Administration Small to Medium Solutions

In order to maintain the integrity of the private network, the network administrator will have to monitor the VPN system's logs, error reports, and other documentation very closely. Users must be trained extensively in security issues, such as password and digital key integrity and confidential information procedures. The main anxiety for the systems administrator is that the entire Internet's host of criminals looking for a challenge will have a shot at your private network. These people will try to break into your system, but common sense and precautions will keep your private network from being an easy target. The network administrator can expect to spend 20 to 40 hours a month dealing with ISP, security, and Internet issues.

3.3.1.4 Security, scalability, and stability

Like WAN solutions, the VPN is by far more economical than RAS with regard to scalability, but scalability translates directly into economy. As the network expands, an RAS service could devour more than half of the network department's budget and time, while a VPN's cost can be kept at a more manageable level. And, while not entirely stable, a VPN is at least as stable as RAS. Users still dial in to a central point, but the burden of maintenance and support is on the ISP, not the organization's network administrator. While your local administrator may be as knowledgeable, those running an ISP are focused almost entirely on their RAS services. The network administrator in an organization has a plethora of issues to address daily. The VPN lightens this load, somewhat. The complete security of a RAS service is not as assured as a WAN, though it probably equals that of a VPN. Anyone with a modem and a password can hit the organization's RAS services. Attacks on private RAS pools are as old as the profession of hacking itself. With VPNs you have the security of encrypted traffic, including passwords, usernames, and, in many cases, IP addresses and communication ports via firewalls. While the Internet is the staging ground for most network attacks today, a VPN will keep a medium-sized network as safe as it can be.

3.3.2 Large Solutions

A large network is a prime candidate for replacement of RAS with a virtual private network. Figure 3-7 compares the two solutions. With a large RAS solution, many times there are small- to medium-sized remote sites connecting to the central network, in addition to roaming and static end users. Sales personnel calling from remote customer sites in other countries, developers telecommuting from home, and many other scenarios make a RAS pool a living nightmare for a network administrator. With the VPN, not only are costly long distance charges avoided, but the flexibility and scalability allow for efficient evaluation of upgrade and end user needs.

Figure 3-7. Leased-RAS versus virtual private network on a large network

3.3.2.1 Telco

A remote access site of this size requires at least a 1-to-5 ratio of lines to users. The example network on which we've based this section has about 450 users of the system and 180 incoming lines. Several of these lines are dedicated ISDN connections for nearby branch offices, and are connected 24 hours a day. The remaining lines are carried on PRI ISDN lines, which allows for 23 analog and/or digital connections simultaneously per PRI. The only other addition to the telecommunications puzzle piece is an 800 access line for roving users. Though this is an expensive route, an 800 number is still cheaper than a long distance call for traveling users of the system. With the VPN, the minimum connection to an ISP is a fractional T3 line. The T3 is connected to a large national Internet service provider, such as BBN Planet or Sprint. Connecting through such a large ISP may be more costly, but it will save the system administrator headaches when there is a problem. National ISPs tend to have better support and some sort of notification system when problems are anticipated or emergencies arise. Another benefit of staying with a national ISP is the availability of service for all users and remote sites and the strength of their national backbone. Most national ISPs also offer other Internet services such as modem or ISDN dial-up. This allows the organization to standardize on an Internet carrier, and thus have a single point of contact. For the remote offices, an ISDN connection to the ISP is required, though it need not be a dedicated connection unless the site's network is large or has an around-the-clock need for a constant connection to the main office or the Internet. The individual users have a choice of either modem or ISDN dial-ups, as the individual need requires.