Alternatives to VPN?

I was just tasked with this project - provide alternatives to VPN.  I asked what this meant and it could be either different platforms than what we use now or totally different technologies.

We have about 1500 employees, 500 of which are field based/remote.  Of the rest, about 500 connect at night, weekends, holidays, etc.  Max online usage has been around 250 at a time, with peaks during the day around 50.  We're using IPsec with 3DES to connect now.  We're running Nortel Contivity units: a 2600 at the main site, a 1600 at another site, and a 1010 at a branch office.  Version is 4.86_160 and 4.65 client.

What's driving this wacky request is the business units suffering intermittent drops in their tunnel.  It's primarily the broadband users, and I suspect it's various issues with IPsec/ISAKMP keepalives not getting through or MTU issues for DSL users.

I would appreciate hearing how you're set up and what issues you have with your VPN and what you would recommend for me.  I also am open to other technologies such as RAS and SSL VPN.

I will split points between pertinent contributors.
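The MTU suspicion in the question can be checked on paper before touching the Contivity. The following is an added example, not code from the original post or from Nortel; it computes the ESP tunnel-mode overhead from the RFC 2406/2403/2404 framing sizes and assumes a PPPoE DSL link MTU of 1492, HMAC-SHA1-96 or HMAC-MD5-96 integrity, and optional NAT-T UDP encapsulation. It reports the largest inner packet that crosses the DSL link unfragmented and the TCP MSS clamp that keeps it that way, for 3DES as well as the AES mentioned later in the thread.

```python
"""Estimate IPsec ESP tunnel-mode overhead on a DSL/PPPoE link.

Constructed example: the sizes are the standard ESP framing constants from
RFC 2406 (ESP), RFC 2403/2404 (96-bit truncated HMAC ICV) and RFC 3948
(NAT-T UDP encapsulation), not measurements from any Contivity build.
"""

PPPOE_MTU = 1492          # assumed: 1500-byte Ethernet MTU minus 8 bytes PPPoE/PPP
IP_HDR = 20               # outer (and inner) IPv4 header without options
TCP_HDR = 20              # TCP header without options
UDP_HDR = 8               # NAT-T (UDP/4500) encapsulation header, if used
ESP_HDR = 8               # SPI (4) + sequence number (4)
ESP_TRAILER_FIXED = 2     # pad length (1) + next header (1)

# cipher name -> (IV length, cipher block size), both in bytes
CIPHERS = {
    "3des-cbc": (8, 8),
    "aes-cbc": (16, 16),
}
# integrity algorithm -> ICV length in bytes (96-bit truncation)
AUTH = {"hmac-sha1-96": 12, "hmac-md5-96": 12}


def esp_overhead(inner_len, cipher="3des-cbc", auth="hmac-sha1-96", nat_t=False):
    """Bytes added when an inner IP packet of inner_len is ESP-tunnelled.

    Padding depends on the inner length, so the overhead is not a constant.
    """
    iv, block = CIPHERS[cipher]
    icv = AUTH[auth]
    # Tunnel mode encrypts the whole inner packet plus the 2-byte trailer,
    # padded up to the cipher block size.
    to_encrypt = inner_len + ESP_TRAILER_FIXED
    pad = (-to_encrypt) % block
    outer = IP_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv + to_encrypt + pad + icv
    return outer - inner_len


def max_inner_packet(link_mtu=PPPOE_MTU, **sa):
    """Largest inner IP packet that fits in link_mtu without fragmentation."""
    for inner in range(link_mtu, 0, -1):
        if inner + esp_overhead(inner, **sa) <= link_mtu:
            return inner
    return 0


def tcp_mss_clamp(link_mtu=PPPOE_MTU, **sa):
    """TCP MSS to advertise/clamp so that full-size segments never fragment."""
    return max_inner_packet(link_mtu, **sa) - IP_HDR - TCP_HDR


def fits(inner_len, link_mtu=PPPOE_MTU, **sa):
    """True if an inner packet of inner_len survives the link unfragmented."""
    return inner_len + esp_overhead(inner_len, **sa) <= link_mtu


def report(link_mtu=PPPOE_MTU):
    """Table of inner MTU / MSS clamp per cipher and encapsulation."""
    rows = []
    for cipher in CIPHERS:
        for nat_t in (False, True):
            rows.append((cipher, nat_t,
                         max_inner_packet(link_mtu, cipher=cipher, nat_t=nat_t),
                         tcp_mss_clamp(link_mtu, cipher=cipher, nat_t=nat_t)))
    return rows


if __name__ == "__main__":
    print(f"link MTU {PPPOE_MTU}")
    for cipher, nat_t, inner, mss in report():
        print(f"{cipher:9s} nat-t={str(nat_t):5s} max inner {inner:4d}  mss clamp {mss:4d}")
    # A LAN host that sends 1500-byte packets without doing path-MTU discovery
    # will have every full-size packet fragmented or dropped after encapsulation:
    print("1500-byte inner packet fits:", fits(1500))
```

The numbers show why a 1500-byte inner packet from a file-server transfer dies on a 1492-byte DSL link while small Outlook polls get through: with 3DES a 1500-byte packet needs 1552 bytes on the wire. Clamping the MSS on the gateway (or lowering the client adapter MTU) to the value reported here is the usual fix, and the check is cheap to confirm with a DF-bit ping sweep from a DSL user.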

Speak to your ISP :-)

We're in a similar boat, looking at moving from an IPsec VPN to MPLS.  One of the offerings was a dial-in solution to our MPLS network.

For the DSL, that's fairly straightforward.  When the DSL connection starts up, it provides a username and password (as well as CLI). The ISP can use this information to configure their DSL equipment to add this link into the MPLS network.   Basically, all traffic to/from the DSL line will be automatically routed in the MPLS network.
The DSL line would not have an Internet IP address or direct Internet access.  It would essentially be a fixed link part of your network.

Dial-in would work the same way.  When you dial-in, the RAS equipment will use your authentication credentials to configure how that session should work.  It would then route that session within the MPLS network rather than the ISPs "Internet access" network.

Does that make sense?  I don't have a detailed knowledge of how it actually works, just what it does.

Are your users using company-supplied kit (laptops, PCs etc?).
You will be able to configure them (assuming Windows here!) to dial a connection before login.  If you're using DSL with a router, you don't even need this stage.  The PC/laptop would behave in the same way as it would in the office.
If you're using a dial account (or DSL with modem), then the user should tick "Log on using dial connection" when they log in.

... what happens then is that the PC establishes the dial-in connection, then does the log in to the domain in the same way as it would on the LAN.

Assuming all things being equal, and the routing tables on your DCs are right :-)
Well, I have a lot of time for SSL VPNs but have got no further than testing out some offerings from Aventail at present. They seem to offer a genuine alternative to Citrix or straight TS for us. Citrix is an excellent way to provide the desktop to remote hosts, even low-bandwidth ones. Bandwidth is the big advantage over VPN technologies, especially IPsec-based ones where the network just extends to the host's location in some form. BUT, whilst Citrix is just great, it is also just soooo expensive, even so far as to make its extensive use prohibitive in the organisation I currently find myself in, and they are certainly in the top 5 biggest in the world and the profit margin is huge. So, hence us looking at the SSL VPN middle ground, and it really does seem like a good halfway measure. This is especially true as externalisation or deperimeterisation become the norm, as simple border security is stretched to the limit with organisational boundaries blurring more and more. IMO it is well worth taking a good look at SSL VPNs.

Hi pseudocyber,

You might want to consider MPLS.

This is essentially a private network, provided within an ISPs infrastructure.
The network setup can include different access methods, such as DSL or dial-in.

This basically means that you don't have to use a VPN at all, and users connect directly into your network as if they were dialling into a bank of modems at your site.

Speak to your ISP - they might be able to offer this service.

Does this help?

I forgot to ask the basic question - what type of traffic do your users have to/from the network?

pseudocyber (Author) commented:
We're looking at MPLS for our WAN (migrating from ATM with a Frame backup).  How does MPLS offer a VPN connection to remote based employees - either dialup or broadband connected?

Traffic is mostly checking email with outlook & exchange with some Windows based file access to file servers.  Some users are more technical and will be using lower traffic based apps such as SSH to servers, telnet, etc.

PS - very nice to have, almost requirement - need to login to Windows network (currently NT login but AD implementation to be completed shortly) and run login scripts and most importantly GET PASSWORD EXPIRATION NOTIFICATION.
Sorry, I didn't see "GET PASSWORD EXPIRATION NOTIFICATION" - probably caps blindness :-)

As above, when the machine logs into the domain it will behave as it would do on the LAN.  Any group policies that you have defined will apply to the PC.  You need to test these things as you could accidentally stop them dialling in :)

However, if you mean that the password that they use to dial in with needs to expire, that gets much more complicated.
In the MPLS solution, this depends on how the ISP provides the service.  They might be able to offer authentication based on a RADIUS server on your site.  This could be integrated with your domain.  That might be a bit optimistic though.
pseudocyber (Author) commented:
We're using two Internet feeds from two large nationwide providers in our city.  We're peering BGP with them.  One of the connections is Ethernet and the other is a partial DS3.  There are no plans to move our Internet connection to MPLS - just our WAN connection.  

I don't have a lot of knowledge about MPLS - so remote users could access the MPLS network somewhere out in the cloud, get authenticated, and join the network?

The remote users are using all kinds of different DSL and Cable Internet providers.  The dial up users use an international company which resells local dial up ISP access (iPass).  We could go with a RAS and modem bank, but we prefer not to, at this point unless it would represent a significant cost savings (reduce dial in costs below $20K/mo).

The password expiration notification needs to come from the domain - this is the domain password, and when it expires and the user connects there's a conflict between the cached password and the domain password, and the users wind up getting locked out of their laptops.

Yes, all laptops are distributed from Corporate office and need to adhere to corporate image from desktop support team.
Right - you don't need to move your Internet connection to MPLS in order to use it for your remote users.
Your remote users will essentially be part of your WAN.  They won't have direct Internet connectivity themselves under this route.  
This is actually a good thing as it means they can't become infected with viruses/spyware from the Internet and then bring it on to your network.

The MPLS plan would work if your home users were being provided their network connections by the MPLS-capable ISP.  It sounds like they're not as they've got a load of different operators.  I've never encountered an inter-ISP MPLS network.

I didn't realise that you had a lot of International users.  That complicates matters further, and perhaps MPLS isn't the solution for you.

The domain login and password expiration stuff stands - as long as the machine is part of the network before the user logs on.
pseudocyber (Author) commented:
We don't have international users - we have a dial-up provider who is international - so wherever one goes, one should expect to find a local dial-in number instead of long distance/toll free.
Nortel's Alteon switch (I think they are changing the name to Contivity 3050 or something) does SSL VPN but is quite expensive. I also don't know that it will address the password issue.

We too are on CES units all over the network. You are behind a bit on the software. I downloaded 4.90.264 some time ago. That might help the loss of connections, but we too see troublesome clients intermittently. We usually reimage the laptop and the whining subsides.

Also, your rev does AES. That would lessen the load on the client slightly. Might be worth trying on a slow Friday like tomorrow... And it sounds good in an exec summary.

I am quite interested in SSL and there are things happening in the Open Source arena but for the time being, you pay a massive premium to buy it boxed and backed.

Ah - that makes sense then.
I'm not greatly familiar with the telecoms setup in the US, so I'm not going to get into a detailed discussion about it :)

I still suggest that you speak to whoever is doing your MPLS migration and see if they can suggest a solution for you.
pseudocyber (Author) commented:
What about SSL based VPN - anyone using it?

What about Cisco & IPsec encapsulated in TCP?
pseudocyber (Author) commented:
Thanks for your comments.
Glad I could help :-)