Solved

Alternatives to VPN?

Posted on 2004-08-26
14
3,819 Views
Last Modified: 2008-01-09
I was just tasked with this project - provide alternatives to VPN.  I asked what this meant and it could be either different platforms than what we use now or totally different technologies.

We have about 1500 employees, 500 of which are field based/remote.  Of the rest, about 500 connect at night, weekends, holidays, etc.  Max online usage has been around 250 at a time with peaks during the day around 50.  We're using IPSEC with 3DES to connect now.  We're running Nortel Contivitys - 2600 at the main site, 1600 at another site, and 1010 at a Branch Office.  Version is 4.86_160 and 4.65 client.

What's driving this wacky request is the business units suffering intermittent drops in their tunnel.  It's primarily the broadband users and I suspect it's various issues with IPSEC/ISAKMP keepalives not getting through or MTU issues for DSL users.

I would appreciate hearing how you're set up and what issues you have with your VPN and what you would recommend for me.  I also am open to other technologies such as RAS and SSL VPN.

I will split points between pertinent contributors.

Thanks
0
Comment
Question by:pseudocyber
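The question above suspects MTU problems for DSL users. The following is an added example, not code from the thread or from Nortel: it computes the ESP tunnel-mode overhead for the 3DES (and AES) transforms mentioned in the discussion and derives the largest inner packet and TCP MSS that still fit a PPPoE DSL link, which is a common cause of exactly the intermittent stalls described. The 1492-byte PPPoE link MTU and the optional UDP encapsulation (NAT traversal on UDP/4500) are assumptions; the header and padding sizes are the RFC 2406/4303 ESP values.

```python
"""Estimate IPsec ESP tunnel-mode overhead and a safe inner MTU / TCP MSS clamp
for remote users on PPPoE DSL links.  Added example; link MTU values are assumed."""

IPV4_HEADER = 20
UDP_HEADER = 8           # only present with UDP (NAT-T) encapsulation
TCP_HEADER = 20
ESP_SPI_SEQ = 8          # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2          # pad length (1 byte) + next header (1 byte)

# cipher -> (IV length, cipher block size) in bytes
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}
# integrity transform -> truncated ICV length in bytes
ICV = {"hmac-sha1-96": 12, "hmac-md5-96": 12}


def esp_packet_size(inner_len, cipher="3des-cbc", integ="hmac-sha1-96", nat_t=False):
    """Outer IPv4 length for an inner IP packet of inner_len bytes in ESP tunnel mode.

    The inner packet plus the 2-byte ESP trailer is padded up to the cipher
    block boundary before encryption; SPI/seq, IV and ICV are added in clear.
    """
    iv, block = CIPHERS[cipher]
    unpadded = inner_len + ESP_TRAILER
    pad = (-unpadded) % block              # bytes needed to reach a block boundary
    size = IPV4_HEADER + ESP_SPI_SEQ + iv + unpadded + pad + ICV[integ]
    if nat_t:
        size += UDP_HEADER                  # UDP/4500 encapsulation header
    return size


def max_inner_mtu(link_mtu=1492, **kw):
    """Largest inner packet that fits in link_mtu after encapsulation.

    Walks down from link_mtu because padding makes the mapping non-linear;
    a direct subtraction of the fixed overhead would overestimate by up to
    one cipher block.
    """
    inner = link_mtu
    while esp_packet_size(inner, **kw) > link_mtu:
        inner -= 1
    return inner


def tcp_mss_clamp(link_mtu=1492, **kw):
    """TCP MSS to advertise/clamp so segments never need fragmentation in the tunnel."""
    return max_inner_mtu(link_mtu, **kw) - IPV4_HEADER - TCP_HEADER


def oversized(inner_len, link_mtu=1492, **kw):
    """True if a packet of inner_len bytes would exceed the link after encapsulation.

    With the DF bit set (typical for TCP path-MTU discovery) such a packet is
    dropped, and if the resulting ICMP 'fragmentation needed' message is
    filtered, the session stalls instead of recovering.
    """
    return esp_packet_size(inner_len, **kw) > link_mtu


if __name__ == "__main__":
    for cipher in CIPHERS:
        for nat_t in (False, True):
            print(f"{cipher:9s} nat_t={nat_t!s:5s} "
                  f"max inner MTU={max_inner_mtu(cipher=cipher, nat_t=nat_t)} "
                  f"MSS clamp={tcp_mss_clamp(cipher=cipher, nat_t=nat_t)}")
    # A host that keeps the Ethernet default of 1500 bytes will produce packets
    # that do not fit a 1492-byte PPPoE link once encapsulated.
    print("1500-byte inner packet oversized on PPPoE:", oversized(1500))
```

The practical use is to set the VPN client's or the LAN interface's MTU to the `max_inner_mtu` value (or apply the `tcp_mss_clamp` value on the concentrator) for DSL users, and to confirm that ICMP type 3 code 4 is not being filtered in front of the concentrator, since either change addresses the stall pattern the thread describes.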
14 Comments
 
LVL 3

Assisted Solution

by:Julian_C
Julian_C earned 125 total points
ID: 11901614
Well, I have a lot of time for SSL VPNs but have got no further than testing out some offerings from Aventail at present. They seem to offer a genuine alternative to Citrix or straight TS for us. Citrix is an excellent way to provide the desktop to, even low bandwidth, remote hosts. Bandwidth is the big advantage over VPN technologies, especially IPSEC based where the network just extends to the host's location in some form. BUT, whilst Citrix is just great it is also just Sooooo expensive, even so far as to make its extensive use prohibitive in the organisation I currently find myself in, and they are certainly in the top 5 biggest in the world and the profit margin is huge. So, hence us looking at the SSL VPN middle ground, and it really does seem like a good halfway measure. This is especially true as externalisation or deperimeterisation become the norm as simple border security is stretched to the limit with organisational boundaries blurring more and more. IMO it is well worth taking a good look at SSL VPNs.

Cheers
Julian
0
 
LVL 15

Expert Comment

by:scampgb
ID: 11901622
Hi pseudocyber,

You might want to consider MPLS.

This is essentially a private network, provided within an ISP's infrastructure.
The network setup can include different access methods, such as DSL or dial-in.

This basically means that you don't have to use a VPN at all, and users connect directly into your network as if they were dialling into a bank of modems at your site.

Speak to your ISP - they might be able to offer this service.

Does this help?
0
 
LVL 15

Expert Comment

by:scampgb
ID: 11901628
pseudocyber,
I forgot to ask the basic question - what type of traffic do your users have to/from the network?


0
 
LVL 27

Author Comment

by:pseudocyber
ID: 11901660
We're looking at MPLS for our WAN (migrating from ATM with a Frame backup).  How does MPLS offer a VPN connection to remote based employees - either dialup or broadband connected?

Traffic is mostly checking email with outlook & exchange with some Windows based file access to file servers.  Some users are more technical and will be using lower traffic based apps such as SSH to servers, telnet, etc.

PS - very nice to have, almost requirement - need to login to Windows network (currently NT login but AD implementation to be completed shortly) and run login scripts and most importantly GET PASSWORD EXPIRATION NOTIFICATION.
0
 
LVL 15

Accepted Solution

by:scampgb
scampgb earned 250 total points
ID: 11901770
Speak to your ISP :-)

We're in a similar boat, looking at moving from an IPsec VPN to MPLS.  One of the offerings was a dial-in solution to our MPLS network.

For the DSL, that's fairly straightforward.  When the DSL connection starts up, it provides a username and password (as well as CLI). The ISP can use this information to configure their DSL equipment to add this link into the MPLS network.   Basically, all traffic to/from the DSL line will be automatically routed in the MPLS network.
The DSL line would not have an Internet IP address or direct Internet access.  It would essentially be a fixed link part of your network.

Dial-in would work the same way.  When you dial in, the RAS equipment will use your authentication credentials to configure how that session should work.  It would then route that session within the MPLS network rather than the ISP's "Internet access" network.

Does that make sense?  I don't have a detailed knowledge of how it actually works, just what it does.

Are your users using company-supplied kit (laptops, PCs etc.)?
You will be able to configure them (assuming Windows here!) to dial a connection before login.  If you're using DSL with a router, you don't even need this stage.  The PC/laptop would behave in the same way as it would in the office.
If you're using a dial account (or DSL with modem), then the user should tick "Log on using dial connection" when they log in.

... what happens then is that the PC establishes the dial-in connection, then does the log in to the domain in the same way as it would on the LAN.

Assuming all things being equal, and the routing tables on your DCs are right :-)
0
 
LVL 15

Expert Comment

by:scampgb
ID: 11901794
Sorry, I didn't see "GET PASSWORD EXPIRATION NOTIFICATION" - probably caps blindness :-)

As above, when the machine logs into the domain it will behave as it would do on the LAN.  Any group policies that you have defined will apply to the PC.  You need to test these things as you could accidentally stop them dialling in :)

However, if you mean that the password that they use to dial in with needs to expire, that gets much more complicated.
In the MPLS solution, this depends on how the ISP provides the service.  They might be able to offer authentication based on a RADIUS server on your site.  This could be integrated with your domain.  That might be a bit optimistic though.
0
 
LVL 27

Author Comment

by:pseudocyber
ID: 11901827
We're using two Internet feeds from two large nationwide providers in our city.  We're peering BGP with them.  One of the connections is Ethernet and the other is a partial DS3.  There are no plans to move our Internet connection to MPLS - just our WAN connection.  

I don't have a lot of knowledge about MPLS - so remote users could access the MPLS network somewhere out in the cloud, get authenticated, and join the network?

The remote users are using all kinds of different DSL and Cable Internet providers.  The dial up users use an international company which resells local dial up ISP access (iPass).  We could go with a RAS and modem bank, but we prefer not to, at this point unless it would represent a significant cost savings (reduce dial in costs below $20K/mo).

The password expiration notification needs to come from the domain - this is the domain password, and when it expires and the user connects there's a conflict between the cached password and the domain password and the users wind up getting locked out of their laptops.

Yes, all laptops are distributed from Corporate office and need to adhere to corporate image from desktop support team.
0
 
LVL 15

Expert Comment

by:scampgb
ID: 11901894
Right - you don't need to move your Internet connection to MPLS in order to use it for your remote users.
Your remote users will essentially be part of your WAN.  They won't have direct Internet connectivity themselves under this route.  
This is actually a good thing as it means they can't become infected with viruses/spyware from the Internet and then bring it on to your network.

The MPLS plan would work if your home users were being provided their network connections by the MPLS-capable ISP.  It sounds like they're not as they've got a load of different operators.  I've never encountered an inter-ISP MPLS network.

I didn't realise that you had a lot of International users.  That complicates matters further, and perhaps MPLS isn't the solution for you.

The domain login and password expiration stuff stands - as long as the machine is part of the network before the user logs on.
0
 
LVL 27

Author Comment

by:pseudocyber
ID: 11901907
We don't have international users - we have a dial-up provider who is international - so wherever one goes, one should expect to find a local dial-in number instead of long distance/toll free.
0
 
LVL 7

Assisted Solution

by:EmpKent
EmpKent earned 125 total points
ID: 11902121
Nortel's Alteon switch (I think they are changing the name to Contivity 3050 or something) does SSL VPN but is quite expensive. I also don't know that it will address the password issue.

We too are on CESs all over the network. You are behind a bit on the software. I DL'd 4.90.264 some time ago. That might help the loss of connections, but we too see troublesome clients intermittently. We usually reimage the laptop and the whining subsides.

Also, your rev does AES. That would lessen the load on the client slightly. Might be worth trying on a slow Friday like tomorrow... And it sounds good in an Exec summary.

I am quite interested in SSL and there are things happening in the Open Source arena but for the time being, you pay a massive premium to buy it boxed and backed.



0
 
LVL 15

Expert Comment

by:scampgb
ID: 11902129
Ah - that makes sense then.
I'm not greatly familiar with the telecoms setup in the US, so I'm not going to get into a detailed discussion about it :)

I still suggest that you speak to whoever is doing your MPLS migration and see if they can suggest a solution for you.
0
 
LVL 27

Author Comment

by:pseudocyber
ID: 11911500
What about SSL based VPN - anyone using it?

What about Cisco & IPSEC encapsulated in TCP?
0
 
LVL 27

Author Comment

by:pseudocyber
ID: 12543254
Thanks for your comments.
0
 
LVL 15

Expert Comment

by:scampgb
ID: 12546538
Glad I could help :-)
0
