General WAN, RAS, and VPN Concepts

Remote access services, or RAS, consist of banks of incoming, on-demand telco lines for connecting remote users or networks. This could range from a terminal server with several modems to a RAS server with incoming PRI lines (PRIs are digital T1 lines channelized for 23 ISDN or modem connections). Figure 3-2 shows a simplified RAS solution, with its RAS server and incoming networks and users.

Figure 3-2. Dial-up connections

The virtual private network, our VPN, is somewhat more complex, as you may have gleaned from previous chapters. The VPN concept, of course, is to allow users or networks to access central private network resources securely via the Internet. There are three basic solutions that mirror both WAN and RAS implementations: the point-to-network, the network-to-network, and the integrated solution. The point-to-network solution is meant to replace RAS as a primary connection method for the typical end user. Instead of dialing in to a central RAS point, the user dials in to a regional Internet service provider and connects to the private network via some secure protocol (i.e., SSH, PPTP, L2TP, etc.). The network-to-network solution is similar, except that the remote network connects to an ISP and sends its private communication to a central firewall or VPN server equipped with a secure protocol. The Cisco PIX firewall and the IPSec protocol fall into this scenario, though IPSec is also available for point-to-network connections. The integrated solution is generally VPN servers, firewall software, or dedicated hardware (or a combination of all three) that allows both networks and end users to access the private network. IPSec products such as Checkpoint Firewall-1 are considered integrated solutions. Figure 3-3 shows a generic integrated solution using an IPSec firewall for connecting networks and a PPTP server for incoming end-user connections.

Figure 3-3. Virtual private network for WAN and dial-up connections

It is important to note that most WAN and RAS networks also have connections to the Internet. While the examples to follow do not assume an Internet connection, in today's networking world, converting from a WAN or RAS solution to a VPN would actually cut costs, as extraneous telco lines could be dropped and WAN/RAS-specific equipment and personnel could be used for other purposes. What is left is only to purchase and implement a VPN solution and increase bandwidth to the Internet.

3.2 VPN Versus WAN

This section illustrates how to use a VPN to solve WAN issues, and the various comparison points between the two. In sticking with our six generic criteria, we explore the small to medium VPN/WAN and the large VPN/WAN in turn, as each has its own specific issues.

3.2.1 Small to Medium Solutions

While this is a broad topic, we will define a small to medium network as anything under 100 nodes, including the central network. Figure 3-4 compares a typical small to medium WAN to its VPN counterpart. Both scenarios include a small remote network that needs to connect to a central network resource.

Figure 3-4. Leased-line solution versus virtual private network

3.2.1.1 Telco

The WAN connection could use an ISDN line if the remote network is within the local calling area of the main office. If the remote office is out of this area, a leased 56 Kbps frame relay line would be the best bet. The big difference is that an ISDN line usually does not incur per-minute charges if the call is local, but would rack up long distance charges otherwise. However, some calling areas do incur per-minute charges for local ISDN calls. A frame relay line typically has a flat per-month charge, and is generally more expensive than an ISDN line, especially considering any mileage charges associated with the line. ISDN offers more bandwidth (up to 128 Kbps with a single basic rate ISDN line). Two 56 Kbps leased lines would be needed to even get close to this level of bandwidth (112 Kbps). The choice between the lines comes down to estimated usage and the relevant charges associated with usage, as well as the bandwidth needed to the remote site. Note that an ISDN or frame relay line is required on both ends of the connection. For networks with a hundred nodes or less, 128 Kbps is adequate bandwidth in most cases.

A VPN could use either frame relay or ISDN, but the line would connect to a local Internet service provider. If both offices are in the same calling area, the same ISP should be used, reducing the odd nature of Internet routing (that is, ISPs across town routing traffic to each other across the country). If the remote office is outside the calling area of the central office, the ISPs chosen on both sides should be connected to the same upstream Internet provider, if possible. This will significantly reduce Internet routing issues and increase the speed and reliability of the virtual private network. Both sides of the connection still require a line installed locally, be it ISDN or frame relay. Again, 128 Kbps is adequate for a network of 100 nodes or less.