TechRepublic is like a lot of other Internet companies—it started very small with limited funding, and its early network architecture reflected those limitations.
The way TechRepublic provided virtual private network (VPN) resources to its offices in New York and California was also somewhat crude in those early days.
In this article, we will describe how TechRepublic’s VPN evolved from a simple to a more sophisticated solution. This evolution is a good example of how an IT department meets the challenge of a rapidly—and geographically—growing company.
“When I first walked in the door, the original VPN solution was still in place,” said Mike Laun, TechRepublic’s network administrator.
A contractor had set up TechRepublic’s first VPN, and it was out on the public network on a desktop-class workstation with one NIC in it. The only security on this little machine was the security inherent in Microsoft Windows NT4.
“It was sitting on our network out in the public for the whole world to see and the whole world to hit. But it worked, for the size of the company—most of the time,” Laun said. “The VPN was simply an easy way for people to connect in one spot and get all the resources they would normally see in the office.”
The VPN wasn’t the only security hole in the TechRepublic network. The IT staff worked to implement a private network with firewalls and other security features. While that was being done, the company had its old public-side network coexisting with its new, private network that consisted of four or five VLANs.
It’s never as easy as you think
At TechRepublic corporate offices in Louisville, KY, the IT staff was implementing two VPN servers running NT4. Because it takes time to migrate everything and everyone in any organization from a public to private network, each VPN server had two NICs multihoming the private and public networks, Laun said.
“By having two resources, this spread the load out a little bit so everyone wasn’t hitting the same thing—the same tiny little workstation we had set up for VPN,” Laun said. “It made connectivity much more reliable.”
With the single, underpowered machine, it was typical for users to be booted off the VPN after only 15 to 20 minutes. Once the VPN load was divided between the two servers, connections stayed up for 400 or 500 hours without a loss of connectivity. The connectivity losses that did occur were due to an ISP problem that took a T1 down.
The implementation of the two VPN servers solved another issue. There was a problem with a router that was trying to connect VPN users from the public network to the private network.
There were problems with the VLANs talking to the router on the public side of the network that was supposed to handle the VPN chores, Laun said. The IT department discovered the VLANs hadn’t been set up properly and the router didn’t have enough memory to handle the load.
They were able to eliminate that router altogether with the two new VPN servers.
Progress marches on
Even though the VPN servers have been solid and stable, TechRepublic is currently implementing hardware-based VPN using Cisco 2621 and 7120 routers for site-to-site VPN tunneling.
The Cisco routers will improve the security of the network by removing potential access to server accounts or any hardware access at all, except to the router.
“Anytime you have an NT server sitting out on a public network, it’s open for hackers. You can only lock down NT so much,” Laun said.
Windows NT has been around a number of years and is designed for people to access it, he said. NT’s security primarily depends on access permissions. Everyone knows the “local administrator” account exists, and some people will sit on the Internet monitoring the traffic to catch the password to the administrator account. When that happens, they are in your network, he said.
“The Microsoft solution for VPN is fantastic for a vast majority of start-up businesses and even major companies, but the hardware solution is much more secure and much more reliable, in general,” Laun said.
The biggest argument against using the Cisco hardware solution for VPN is the cost of the routers and the expertise that is needed to get them to work properly with any specific set of hardware and software.
Cisco routing is still a mystery to many people, partially because there is no graphical interface and the command line instructions are pretty cryptic, Laun said. All that trouble is offset by the security and reliability the hardware VPN solution provides, he said.
Another aspect of the hardware solution is that there will be Cisco VPN routers in all of TechRepublic’s other offices. The routers are locked down so that they will only accept router-to-router traffic from one specific IP address: the address of the peer router at the other site, out of all the possible IP addresses out there.
“You’ve taken everything out of the loop except IP address, and the only threat there is IP masking, and that is not easy,” Laun said, adding that there are going to be invisible but profound psychological effects for TechRepublic’s employees in all of its satellite offices.
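The lockdown Laun describes (a public interface that accepts only site-to-site tunnel traffic from the peer router's single address) looks roughly like the following Cisco IOS fragment. This is an added illustration, not TechRepublic's actual configuration; the addresses (203.0.113.2 peer, 198.51.100.2 local, 10.1.0.0/16 and 10.2.0.0/16 LANs), the names `VPNSET` and `SITE2SITE`, and the cipher choices are assumed for the example.

```cisco
! Inbound filter on the Internet-facing interface: only the peer router's
! address may send IKE (UDP 500) and ESP to this router; log everything else.
access-list 101 permit udp host 203.0.113.2 host 198.51.100.2 eq isakmp
access-list 101 permit esp host 203.0.113.2 host 198.51.100.2
access-list 101 deny ip any any log
!
! IKE phase 1: the pre-shared key is bound to the peer's address, so a packet
! that merely spoofs 203.0.113.2 passes the ACL but cannot authenticate.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 203.0.113.2
!
! Only LAN-to-LAN traffic between the two offices is sent through the tunnel.
access-list 110 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
crypto ipsec transform-set VPNSET esp-aes esp-sha-hmac
crypto map SITE2SITE 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set VPNSET
 match address 110
!
interface Serial0/0
 ip address 198.51.100.2 255.255.255.252
 ip access-group 101 in
 crypto map SITE2SITE
```

The `log` keyword on the final deny is what turns the "whole world hitting it" traffic into a record the IT staff can review, and the address-bound key is why IP masking alone does not get an attacker a tunnel.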
“People in New York, California, or Minnesota are going to feel like they are right here and feel like they are really part of our network,” he said. Setting up a computer in any office will be just like setting one up in the home office.
“[Our traveling users] can sit down at a desk in any of our offices and plug their laptops in and go,” Laun said. “There will be nothing there that they will have to change. That’s our goal.”
Did you have a similar experience at your organization setting up VPN? Have you found a better way to do it? Is the evolution of VPN service different between an Internet start-up like ours and an established business? Post a comment below or send us a note.