As your business grows, you may expand beyond your original physical site. That means opening branch offices in other locations, whether across town or across the globe. It's likely that the employees in these remote locations will need access to many of the same network resources as those at your headquarters building, and the two groups will probably need to share files and communicate electronically with one another.
The traditional solution has been to implement a dedicated Wide Area Network (WAN) link between the central and branch offices, usually a T-1 or even a T-3 line. However, dedicated leased lines are expensive. When you have only one branch office, a single line will suffice, but when you add a second branch office, full connectivity among the three sites may require two more dedicated lines. The number of lines needed for full connectivity grows rapidly as offices are added, and so does the cost.
A more scalable solution is to connect branch offices using a site-to-site virtual private network (VPN). Let’s look at how a VPN can offer you maximum scalability while ensuring that communications between offices stay secure.
The Internet is the network
To implement a site-to-site VPN connection between your branch offices, each location needs a connection to the Internet. The Internet connection can be via a T-carrier line or a less expensive business-level broadband connection such as DSL, cable, or newer fiber-optic services such as Verizon’s FiOS. All of these provide data transfer rates far higher than a T-1 line. For example, in the Dallas-Ft. Worth, TX market, a 1.5 Mbps T-1 costs $399 or more per month. A FiOS connection provides 30 Mbps, or twenty times the bandwidth, for $199 per month.
The VPN uses the fact that both your central office local area network and the branch office networks are connected to the larger network (the Internet) to provide connectivity between the LANs. Of course, the Internet is a public network, full of hackers and attackers, so the key concern with sending communications across the Internet that are confidential within the company is security.
VPN technologies solve this problem by creating a "tunnel" through the Internet from one office (site) to another. The traffic that goes through this tunnel is encrypted to protect any sensitive data.
Some advantages of site-to-site VPN include:
- Cost. You don’t need the multiple leased lines required for dedicated branch office WAN links. You can use a single leased line to the Internet for each office, or lower cost business broadband Internet connections.
- Performance. You can use very high speed Internet connections at each office for data transfer rates that approach or surpass some Ethernet links.
- Flexibility. If you move one or more offices, it’s much easier to "take it with you" than a dedicated leased-line link. The VPN can be set up easily at the new site.
- Scalability. Adding new sites/connections is simple as long as each location has a connection to the Internet. With leased lines, greater distance between offices means higher cost. Because the VPN uses a connection to the Internet instead of a point-to-point connection between offices, it’s much more scalable.
Implementing the site-to-site VPN
Unlike the remote access type of VPN that’s used by telecommuters or traveling executives to connect to the office, a site-to-site VPN utilizes a gateway at both ends of the connection. Traffic is encrypted from gateway to gateway (over the Internet).
There are a number of different ways to create a site-to-site VPN. First you need to consider the protocols you’ll use to create the tunnel and encrypt the traffic. Popular tunneling protocols include:
- Point-to-Point Tunneling Protocol (PPTP). One of the first VPN methods, supported by many VPN software and hardware vendors, but less secure than some other choices. It is more often used for remote access VPNs but can be used for site-to-site VPNs.
- Layer 2 Tunneling Protocol (L2TP). Based on a combination of Microsoft’s PPTP and Cisco’s Layer 2 Forwarding (L2F). L2TP creates the tunnel and IPsec is used to encrypt the traffic inside the tunnel.
- Internet Protocol Security (IPsec). IPsec can itself be used to create a VPN tunnel in "tunnel mode."
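As an added illustration that is not part of the original article (which describes appliance and Windows-based gateways), here is what the headquarters side of an IPsec tunnel-mode site-to-site connection looks like in the open-source strongSwan daemon's swanctl.conf; the gateway addresses, LAN subnets, identities and shared secret are constructed placeholders, and the branch gateway needs the mirror-image configuration.

```conf
# Constructed example for the HQ gateway (strongSwan swanctl.conf syntax).
# Only the two gateways' public addresses appear on the Internet; the LAN
# addresses inside each packet are encrypted along with the payload.
connections {
    hq-to-branch {
        local_addrs  = 203.0.113.10      # HQ gateway public address (placeholder)
        remote_addrs = 198.51.100.20     # branch gateway public address (placeholder)
        version      = 2                 # IKEv2 negotiates the tunnel keys
        proposals    = aes256-sha256-ecp256
        dpd_delay    = 30s               # detect a dead peer and rekey/restart

        local {
            auth = psk
            id   = hq.example.com        # identity, not a DNS lookup
        }
        remote {
            auth = psk
            id   = branch.example.com
        }

        children {
            lans {
                mode          = tunnel   # whole inner IP packet is encapsulated
                local_ts      = 10.1.0.0/16   # HQ LAN (placeholder)
                remote_ts     = 10.2.0.0/24   # branch LAN (placeholder)
                esp_proposals = aes256gcm16-ecp256
                start_action  = start    # bring the tunnel up at daemon start
                dpd_action    = restart
            }
        }
    }
}

secrets {
    # One shared secret per peer; a real deployment uses a long random value
    # or certificates instead of this placeholder string.
    ike-branch {
        id     = branch.example.com
        secret = "REPLACE-WITH-A-LONG-RANDOM-PRE-SHARED-KEY"
    }
}
```

On the branch gateway the local/remote addresses, identities and traffic selectors are swapped, and traffic between 10.1.0.0/16 and 10.2.0.0/24 is then routed through the tunnel automatically by the installed IPsec policies.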
Site-to-site VPN software
In addition to the protocol issue, another important consideration is how the VPN software will be implemented. You can purchase dedicated VPN gateway appliances. Most firewall appliances, such as the Cisco PIX, also include VPN functionality. Alternatively, software firewalls such as Microsoft’s ISA Server or Check Point can also be configured as site-to-site VPN gateways. Finally, Microsoft’s server operating systems also can be set up through Routing and Remote Access Services (RRAS) as VPN gateways.
In selecting an option, keep scalability in mind. If your branch office is likely to grow, that might very well mean an increase in the amount of traffic between the branch office and the central office, and that in turn means a heavier load on your VPN gateway. If you’re locked into an appliance, upgrading may require that you purchase a whole new appliance. Using software-based VPN gateway solutions such as Windows Server, ISA Server, or Check Point for Windows will allow you to upgrade the hardware more easily, by adding a processor or memory, to handle the extra load. There’s a tradeoff, though: appliance-based gateways may provide faster performance to begin with, and they may also run proprietary operating systems that are less vulnerable to attack than Windows servers.
Regardless of which way you go, a site-to-site VPN solution can offer you a highly scalable way of connecting branch offices.
Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 additional books on subjects such as the Windows 2000 and Windows 2003 MCSE exams, CompTIA Security+ exam, and TruSecure's ICSA certification.