy, configuration, model, etc). But by using firewalls, you can set up a point-to-point VPN between the two sites. This is a 'virtual' encrypted tunnel between two endpoints, and even though the packets get routed around the Internet, the data is encrypted anyway.

There is a concept in TCP/IP regarding "private" IP address space, defined in RFC 1918 (google for that). These addresses are not routable across the Internet, and most companies use these private addresses inside their network, and use Network Address Translation when they need to reach public resources, i.e. web pages like http://www.experts-exchange.com

Typical bandwidth that you get on the WAN at reasonable cost, especially in globally different locations, is by T1 data lines that run at 1.5Mb. A T3 line runs at 45Mb, and if you really need high speed, ATM OC-3 runs at 622Mb. Each one is several orders of magnitude more expensive than the previous. If the sites are close enough, you can theoretically get 10Mb or 100Mb Ethernet connections from some optical providers such as yipes communications. http://www.yipes.com
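As an added illustration of the RFC 1918 point above (this is not code from the thread), a short Python check for two LANs about to be joined over a site-to-site VPN: it confirms both internal subnets are private space and, going one step beyond the answer, that they do not overlap, since two sites that both use the same private range cannot be addressed unambiguously across one tunnel without renumbering or NAT. The subnet values are constructed sample inputs.

```python
import ipaddress

# The three private ranges defined in RFC 1918; not routed on the public Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(net):
    """True if every address in 'net' falls inside one RFC 1918 range."""
    net = ipaddress.ip_network(net, strict=False)
    return any(net.subnet_of(r) for r in RFC1918)


def check_vpn_sites(site_a, site_b):
    """Return a list of problems found when joining two LANs over a VPN tunnel.

    An empty list means: both sides are private space and they do not overlap,
    so each side can route the other side's prefix into the tunnel as-is.
    """
    a = ipaddress.ip_network(site_a, strict=False)
    b = ipaddress.ip_network(site_b, strict=False)
    problems = []
    for name, net in (("site A", a), ("site B", b)):
        if not is_rfc1918(net):
            # Public space behind the firewall would clash with real Internet hosts.
            problems.append(f"{name} {net} is not RFC 1918 private space")
    if a.overlaps(b):
        # Same range on both ends: a packet for 192.168.1.10 could mean either site.
        problems.append(f"{a} and {b} overlap; renumber one site or NAT the tunnel")
    return problems


if __name__ == "__main__":
    # Constructed sample: a clean pair and a colliding pair.
    print(check_vpn_sites("192.168.1.0/24", "10.20.0.0/16"))
    print(check_vpn_sites("192.168.1.0/24", "192.168.1.0/24"))
```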
ghulosh1 (Author) commented:
Thanks for such a prompt reply. Here are my further thoughts/questions.

I take it then that, realistically, we would need a third party ISP involved.  This ISP would need to have a network spanning into both locations, if we were to use the dedicated, switched line option routing through CSU/DSU.  If a single ISP (tier 1)  does not cover both areas, we would have to resort to using routers controlled by other entities (public routers).

Would this mean that we can have no guarantee over the stability of the WAN in general - that is our bandwidth would have to contend with public information passing through those routers that are being shared?

Internet access (such as viewing web pages) is not important. However we still need to have access to the internet's routers etc, in order to set up our WAN. Does this make sense?

It appears that bandwidth across the WAN is substantially more expensive and relatively smaller than that achieved within a LAN. This suggests that it is impractical to join our LANs together and expect the same operational speeds, reliability and security without re-designing the whole structure of the WAN.

A LAN is your Local Area Network, meaning it is the network your PC is connected to at work. A WAN is a Wide Area Network; the Internet is considered a WAN because of the area it covers. Also, if you have 3 buildings connected with T1s, the T1s are considered WAN links, because they are not local links. Dedicated WAN links are significantly more expensive because you own all the bandwidth and it directly connects your offices.

Sounds like you can use a VPN. This is a virtual private network. All data crosses the internet and you use it (the Internet) as the backbone. All data is encrypted, so as long as you use strong encryption your data should be safe. This is the cheapest solution because all you need is an internet connection (DSL, T1, cable) and compatible firewalls on both ends. Most firewalls should be able to VPN with each other because of standards, but it is always nice to work with the same one on each end. The firewalls will protect your internal network as long as the person setting it up knows what they are doing. For more reliability you would get a T1 to the internet instead of DSL or cable, and use a VPN connection.
A dedicated T1 across the pond is going to cost a fortune, but if you need reliable, fast bandwidth this is the best choice. Frame Relay is similar except that you share bandwidth with other customers and are guaranteed a minimum amount of bandwidth, and usually can burst to higher speeds if the lines are not utilized.

OK = DSL to internet vpn to connect offices
Good = Frame Relay to the Internet VPN to connect
Better = T1 to the internet and VPN
Very Good = Frame Relay connection to other office no VPN
Best = T1 Point to Point

And yes, your bandwidth is minimal over the WAN, BUT a solid, correctly configured network infrastructure will help local traffic stay local and keep only the data you want crossing the WAN. This doesn't have to be expensive; again it really all depends on your existing environment and what you want to do when you connect. If it's just file sharing then it's no big deal.

Yes, you need a 3rd party. Not necessarily an ISP, but an international telco carrier for frame-relay. Independent ISPs at each location will work, too, for a VPN solution. You are correct, with VPN "through" the Internet, no guarantees of QoS or delivery across the Internet. Frame-relay point-to-point PVCs will provide guaranteed throughput/delay. MPLS VPN will also provide guaranteed delivery, delay.
