IBS Case Study of Toole Insurance

Case Study - The implementation of a VPN for Toole Agency
by Scott Seifel

Historically, for companies with multiple offices that want to have data access between them, the implementation of a wide area network was limited to a handful of technologies.  Two of the most popular technologies were point-to-point and Frame Relay data circuits.

A point-to-point data circuit allows a company to have a private and secure data connection between two locations.  Speed can range from 64 kilobits per second (Kbps) to a full T1 (1.544 Mbps).  These circuits are available from communication or phone companies, which charge a fixed monthly fee that can be expensive depending on the distance to the communication company’s central office and the number of data circuits required for the WAN.  Each point-to-point circuit requires a physical interface on the router, the device used to direct the flow of data traffic.  For example, if there are three remote offices and all three need to communicate with a fourth location, there will be three circuit lines attached to the router at that fourth location.  Furthermore, each interface requires a piece of hardware called a channel service unit / data service unit (CSU/DSU), adding cost to the router.  If the topology of the wide area network requires all offices to be directly connected to each other, known as a full mesh topology, the number of circuits to be purchased is n(n-1)/2, where n is the number of offices.  For a company with four offices, the number of lines would be (4*3)/2 = 6.  Add one more office and the number increases to 10 data circuits.  To avoid the high cost of a full mesh, the workaround is to replace the full mesh with a hub-and-spoke (star) topology or a partial mesh.  In a star, all remote offices connect to a single office, whose router directs the data traffic to its final destination.  The problem is that the hub is a single point of failure, whether its router breaks down or the office loses power.  Another alternative is a dual-hub topology, where all remote offices connect to two offices acting as “hubs.”  Still, the cost will be higher than a single hub, since more circuits are required.

The second choice uses the Frame Relay protocol, which creates virtual circuits over a single physical circuit.  The router now needs only a single interface, since there is only a single physical circuit, a savings in hardware over the point-to-point technology.  A virtual circuit is a logical division of a physical circuit, allowing many virtual circuits to run over the same physical circuit.  All virtual circuits go to the communication company’s central office, where each virtual circuit’s traffic is then switched onto the virtual circuit leading to the intended remote office.  Data on frame relay circuits stays on the carrier’s private network rather than crossing public networks and is considered secure.  The number of virtual circuits for a given WAN topology is the same with frame relay as with point-to-point.  For example, a full mesh topology requires the same number of virtual circuits [n(n-1)/2] as point-to-point circuits.  The difference is in the number of physical connections.  Overall, the total cost of using frame relay is usually lower than using point-to-point circuits, both in hardware and in communication costs.

Virtual Private Network

A less expensive way of creating a wide area network for a company is to use the public networks that form the Internet to transport data between the offices, while creating a “virtual” private network by encrypting the data between those sites.  Data from one office is sent over a virtual circuit, or tunnel, to another remote office.  The only requirement is that each office needs Internet access, preferably a high-speed connection with a static public IP address.  This can be achieved using inexpensive DSL or broadband connections, or either of the two technologies discussed above.  The savings on recurring circuit costs can be huge.  Four offices, each with a DSL Internet connection, cost much less per month than multiple point-to-point or frame relay circuits.

The VPN setup does require a firewall and a VPN device at each location in addition to a router or DSL/cable modem.  Most firewall units today have VPN and routing features built in, eliminating the need for separate devices.  The modems are low cost and are sometimes provided by the Internet service provider.  Furthermore, DSL connections can sometimes match or even exceed the performance of point-to-point and frame relay circuits.  A bonus of this type of setup is that users at each office have Internet access while connected to the remote office.  However, if required, Internet access at the remote offices can be restricted and forced to go through the main office to increase security and ease IT administration.  It gets even better.  A full mesh WAN topology via VPN tunnels can be implemented without incurring any extra cost, because no additional circuits are required: each VPN tunnel goes over the Internet.  This achieves a significant savings versus a full mesh topology built from point-to-point or frame relay circuits.  Security is not a problem, since the VPN tunnel is protected using encryption standards such as triple Data Encryption Standard (3DES) or the newest standard, Advanced Encryption Standard (AES).  To establish a VPN tunnel, each firewall needs a certificate or a pre-shared key (password) agreed in advance.  In other words, only designated locations will be able to connect with each other.

Case Study - Toole Agency

The insurance company had in the past used frame relay for its WAN.  When it moved one of its remote offices to the center of Great Barrington, MA and opened a fourth office where DSL was available, the use of a VPN became a viable option.  IBS, Inc. implemented virtual private networks at all four of their offices, lowering the monthly cost of its WAN while offering great reliability and security.  We configured a star topology with three offices connecting to the main office, using Cisco Packet Internet eXchange (PIX) firewalls at each location, with two sites using DSL, one site using point-to-point and the fourth using a frame relay circuit (where DSL was not available).
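To make the VPN section above concrete, here is what the hub (main office) side of one spoke in such a star looks like in Cisco PIX 6.3 configuration syntax: an IKE policy using a pre-shared key, an IPsec transform set using AES, and a crypto map entry tying them to one branch peer.  This is an added illustration, not the configuration IBS deployed at Toole Agency; the interface names, network ranges (RFC 5737/1918 addresses), peer address, access-list names and key are constructed placeholders.

```cisco
: Hub-side site-to-site IPsec tunnel to one branch (added example; all values are placeholders)
: Interesting traffic: hub LAN 10.1.0.0/24 <-> branch LAN 10.2.0.0/24
access-list branch1-vpn permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
: Keep tunnel traffic out of NAT so branch users reach hub servers by private address
access-list nonat permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list nonat
: Let traffic that arrived through an IPsec tunnel bypass the outside interface ACL
sysopt connection permit-ipsec
: Phase 2 (IPsec): AES-256 with SHA-1 integrity; esp-3des would be the weaker legacy choice
crypto ipsec transform-set aes-sha esp-aes-256 esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address branch1-vpn
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set aes-sha
crypto map outside_map interface outside
: Phase 1 (IKE): pre-shared key bound to the branch's static public address only
isakmp enable outside
isakmp key PLACEHOLDER-LONG-RANDOM-SECRET address 203.0.113.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

Each additional branch in the star gets its own crypto-map entry with a new sequence number (20, 30, ...), its own match access list and peer, its own `isakmp key ... address` line, and an extra permit line in the `nonat` list; the branch firewalls carry the mirror-image configuration with the hub as their single peer.  Binding the key to one peer address with a /32 netmask, and keeping the pre-shared key long and random, is what makes "only designated locations can connect" hold in practice.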

"Prior to VPN technology connecting our branch offices to our main office, I honestly don't know how we managed to keep staff in the branch locations," states Joan Tyer, financial officer at L.V. Toole Insurance Agency in Lee, MA (www.tooleinsurance.com).  "The speed of receiving information on their end was extremely slow.  They would have to watch the screen fill up line by line.  Now, it is almost like being in our main office.  We have grown our branch staff and probably would not have been able to do so with the previous setup.  There are very few problems.  We are very thankful for switching.  The IBS staff involved in this transition is extremely knowledgeable and a pleasure to work with."

For more information on VPN solutions, contact Scott Seifel at sseifel@for-ibs.com

Return to Fall 2005 Newsletter