Chapter 2

Wide Area Networks

IN THIS CHAPTER

check Looking at WAN connection options

check Choosing a router

check Securing your connection with a firewall

check Connecting remote users and branch offices with VPN

Obviously, your network needs to be connected to the Internet. But that’s easy, right? All you have to do is call the cable company and have them send someone out. They’ll get you hooked up in a jiffy.

Wrong. Unfortunately, connecting to the Internet involves more than just calling the cable company. For starters, you have to make sure that cable is the right way to connect. Then you have to select and configure the right device to connect your network to the Internet. And, in all likelihood, you have to figure out how to provide remote access to your network so you can connect from a hotel room on a business trip or link up with the branch office in Albuquerque. And finally, you have to lie awake at night worrying whether hackers are breaking into your network via its Internet connection.

Not to worry. The advice in this chapter helps you decide how to design your wide area network (WAN) architecture. This includes your Internet connection, as well as remote access options.

Connecting to the Internet

Connecting to the Internet isn’t free. For starters, you have to purchase the computer equipment necessary to make the connection. Then you have to obtain a connection from an Internet service provider (ISP). The ISP charges you a monthly fee that depends on the speed and capacity of the connection.

Choosing an ISP and negotiating a contract is a basic first step in setting up a WAN connection for your private network. The following sections describe the most commonly used methods of connecting network users to the Internet.

Connecting with cable or DSL

For small and home offices, the two most popular methods of connecting to the Internet are cable and digital subscriber line (DSL). Cable and DSL connections are often called broadband connections for technical reasons you don’t really want to know.

Cable Internet access works over the same cable that brings 40 billion TV channels into your home, whereas DSL is a digital phone service that works over a standard phone line. Both offer three major advantages over old-fashioned dialup connections:

  • Cable and DSL are much faster than dialup connections. A cable connection can be anywhere from 10 to 200 times faster than a dialup connection, depending on the service you get. And the speed of a DSL line is comparable with cable. (Although DSL is a dedicated connection, cable connections are shared among several subscribers. The speed of a cable connection may slow down when several subscribers use the connection simultaneously.)
  • With cable and DSL, you’re always connected to the Internet. You don’t have to connect and disconnect each time you want to go online like you would if you use a modem. No more waiting for the modem to dial your service provider and listening to the annoying modem shriek while it attempts to establish a connection.
  • Cable and DSL don’t tie up a phone line while you’re online. With cable, your Internet connection works over TV cables, not over phone cables. With DSL, the data signal travels over the same copper pair as your voice service but in a higher frequency band; a small filter at each telephone keeps the two apart, so your regular phone line isn’t affected.

Unfortunately, there’s no such thing as a free lunch, and the high-speed, always-on connections offered by cable and DSL don’t come without a price. For starters, you can expect to pay a higher monthly access fee for cable or DSL. In most areas of the United States, cable runs about $50 per month for residential users; business users can expect to pay two to three times that for the same speeds, primarily because the providers expect a higher level of usage and offer a slightly better service level for business connections.

The cost for DSL service depends on the access speed you choose. In some areas, residential users can get a relatively slow DSL connection for as little as $30 per month. For higher access speeds or for business users, DSL can cost substantially more.

Besides the cost, there are a few inherent disadvantages with DSL and cable providers:

  • Cable and DSL are asymmetrical technologies, which means that their download speeds are much faster than their upload speeds. For example, a circuit that can download at 100 Mbps is probably limited to about 10 Mbps for upload speeds. For many users, this is acceptable. But if you need to upload data as often as you need to download, the asymmetrical nature of cable and DSL will be a drawback.
  • Business-class cable and DSL provide “best effort” service levels. The provider will do its best to keep the connection up and respond to issues, but there is no guaranteed service level. When the service goes down, it can be down for a few hours or a few days.

    And it will go down. Most users find that business-class cable and DSL are unreliable. Some users find that short service interruptions are an almost daily experience. The reason is that cable’s last-mile segment is shared among the subscribers on it, and both cable and DSL are oversubscribed upstream of your connection, so the performance you get depends on what else is happening nearby. If all your neighbors suddenly start streaming the latest big thing on Netflix, your performance will suffer. Business-class cable and DSL don’t claim to be 100 percent reliable, and they aren’t.

  • Cable and DSL access aren’t available everywhere. But if you live in an area where cable or DSL isn’t available, you can still get high-speed Internet access by using a satellite hookup or a cellular network.

Connecting with T1 lines

Telephone providers such as AT&T, Time Warner, and others offer Internet service over dedicated copper phone lines using a time-proven technology called T1. I say “time-proven” because the original T1 service was developed in the 1960s, decades before the Internet even existed. T1 is not particularly fast: a single T1 line carries data at a paltry 1.544 Mbps. You can bond multiple T1 lines together to increase the speed, but you’d need 33 T1 lines to get 50 Mbps service. Newer versions such as T3 provide faster service (44.736 Mbps) but cost considerably more.

Although T1 is not the best type of service available (see the next section, “Connecting with fiber”), it’s an improvement over business-class cable or DSL from a service and reliability perspective. Your carrier will provide a guaranteed service-level agreement (SLA) with a T1 line and will give you priority service if a problem occurs.

In addition, T1 service is symmetrical and predictable. Upload and download speeds are the same, so if you have ten T1 circuits that aggregate to 15.44 Mbps, you’ll get that performance level for both uploads and downloads. And because the circuits are dedicated to your network, the performance will be consistent: it won’t slow down in the afternoon when school gets out and kids start gaming over the Internet with their home cable or DSL connections.

If you don’t have enough users to justify the expense of an entire T1 or T3 line, you can lease just a portion of the line. With a fractional T1 line, you can get connections with speeds of 128 Kbps to 768 Kbps; with a fractional T3 line, you can choose speeds ranging from 4.6 Mbps to 32 Mbps.

tip You may be wondering whether T1 or T3 lines are really any faster than cable or DSL connections. After all, T1 runs at 1.544 Mbps and T3 runs at 44.736 Mbps, and cable and DSL claim to run at much faster speeds, at least for downloads. But there are many differences that justify the substantial extra cost of a T1 or T3 line. In particular, a T1 or T3 line is a dedicated line, not shared by any other users. T1 and T3 are higher-quality connections, so you actually get the 1.544 Mbps or 44.736 Mbps connection speeds. In contrast, both cable and DSL connections usually run at substantially less than their advertised maximum speeds because of poor-quality connections and because the connections are often shared with other users.

Connecting with fiber

The fastest, most reliable, best, and of course most expensive form of Internet connection is fiber-optic. Fiber-optic cable uses strands of glass to transmit data as light signals at very high speeds. Because the light signals traveling within the fiber cables are not subject to electromagnetic interference, fiber connections are extremely reliable; about the only thing that can interrupt a fiber connection is a physical cut in the cable.

Fiber connections are typically available starting at 20 Mbps and ranging up to 1 Gbps. Obviously, the 1 Gbps service will cost a lot more than the 20 Mbps. But the cost of increased speed is incremental. For example, 20 Mbps might cost $800 per month, but 50 Mbps might be $1,000 per month and 100 Mbps might be $1,200 per month. In other words, the cost per megabit per second goes down as the speed increases.

Costs vary greatly depending on your location, so the only way to find out for sure is to get quotes from providers in your area.

In most major communities throughout the United States, providers are still building out their fiber-optic networks. The cost to bring fiber to your location may be prohibitive if you’re in an area that isn’t yet developed. If a provider already has fiber under the street running right past your building, getting fiber to your business will be relatively inexpensive. But if the nearest fiber is 5 miles away, the cost may be prohibitive.

You may be able to negotiate with the provider if you’re willing to commit to a longer term of service, such as three, four, or even five years. That will make their investment more worthwhile. It also helps if you’re in a business area where you’ll be the first fiber customer but there is a potential customer pool nearby that the provider can tap into. If you’re the only business out on the edge of town, you may not be able to convince anyone to bring fiber to you.

tip Phone service can be delivered via a fiber connection and bundled for one price. That can work to your advantage, because the provider will be more willing to bargain on the overall deal if the phone service is included.

Connecting with a cellular network

In areas where wired service (such as cable or fiber) is not available, you may be able to find wireless service, which provides Internet access using cellular or other wireless technology.

Cellular connections are not particularly fast, but they’re getting faster all the time. The current generation of cellular technology (4G) can consistently achieve speeds in the neighborhood of 10 to 12 Mbps for download, with peak speeds approaching 50 Mbps. Upload is a bit slower, usually in the 5 Mbps range.

However, actual performance depends a lot on your location. I’ve seen 4G service as bad as 0.1 Mbps. You should use a smartphone to test the upload and download speed in your area before committing to a cellular solution.

As of this writing, the next-generation cellular technology (5G) hasn’t rolled out yet, but it promises to be much faster, with speeds as much as 100 Mbps in major metropolitan areas.

With a cellular connection, the cost isn’t so much the speed but the amount of data transferred. Individual cellular contracts run about $50 to $100 per month, but they typically limit the amount of data to about 5GB or 10GB per month. You can expect to pay considerably more than that if you need more data.

Choosing a Router

After you choose a method to connect to the Internet, you can turn your attention to setting up the connection so that your private network can access the Internet. The provider you select for your Internet connection will give you an Ethernet handoff, which is simply an Ethernet port that you can use to connect to your private network. You’ll need a router to make that connection. The router is the device that provides the link between your private network and the Ethernet handoff that leads to the Internet. (For more information about routers, refer to Book 1, Chapters 2 and 3, and Book 2, Chapter 4.)

Because all communications between your network and the Internet must go through the router, the router is a natural place to provide the security measures necessary to keep your network safe from the many perils of the Internet. As a result, a router used for Internet connections often doubles as a firewall, as described in the “Securing Your Connection with a Firewall” section, later in this chapter.

Choosing a small office router

For a small office, you can probably get by with a consumer-grade router that you can purchase at a local electronics retailer such as Best Buy. Figure 2-1 shows one such router, a Linksys WRT1900AC. This router has the following specifications:

  • A WAN connection that lets you connect to your ISP’s Ethernet handoff.
  • A four-port 1 Gbps Ethernet switch. You can use this to connect up to four PCs, or to connect to an external switch for additional computers.
  • A Wi-Fi Access Point that works with most 802.11 Wi-Fi standards, including 802.11ac.
  • A USB 3.0 port that lets you connect a USB disk drive to provide storage accessible throughout your network.
  • Built-in firewall capability.
image

Courtesy of Linksys

FIGURE 2-1: A Linksys WRT1900AC router.

To learn more about this router and other routers offered by Linksys, visit www.linksys.com.

Choosing an enterprise router

For larger networks where greater throughput and more control is needed, you’ll want to select an enterprise-grade router. There are many brands to choose from, but most professionals select a Cisco router. Figure 2-2 shows several models of one of their popular routers, the ASA 5500-X series.

image

Courtesy of Cisco Systems, Inc. Unauthorized use not permitted.

FIGURE 2-2: Cisco ASA 5500-X routers.

These routers range from small tabletop units to powerful rack-mounted units that are capable of serving networks of all sizes. ASA stands for Adaptive Security Appliance; as the name suggests, these devices aren’t just routers but incorporate state-of-the-art firewall capabilities.

Table 2-1 outlines the basic capabilities of six models of the ASA 5500-X that are appropriate for most networks.

TABLE 2-1 ASA 5500-X Models

Model     Throughput   1 Gb Ports   Form Factor
5506-X    300 Mbps     8            Desktop
5508-X    500 Mbps     8            1U Rackmount
5516-X    900 Mbps     8            1U Rackmount
5525-X    1 Gbps       8            1U Rackmount
5545-X    1.5 Gbps     8            1U Rackmount
5555-X    2 Gbps       8            1U Rackmount

As you can see, the main difference between these models is the total throughput that can be supported. To support the higher bandwidth, the higher model numbers have faster CPUs and more RAM than the lower model numbers. Additional models of the ASA series can support substantially more bandwidth, but these models are sufficient for nearly all midsize networks.

The ASA 5506-X is designed primarily as a small branch router, where a dedicated equipment room with a 19-inch rack may not be available. The other models are rack-mountable and more appropriate for larger networks where a dedicated equipment room is available.

These routers are not cheap — the list prices range from just under $1,000 to almost $45,000, depending on the exact options selected. But the performance, reliability, and flexibility they afford are well worth the cost.

For more information about the ASA 5500-X series, browse to www.cisco.com/c/en/us/products/security/asa-firepower-services/index.html.

Choosing a cellular router

If you opt to use a cellular connection for Internet, either as your office’s primary connection or as a fail-over connection in case your primary connection goes down, you’ll need a router that can interface with a cellular modem. Cellular modems are usually USB devices, so your router will need to provide a USB external port to connect the cellular modem to.

Securing Your Connection with a Firewall

If your network is connected to the Internet, a whole host of security issues bubbles to the surface. You probably connected your network to the Internet so that your network’s users can get out to the Internet. Unfortunately, however, your Internet connection is a two-way street. It not only enables your network’s users to step outside the bounds of your network to access the Internet, but it also enables others to step in and access your network.

And step in they will. The world is filled with hackers who are looking for networks like yours to break into. They may do it just for the fun of it, or they may do it to steal your customers’ credit card numbers or to coerce your mail server into sending thousands of spam messages on behalf of the bad guys. Whatever their motive, rest assured that your network will be broken into if you leave it unprotected.

A firewall is a security-conscious router that sits between the Internet and your network with a single-minded task: preventing them from getting to us. The firewall acts as a security guard between the Internet and your private network. All network traffic into and out of the private network must pass through the firewall, which prevents unauthorized access to the network.

warning Some type of firewall is an absolute must if your network has a connection to the Internet, whether that connection is broadband (cable modem or DSL), T1, fiber, cellular modem, smoke signals, carrier pigeon, or anything else. Without it, sooner or later a hacker will discover your unprotected network and tell his friends about it, and within a few hours, your network will be toast.

You can set up a firewall in two basic ways:

  • Firewall appliance: A dedicated hardware device, such as a router with built-in firewall capability, that sits between your network and the Internet.
  • Firewall computer: A general-purpose computer with two network interfaces that runs firewall software, with one interface wired to your network and the other to the Internet connection.

Whether you use a firewall appliance or a firewall computer, the firewall must be located between your network and the Internet, as shown in Figure 2-3. Here, one end of the firewall is connected to a network switch, which is, in turn, connected to the other computers on the network. The other end of the firewall is connected to the Internet. As a result, all traffic from the LAN to the Internet (and vice versa) must travel through the firewall.

image

FIGURE 2-3: A firewall router creates a secure link between a network and the Internet.

The term perimeter or edge is sometimes used to describe the location of a firewall on your network. In short, a firewall is like a perimeter fence that completely surrounds and protects the edge of your property and forces all visitors to enter through the front gate.
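The following script is an added example, not code from the book or from any router vendor: it builds the default-deny ruleset for a Linux “firewall computer” in the position shown in Figure 2-3, using nftables. The interface names (eth0 toward the ISP handoff, eth1 toward the LAN switch) and the LAN subnet 192.168.1.0/24 are assumptions; override them in the environment. The point it shows is the one the text makes: every packet between the LAN and the Internet crosses the firewall, and nothing from the Internet side gets in unless it is a reply to a connection the LAN started.

```shell
#!/bin/sh
# Added example, not code from the book: a minimal stateful firewall for a
# Linux "firewall computer" in the Figure 2-3 position, one port toward the
# LAN switch and one toward the ISP's Ethernet handoff. Interface names and
# the LAN subnet are assumptions; override them in the environment.
set -eu

WAN_IF="${WAN_IF:-eth0}"                # assumed: port wired to the ISP handoff
LAN_IF="${LAN_IF:-eth1}"                # assumed: port wired to the LAN switch
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # assumed: private LAN address range

# Emit an nftables ruleset. Policy: nothing from the WAN reaches the firewall
# or the LAN unless it is a reply to a connection the LAN started; the LAN
# may go out, and its private addresses are NATed behind the WAN address.
fw_ruleset() {
    cat <<EOF
flush ruleset
table inet fw {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # management, ping and the DNS/DHCP the LAN uses: LAN side only
        iifname "$LAN_IF" ip saddr $LAN_NET tcp dport 22 accept
        iifname "$LAN_IF" icmp type echo-request accept
        iifname "$LAN_IF" udp dport { 53, 67 } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN -> Internet only; Internet -> LAN arrives solely as replies above
        iifname "$LAN_IF" oifname "$WAN_IF" ip saddr $LAN_NET accept
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$WAN_IF" ip saddr $LAN_NET masquerade
    }
}
EOF
}

# Self-check before applying: count rules that accept traffic arriving on the
# WAN interface. For a perimeter firewall that number should be zero.
wan_inbound_accepts() {
    fw_ruleset | grep -c "iifname \"$WAN_IF\".*accept" || true
}

# Apply only when asked explicitly (needs root and the nft binary).
if [ "${1:-}" = "apply" ]; then
    [ "$(wan_inbound_accepts)" -eq 0 ] || { echo "refusing: WAN accept rule present" >&2; exit 1; }
    fw_ruleset | nft -f -
    sysctl -w net.ipv4.ip_forward=1
fi
```

Run it with no arguments to see the ruleset and the self-check result; run it as root with `apply` to load it. The management rule deliberately matches on the LAN interface and source range, so the firewall itself can never be administered from the Internet side. When you add a second Internet connection later (see the warning that follows), that second port is a WAN interface too and gets no accept rules of its own either.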

warning In large networks, figuring out exactly where the perimeter is located can be a little difficult. If your network has two or more Internet connections, make sure that every one of those connections connects to a firewall — and not directly to the network. You can do this by providing a separate firewall for each Internet connection or by using a firewall with more than one Internet port.

tip Some firewall routers can also enforce virus protection for your network. For more information about virus protection, see Book 9, Chapter 2.

Providing Redundancy for Your Internet Connection

When you design how your private network connects to the Internet, two important considerations are the reliability of your Internet connection and how much that reliability matters to your company. For some companies, an occasional disruption in Internet connectivity is acceptable. For others, it isn’t: business grinds to a halt, and money is lost for every minute the Internet is down.

If that’s the case, you’ll want to provide at least two pathways to the Internet: a primary Internet connection and a backup Internet connection. The backup connection is often called a fail-over connection, because it comes into play only when the primary connection fails. With the right setup (and proper configuration), fail-over can happen automatically. When the primary Internet connection drops, the gateway router can instantly switch over to the backup connection. Then, when the primary connection is re-established, the gateway router can revert to it.

In most cases, you can get away with a slower and less reliable connection for the backup. For example, you might have a fiber-optic connection as your primary connection and use business-class cable as the backup. Fiber-optic connections are very reliable, but they do go down from time to time, especially when a back-hoe operator doesn’t realize that he or she is digging in the middle of a street where your provider’s fiber run lies buried.

Business-class cable isn’t nearly as reliable as fiber, but what are the odds that both will be down at the same time? Not likely, because most providers use separate routes for their fiber and cable runs. So, a single mishap with a back-hoe is unlikely to take out both.

If you do use a backup Internet service, you’ll need to ensure that your router can support two WAN connections with automatic fail-over. Most consumer-grade routers can’t, so you’ll typically need a business- or enterprise-grade router such as the Cisco ASA 5500-X series described earlier in this chapter.

tip If you use a backup Internet service with automatic fail-over, be sure to test it periodically. The easiest way to do that is simply to unplug the cable from the primary Internet Ethernet handoff to the router, and then see if your router has switched over to the backup connection. If you can still reach the Internet, your fail-over is working. Then plug the primary back in and confirm that the router reverts to it; a fail-over that never fails back leaves you running on the slower backup without knowing it. (If you want to keep what friends you have at your company, I suggest conducting this test after hours.)
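The script below is an added example, not code from the book, and it is not how a Cisco ASA does this (the ASA has its own route-tracking feature); it shows the mechanism on a Linux gateway with two uplinks, the book’s fiber primary plus cable backup. The interface names, gateway addresses and the probe target 9.9.9.9 are assumptions. What it demonstrates that the text only hints at is the hysteresis a real fail-over needs: one lost ping must not flip the default route, and failing back should require a longer run of good probes than failing over did. The replay function lets you exercise that decision logic on a workstation without touching any routes.

```shell
#!/bin/sh
# Added example, not code from the book: health-check driven fail-over and
# fail-back for a Linux gateway with two uplinks, the book's fiber primary
# plus cable backup. Interface names, gateway addresses and the probe target
# are assumptions.
set -eu

PRIMARY_IF="${PRIMARY_IF:-eth0}"; PRIMARY_GW="${PRIMARY_GW:-203.0.113.1}"   # assumed: fiber
BACKUP_IF="${BACKUP_IF:-eth2}";   BACKUP_GW="${BACKUP_GW:-198.51.100.1}"    # assumed: cable
PROBE_TARGET="${PROBE_TARGET:-9.9.9.9}"   # assumed: a public address that answers ping
FAILOVER_AFTER=3      # consecutive failed probes before moving to the backup
FAILBACK_AFTER=10     # consecutive good probes before returning to the primary

ACTIVE=primary; FAILS=0; OKS=0

# Feed one probe result (1 = primary answered, 0 = it did not) into the state
# machine and update ACTIVE. Hysteresis: one lost ping must not flap the
# default route, and fail-back waits longer than fail-over so a primary that
# is only half recovered is not reused too early.
failover_step() {
    if [ "$1" -eq 1 ]; then
        FAILS=0; OKS=$((OKS + 1))
        if [ "$ACTIVE" = backup ] && [ "$OKS" -ge "$FAILBACK_AFTER" ]; then
            ACTIVE=primary
        fi
    else
        OKS=0; FAILS=$((FAILS + 1))
        if [ "$ACTIVE" = primary ] && [ "$FAILS" -ge "$FAILOVER_AFTER" ]; then
            ACTIVE=backup
        fi
    fi
}

# Replay a string of probe results such as "1110001111" from a fresh state and
# print the uplink that would be active at the end. Lets you exercise the
# decision logic on a workstation, without touching any routes.
replay() {
    ACTIVE=primary; FAILS=0; OKS=0
    s="$1"
    while [ -n "$s" ]; do
        failover_step "${s%"${s#?}"}"   # first character of the remainder
        s="${s#?}"
    done
    printf '%s\n' "$ACTIVE"
}

probe_primary() {   # Linux iputils ping: one packet, two-second timeout
    if ping -c 1 -W 2 "$PROBE_TARGET" >/dev/null 2>&1; then echo 1; else echo 0; fi
}

set_default_route() {
    case "$1" in
        primary) ip route replace default via "$PRIMARY_GW" dev "$PRIMARY_IF" ;;
        backup)  ip route replace default via "$BACKUP_GW"  dev "$BACKUP_IF" ;;
    esac
}

# Daemon loop; run as root with "run". The probe target is pinned to the
# primary link with a host route so that the ping tests that link even while
# the default route points at the backup.
if [ "${1:-}" = "run" ]; then
    ip route replace "$PROBE_TARGET" via "$PRIMARY_GW" dev "$PRIMARY_IF"
    set_default_route primary
    while :; do
        before=$ACTIVE
        failover_step "$(probe_primary)"
        if [ "$ACTIVE" != "$before" ]; then
            logger -t failover "uplink changed: $before -> $ACTIVE"
            set_default_route "$ACTIVE"
        fi
        sleep 5
    done
fi
```

The unplug test from the tip above is exactly what this loop sees: three missed probes (15 seconds at the interval used here) move the default route to the cable link, and it takes 10 consecutive good probes after you plug the fiber back in before the route returns. Remember that the backup port is an Internet-facing interface too, so the firewall rules must treat it as a WAN port and not as part of the LAN.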

Securing Connections to Remote Locations and Users

One final topic for this chapter is providing secure connections for remote users. These can be individuals who need to occasionally work from home or from the road, telecommuters who have convinced their boss to let them work from a home office, or branch offices that need a permanent connection to the main office network.

The solution to all these situations is a virtual private network. A VPN works by establishing an encrypted, authenticated tunnel between two devices that are connected to the Internet, so that traffic between them crosses the public Internet without being readable or alterable by anyone in between. For the private network at your main office, the gateway router will provide the VPN capability. Remote users can run VPN software on their computers to connect to the main office VPN; remote sites such as branch offices should use gateway routers that can permanently (and transparently) connect to the VPN.

As part of your WAN network planning, you should identify all the VPN capabilities that your network will require. This will help you choose appropriate routers, because less expensive routers don’t usually provide VPN features.

Figure 2-4 shows an example of a network drawing that shows four VPN tunnels — three to remote offices and one for mobile users. To support this network, you’d need a router that can let you create at least four separate VPNs. So, a consumer-grade gateway won’t be sufficient for this network. In the figure, I specify various Cisco ASA routers to use for the VPN connections.

image

FIGURE 2-4: A network that requires four VPN connections.
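The script below is an added example, not code from the book and not a Cisco ASA configuration: it generates WireGuard configurations for the two tunnel types the section describes, as seen from a hub at the main office, with branch offices as permanently connected site peers and a mobile user as a road-warrior peer. The subnets, the host name vpn.example.com and the placeholder keys are assumptions; real keys come from `wg genkey` and `wg pubkey`. The security point it makes is that a peer’s AllowedIPs entry is both a route and an access list: a branch gateway is trusted for its whole LAN, a laptop only for its own tunnel address, and a peer may never be given the default route on the hub.

```shell
#!/bin/sh
# Added example, not code from the book (which specifies Cisco ASA gear):
# WireGuard configurations for the two tunnel types the section describes,
# generated for a hub at the main office. Subnets, host names and the
# placeholder keys are assumptions; real keys come from "wg genkey" and
# "wg pubkey".
set -eu

HUB_ENDPOINT="${HUB_ENDPOINT:-vpn.example.com}"   # assumed public name of the main office
HUB_PORT=51820
TUNNEL_NET=10.250.0.0/24          # assumed address range inside the tunnels
HUB_TUNNEL_IP=10.250.0.1
MAIN_LAN=192.168.1.0/24           # assumed main-office LAN
HUB_PUBKEY="<hub-pubkey>"         # placeholder
HUB_PRIVKEY="<hub-privkey>"       # placeholder

# One peer per line: kind name public-key tunnel-ip remote-lan
#   site = branch-office gateway, permanently connected, with a LAN behind it
#   user = a mobile user's laptop, which has no LAN to route (remote-lan "-")
PEERS='site albuquerque <abq-pubkey> 10.250.0.2 192.168.20.0/24
site denver <den-pubkey> 10.250.0.3 192.168.30.0/24
user jsmith <jsmith-pubkey> 10.250.0.50 -'

# AllowedIPs is WireGuard's cryptokey routing table: it is both the set of
# destinations routed to a peer and the only source addresses the hub will
# accept from that peer's key. A branch gets its LAN; a laptop gets its
# single tunnel address, so a stolen laptop key cannot claim a branch subnet.
allowed_ips() {   # $1 kind, $2 tunnel ip, $3 remote LAN or "-"
    if [ "$1" = site ] && [ "$3" != "-" ]; then
        printf '%s/32, %s\n' "$2" "$3"
    else
        printf '%s/32\n' "$2"
    fi
}

# A remote LAN of 0.0.0.0/0 would make that one peer the hub's default route
# (and let it source any address); refuse it on the hub side.
check_remote_lan() {
    case "$1" in
        0.0.0.0/0|::/0) return 1 ;;
        *) return 0 ;;
    esac
}

hub_config() {   # the main-office side, one [Peer] block per tunnel
    printf '[Interface]\nAddress = %s/24\nListenPort = %s\nPrivateKey = %s\n' \
        "$HUB_TUNNEL_IP" "$HUB_PORT" "$HUB_PRIVKEY"
    printf '%s\n' "$PEERS" | while read -r kind name pubkey tip lan; do
        check_remote_lan "$lan" || { echo "refusing peer $name: remote LAN $lan" >&2; exit 1; }
        printf '\n[Peer]\n# %s %s\nPublicKey = %s\nAllowedIPs = %s\n' \
            "$kind" "$name" "$pubkey" "$(allowed_ips "$kind" "$tip" "$lan")"
    done
}

branch_config() {   # $1 = site name; the branch gateway's side of its tunnel
    printf '%s\n' "$PEERS" | while read -r kind name pubkey tip lan; do
        [ "$kind" = site ] && [ "$name" = "$1" ] || continue
        printf '[Interface]\nAddress = %s/24\nPrivateKey = <%s-privkey>\n\n' "$tip" "$name"
        printf '[Peer]\n# main office hub\nPublicKey = %s\nEndpoint = %s:%s\n' \
            "$HUB_PUBKEY" "$HUB_ENDPOINT" "$HUB_PORT"
        printf 'AllowedIPs = %s, %s\n' "$TUNNEL_NET" "$MAIN_LAN"
        # keepalives hold the NAT mapping open so the tunnel stays up unattended
        printf 'PersistentKeepalive = 25\n'
    done
}

if [ "${1:-}" = "hub" ]; then hub_config; fi
if [ "${1:-}" = "branch" ]; then branch_config "${2:?site name required}"; fi
```

`./vpn.sh hub` prints the main-office configuration and `./vpn.sh branch albuquerque` the matching branch side; a mobile user’s laptop configuration looks like the branch one minus the LAN, with AllowedIPs limited to the main-office subnets it is meant to reach. The hub never sets an Endpoint for its peers, because branches and laptops are usually behind NAT and initiate the tunnel themselves; that is also why the branch side carries the keepalive and the hub does not.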

For more information about VPN, refer to Book 4, Chapter 6.