Security Basics mailing list archives

Re: Secure WAN Setup (Possibly off topic?)


From: Bennett Todd <bet () rahul net>
Date: Mon, 17 Mar 2003 13:15:58 -0500

2003-03-06T13:30:42 Chris Berry:
> The budget for this setup is probably less than $5000 though that's
> still a grey area.

If that budget includes costs for initial setup and first year for
the WAN connectivity, I think you've run out of choices --- I don't
think you're going to be using any sort of leased lines, not even
frac T1, for that kind of price. Maybe, possibly ISDN, if you have
someone with the special black magic voodoo dolls required to coerce
your local telco to deliver that service.

> I need to decide if both organizations should continue sharing a
> main database, or if the second organization should purchase their
> own.

That would depend on details you haven't mentioned --- possible
security motivations, and performance questions, which would depend
greatly on application architecture and middleware choices.

> Leased line or Internet VPN?

That's easily identified as pure cost -vs- performance tradeoff.
It's pretty easy to get a leased line that delivers better
performance than the internet, the internet isn't really all that
fast; and the internet at large has no service level commitment,
whereas it's not hard to find leased line arrangements where the
vendor delivers a hard commitment to certain performance levels
(although, as always, if it comes to a trip to court, whoever can
afford the bigger lawyers, wins, so if the connectivity provider is
big enough that you're confident that they'll still be in business
in a couple of years, you probably can't afford to enforce any SLA
commitment --- and they know it).

If your office can tolerate the typical Service Levels (works well
enough for small office VPN 99% of the time is not a bad guess) for
the Internet, or if you can't afford a leased line, then it's an
easy choice.

Whether you use a leased line or internet, a VPN would be a good
idea; that puts entire control over the transit security in your
hands.

For this, I'd recommend going with a platform you're comfortable
with. Establishing and maintaining an interoffice VPN link is a
little intimidating the first time you try it (although once you get
it working it should just work and work and work, you can forget
it's even there); why add extra stress from an unfamiliar platform?

I've done this before, four offices, somewhat larger than your
setup; did it with FreeS/WAN on Red Hat Linux, worked like a champ.
If I were doing the same thing now --- deploying Linux boxes as
firewall/internet-server/interoffice-vpn combo appliances, I'd do it
with Red Hat 7.3 using CIPE --- CIPE is specialized for this role,
whereas IPSec (the protocol implemented by FreeS/WAN) was designed
to solve every conceivable problem that anybody in the room could
dream of, even when they were hung over. It shows.

-Bennett
