Using The Internet As A WAN Link? Use A VPN.
Stable and secure Windows Networking depends upon properly designed, routed subnets. IP routing was designed to make Local Area Networks connect, yet still observe geographical relationships. Using routers between LANs allows localisation of some domain services (browsing, name resolution), but widespread availability of others.
When you route IP connectivity thru wiring that you own and control, behind a firewall, each connected LAN is as safe as any of the other LANs. Threats on the outside (Internet) stay on the outside. Two geographically separate LANs, connected by a dedicated, leased communication line, are each as safe as the other.
What if you have 2 LANs, distant from each other, and can't justify the expense (initial or ongoing) of a leased or owned communication line? If both LANs have Internet access, you can still connect them; just use the Internet as the WAN link.
But wait! I hope you know how dangerous the Internet can be. It's bad enough when accessing it as clients. Plain old web browsing is bad enough; how about running a server on the Internet? OK, how about running all of the computers on your LANs thru the Internet? Why not hold up a $100 bill, and stroll thru Times Square in New York City? See if you get anywhere alive.
But you can connect your LANs thru the Internet, if you design the connection properly. A controlled, encrypted tunnel between your LANs, using routers that support a Virtual Private Network (aka VPN) will do this fine.
A VPN will be a lot easier to set up, and more stable and secure, when properly planned.
- All sites have a fixed IP address on the WAN (Internet).
- All sites use compatible VPN routers (identical make / model is best).
- The internal (LAN) subnets are different.
- You use DNS for name resolution.
- You use domains, not workgroups, to make browsing (Network Neighbourhood) reliable.
- You standardise connectivity between each LAN and the Internet.
- You standardise security policies between each LAN.
Each LAN Is Addressed By Its WAN Address.
The VPN routers set up static tunnels between each other. Setting up a VPN router requires identifying the other router(s), by its IP address as well as by a pre-installed certificate or pre-shared authentication key. If you can't provide a fixed IP address for each router, you'll have to use a domain name, registered with a dynamic DNS service like DynDNS, TZO, or the like.
Hardware Compatibility Is A Must.
There are various conventions and standards for establishing, and conducting, authentication and encryption in a VPN. Each router manufacturer will likely have some variation, however small. The easiest, and most stable, VPNs will use router hardware of the same make, model, and firmware level at each end of a VPN tunnel.
LAN Subnets Must Be Unique.
A VPN provides a routed connection between LANs. In order for routing to work, you have to have different subnets on each LAN. When you set up a VPN between LANs that were set up before being connected, you may find some LANs using the same subnet. You can't have stable LANs, each having the same subnet, connected by a router.
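A quick pre-deployment check for the point above, added here as an illustration (not code from the original article): given each site's planned LAN subnet, it reports every pair of sites whose subnets are identical or overlap, so you can renumber before building the tunnels. The site names and subnets are constructed sample values.

```python
"""Check a site-to-site VPN plan for duplicate or overlapping LAN subnets.
Routers cannot route between two LANs that share the same address range,
so every conflict reported here must be fixed by renumbering a site."""
import ipaddress
from itertools import combinations

# Constructed sample plan: site name -> planned LAN subnet (CIDR).
SAMPLE_PLAN = {
    "head-office": "192.168.1.0/24",
    "branch-a": "192.168.1.0/24",   # identical to head-office: conflict
    "branch-b": "10.10.0.0/16",
    "branch-c": "10.10.5.0/24",     # nested inside branch-b: conflict
    "branch-d": "172.16.20.0/24",   # unique: fine
}


def find_subnet_conflicts(plan):
    """Return a list of (site_a, site_b, reason) tuples for every pair of
    sites whose LAN subnets are the same or overlap. strict=True rejects
    a subnet written with host bits set (e.g. 192.168.1.5/24)."""
    nets = {site: ipaddress.ip_network(cidr, strict=True)
            for site, cidr in plan.items()}
    conflicts = []
    for (a, net_a), (b, net_b) in combinations(sorted(nets.items()), 2):
        if net_a == net_b:
            conflicts.append((a, b, "identical subnet %s" % net_a))
        elif net_a.overlaps(net_b):
            conflicts.append((a, b, "%s overlaps %s" % (net_a, net_b)))
    return conflicts


def plan_is_routable(plan):
    """True when no two sites share or overlap a LAN subnet."""
    return not find_subnet_conflicts(plan)


if __name__ == "__main__":
    for a, b, reason in find_subnet_conflicts(SAMPLE_PLAN):
        print(f"conflict: {a} <-> {b}: {reason}")
    print("plan ok" if plan_is_routable(SAMPLE_PLAN)
          else "renumber the conflicting LANs before building the VPN")
```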
Use DNS For Reliable Name Resolution.
On most small LANs, you'll use broadcasts for name resolution. Broadcasts aren't routable; each IP subnet is, by definition, a broadcast domain. If you want computers on one subnet to access computers on another (which is, presumably, why you're setting up a VPN), you'll find computer names more convenient than IP addresses. Some VPNs will, if configured, pass SMBs for name resolution and browsing, but this will likely slow down Windows Networking. DNS based name resolution is the best way to go, for anything more complex than a single local cluster of computers.
Use Domains, Not Workgroups.
If you use Network Neighbourhood to identify and access other computers, you'll need browsing to work between the subnets connected thru the VPN. A properly designed domain structure will make browsing work much better.
Connectivity Between Any LAN And The Internet Can Affect Its Connection With The Others.
A VPN connection between any two LANs requires regular interchange of control information, and irregular application data. Balanced connectivity makes both more predictable. If one LAN has a dual WAN business class DSL service, and the other has residential class dialup, how secure and stable will that VPN be?
Security On Any LAN Can Affect The Others.
VPNs are used to connect geographically separate LANs, and imply some degree of trust between those LANs. The computers on any LAN connected to a VPN are only as secure as the computers on the LAN with the weakest security policies. Review and synchronise security policies before setting up a VPN.
If you wish to set up a VPN between your home network and your work network, security at your work may be compromised. You should always get permission from LAN administration before doing this. You may be legally at risk without such precautions.
Increased Sophistication And Excess Bandwidth Mitigate These Issues.
As availability of VPNs has increased, with VPN capable hardware sold in WalMart and similar convenience stores, and as VPN firmware becomes more sophisticated, each endpoint in a VPN relationship will be better able to adjust to differences between its own environment and the environment present at the other end. Many of the above issues won't be quite as relevant in the future. But if you start out being aware of the issues, you will be prepared to deal with them when they do become relevant.