Leased Lines v. VPN

Posted on 2005-04-15
Medium Priority
Last Modified: 2008-01-09
Our company currently leases T1 lines from our main office to every remote office, 12 in total. We have one location that VPNs in using 3Com hardware. The powers that be see that the office that VPNs in is able to do everything (well, almost) that the leased-line offices can do, at a fraction of the cost. I now need to give reasons why we should or should not move everything to a VPN solution.

This is what I have so far.
Cost – VPNs are less expensive than leased lines
Scalability – Access where you may not be able to get a leased line
Less expensive equipment

Slower speeds – users less productive
Security – as with any VPN solution, you are opening doorways into the network.
Inconsistent remote access performance due to changes in Internet connectivity
No entrance into the network if the Internet connection is broken

I would like someone that is experienced with VPN to give me a rundown of the pros and cons of moving everything to a VPN solution. Has anybody tried this and had it blow up on them? Has anybody tried this and had it work great?

I myself have limited experience with VPN in a corporate environment.

What should my security concerns be? I am sure I will need to purchase new equipment to make this work both reliably and securely.
I currently use ISA Server 2004 and 3Com firewalls.

Thanks for all comments.
Question by:UnifiedIT
Accepted Solution

lrmoore earned 800 total points
ID: 13794700
I'll give you a few more pros/cons
- Cost
- Comparable speed if you have a big enough Internet pipe

- quality of service - SLA. I'll bet your leased lines don't go down as often as the Internet connection
- need to increase size of Internet pipe. Single T1 might have to be upgraded to metered T3
- QoS over VPN is virtually non-existent because it rides the Internet. If you ever plan to use VoIP/video over the network..
- Need failover Internet connection in case primary is down
- no site-site connectivity without a compromising mesh setup. Site to corp HQ only

I don't see security as that big of an issue if planned/designed/deployed correctly
I don't see performance variation as that big of an issue unless you have any delay-sensitive applications

It's a great solution for companies that can't afford leased lines, but there are better alternatives for companies that need the reliability and scalability of leased lines. MPLS services from the major telcos are a much better solution; it does cost more in some respects, but it will reduce the total number of T1's that you have to support on the HQ side. Each location gets a T1 to the MPLS "cloud", and the HQ gets maybe 3-4 T1's to support all 12 remote sites. Instant any-to-any site connectivity, secure and private just like frame relay, good SLA service guarantees, great for QoS, GREAT option for continuity of operations or Disaster Recovery plans.

Assisted Solution

ShineOn earned 400 total points
ID: 13794745
That's a lotta cash going to the Telco every month. P-P T1 ain't cheap.

If you have high-speed Internet available to all sites (preferably business-class cable or SDSL), then a site-to-site VPN set up properly can be almost as secure as a P-P T1 with potentially better throughput, plus you gain the flexibility to have client-to-site VPN access for mobile/telecommuting users. Definitely at a fraction of the cost.

You lose a little centralized control of Internet access, but again gain flexibility, and the users gain from better Internet speeds because they're not sharing the pipe with everyone else (unless you set up your VPN to deny Internet access other than through the VPN).

You also lose the potential of a single-vendor point-of-contact for comm issues, because you'd have to use whatever the best high-speed business-class ISP does business at each location.

I think you actually could gain a lot of security if you go with a firewall/VPN appliance instead of using ISA Server, too. Not that ISA Server is that bad, but the firewall appliances are for the most part so much better.
Expert Comment

ID: 13794773
I like Lrmoore's MPLS cloud idea, but if the big push is cost savings and the reliability issue isn't a non-starter, then VPN is worth exploring.

Sure, the VPN network would be pretty much hub-and-spoke, but that's probably what you have now with your T1 setup, isn't it?
Assisted Solution

neteducation earned 400 total points
ID: 13794875
What I would do is the following:

- Select an Internet provider that can offer you access for all your sites
- Then do the VPNs yourself. At a customer's site I have a similar scenario, and am using a Sonicwall TZ2040 at the main office and Sonicwall TZ170 at the remote sites.... only 6 remote sites though.. but the concept works with up to 50

Advantages of this:

- Compared to the cloud idea above, cheaper. Basically the idea of the cloud is pretty much the same solution, only the provider is doing the VPN
- Because you are only with one provider, you still have one person to talk to if you have problems
- The problem of slow / changing response times in VPNs is often because some link between the different providers is overloaded, or routes between providers change because of changing contracts. I have hardly ever seen a provider that has capacity problems on provider-internal lines.

Disadvantage: Of course, still no guarantees in performance, and if the line in the main office is broken you really have a problem (as mentioned above).
Expert Comment

ID: 13794885
oops.. Sonicwall 2040pro, I wanted to say, is what I'm using at the main site

Assisted Solution

ender78 earned 400 total points
ID: 13796129
Make sure that you are replacing equivalent connectivity. In no way, shape or form is DSL a replacement for a T1 line. Business-grade DSL differs from residential DSL in price only. While DSL is a great technology for home use, most telcos and CLECs still don't know how to fix it ... quickly. Don't be fooled by sales reps trying to sell you 5000/800 DSL; unless your main site has infinite bandwidth and the traffic model is heavily pull-based [branch sites pulling large files from Head Office], you will see a noticeable difference in speed by cutting your upload bandwidth in half.

The level of service that you will receive will depend on the following:

- type of Internet access [a 10/100Mbps Ethernet circuit is obviously faster than a T1]
- the proximity of your sites on the Big I [sites a few blocks apart could have very high latency due to routing policies of providers, if different]
- how much you are willing to spend on network hardware [you will need to segregate corporate network and Internet traffic, and firewall from the net. Giving users a fatter Internet pipe can work against you. You don't want someone downloading the latest Doom demo to saturate the pipe, impacting traffic to the corporate network.]
- as alluded to by others, you MUST find a provider that can provide you connectivity to all the sites, ON THEIR OWN [a carrier will give you the impression that they are providing you with access directly but will buy connectivity from others]; failure to do so will result in a blame game when something is down
- moving to an IP VPN, you are significantly increasing the complexity of the solution; you now have to deal with routing policies that may shape and distort traffic, network congestion, filtering. That P2P link that you have now is yours and yours alone
- if you are not 100% comfortable in doing this all yourself, look for a provider-managed solution; such a solution, while expensive [could be cheaper than your P2P solution], will provide more peace of mind to management. When something breaks, you make ONE call to get it fixed
- what kind of network SLA can the provider(s) offer you? Don't expect the same service with DSL as you would get with a T1

If you can provide more details on the solution being sold to you, we may be able to offer some more suggestions.

Author Comment

ID: 13796234
We previously had gone with MPLS because of the number of lines that we have and the ease of adding new sites to it. Every office was set up and all that we basically had to do was go to each office and unplug from one smart jack and plug into the other. We had about four offices up and had a lot of problems with dropped packets. The provider (SBC) kept saying that it was on our end. We implemented QoS and still had the same issues. They sent out an engineer to look at all of our configs and they found nothing out of place. Finally, after about 6 weeks of this finger pointing, we pulled the plug. What do you know; they were all about finding the problem then. As it turns out they had some bad configs and never found them until it was too late. So I am back with my T1’s. MPLS is too new in my area and we are not going to be guinea pigs until they get the bugs sorted out.

Currently we have T1’s to most offices with frame relay links to the others. All remote offices connect to one of our two terminal servers via Remote Desktop. I am working on implementing Citrix, but I am only one guy and I have a big workload. Our Corp site has 2 T1 lines for Internet access. Every remote site's Internet traffic gets routed through these 2 lines. We have a 3Com firewall, but we are moving to ISA 2004 because of its functionality and group-based access, and the 3Com was not reliable. Every remote site has printers and some have digital senders. Users from SiteA will have to print to printers at SiteB and so on.

Lrmoore brought up a good point about making sure that the Internet pipe is big enough. I had not thought of that. With every remote site VPNed in it will take up a large load.

Shineon - yes, right now I have a hub-and-spoke topology.
ender78 - yes, I am comfortable doing this myself; it is just new territory and I need a map of the correct roads as I do not want to get lost.

Expert Comment

ID: 13797019
When planning for the newly needed capacity, you may want to take a closer look at how much traffic was going from the remote sites to the Internet. In a VPN scenario, you most probably don't want the Internet traffic being routed through your main office. Therefore, if most of the traffic you had so far is Internet traffic, then you probably don't need to upgrade your line too much. Especially if you are saying that most traffic is Terminal Server / later on Citrix traffic, then this is definitely not too much traffic. Printing from one site to the other will generate some traffic though... if you have to print from one branch office to another branch office a lot, then you may want to do a VPN between each of those.
Expert Comment

ID: 13797031
This is Cisco's solution for using lower-cost DSL with Multipoint GRE

Most packet loss issues that I've seen on MPLS networks was because of poorly implemented BGP. What type of Network Management Station do you have watching over things, alerting you to problems, etc?

I would highly recommend a failover pair of Cisco PIX 515e firewalls to replace your 3Com, and use the ISA 2004 as a proxy only. This gives you the best of both: the best firewall with auto failover and VPN capabilities that you won't get with ISA, and the best features of the ISA 2004 application. I shudder thinking about a Microsoft application running on top of a buggy, security-hole-ridden, patch-nightmare Windows OS.
Expert Comment

ID: 13797044
Whoops, I forgot to finish that last sentence..

....nightmare Windows OS... as my first line of defense protecting my corporate ass(ets) from the world.

Something else we need to consider - are you in a regulated industry that has to comply with government regulations or things like HIPAA, SARBOX, GLB or others?

Author Comment

ID: 13805846
MPLS was a great solution and I wish it would have gone well. The provider had the bad configs on their core routers. I do not know the exact details of what they had wrong, but packets were being discarded when they were too big. Ping with a small packet and everything was fine. Ping with a large packet and they would get dropped. By the time they fixed it, it was too late. They did not fix the problem until we cancelled the order. Go figure.

We use SolarWinds for network monitoring.
We are not a regulated industry.
Expert Comment

ID: 13805988
You've got the best monitoring solution for the price out there.
Since you are not regulated, and you can justify the loss of an SLA (service outages at no penalty to the provider), then the Multipoint GRE solution is very acceptable.
The major consideration is simply how much downtime can you stand?
If the answer is zero, then consider keeping the bunch of T1's that you have now and augment that with the DSL/GRE as backup only.
If the answer is that the cost savings moving to low-cost DSL and GRE tunnels will far outweigh the potential for downtime, then that's the answer.

Either way, with the GRE tunnels, you have full control over who can get to what. You have the option to tunnel everything and control Internet access, and this will require you to get a bigger Inet pipe into the core site, or split-tunnel and let each remote site have their own Internet access. This reduces the load on your own Inet pipe, but exponentially increases your security risks.

Else give MPLS another whirl with a different provider now that some of the kinks are worked out.
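The hub-pipe sizing question raised in neteducation's comment (how much of today's traffic is Internet rather than corporate, and whether heavy branch-to-branch printing warrants direct tunnels) and lrmoore's full-tunnel versus split-tunnel trade-off can be worked through with this small Python model. It is an added example, not code from anyone in the thread; the 12-site estate and its traffic figures are constructed, and the 70% utilisation target is an assumption.

```python
"""Added example: sizing the HQ Internet pipe for a hub-and-spoke VPN.
All figures are constructed for illustration, not measured traffic."""
import math
from dataclasses import dataclass, field

T1_MBPS = 1.544  # payload rate of one T1

@dataclass
class Site:
    name: str
    internet_mbps: float   # branch users' general Internet traffic
    to_hq_mbps: float      # terminal-server / Citrix / file traffic to HQ
    to_branch_mbps: dict = field(default_factory=dict)  # inter-branch, e.g. printing

def hub_load_mbps(sites, split_tunnel, mesh_threshold_mbps=None):
    """Aggregate traffic (Mbps) that must cross the HQ Internet pipe.

    split_tunnel=False tunnels everything to HQ, so branch Internet traffic
    rides the HQ pipe too (central control, bigger pipe). True lets branches
    reach the Internet directly: less HQ load, but each site then needs its
    own perimeter filtering and monitoring. Branch pairs exchanging at least
    mesh_threshold_mbps get a direct spoke-to-spoke tunnel; below it their
    traffic hairpins through the hub and crosses the HQ pipe twice.
    """
    load = 0.0
    for s in sites:
        load += s.to_hq_mbps
        if not split_tunnel:
            load += s.internet_mbps
        for mbps in s.to_branch_mbps.values():
            if mesh_threshold_mbps is None or mbps < mesh_threshold_mbps:
                load += 2 * mbps  # in on one tunnel, out on another
    return load

def t1s_needed(load_mbps, headroom=0.7):
    """T1s at HQ needed to keep utilisation under `headroom` (assumed 70%)."""
    return math.ceil(load_mbps / (T1_MBPS * headroom))

def example_sites():
    """Constructed 12-branch estate; two branches print heavily to each other."""
    sites = [Site(f"site{i:02d}", internet_mbps=0.3, to_hq_mbps=0.1) for i in range(12)]
    sites[0].to_branch_mbps = {"site01": 0.2}
    sites[1].to_branch_mbps = {"site00": 0.2}
    return sites

if __name__ == "__main__":
    for split, mesh in ((False, None), (True, None), (True, 0.2)):
        load = hub_load_mbps(example_sites(), split, mesh)
        print(f"split_tunnel={split}, mesh>={mesh}: {load:.2f} Mbps -> {t1s_needed(load)} T1s")
```

Running it shows why the hairpin matters: with the constructed figures, full tunnelling needs 6 T1s at HQ, split tunnelling 2, and a direct tunnel between the two printing sites takes the hub load down again without changing the HQ T1 count.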

Author Comment

ID: 13833643
Thank you for all the comments. They will all help considerably if I need to roll this out.
