Network Design Concepts with Tunneling
As you start to see how tunneling works, it is important that you understand how it fits into your environment. Although it is possible to implement most VPN designs because of the flexibility of the technology, some designs work better than others. It is up to the network architect to decide what is best for a particular environment. Several areas need to be addressed, such as network infrastructure, network topology, and firewalls.
To start, the network administrator must make sure he or she is familiar with the current network environment. To roll out a secure network environment, you must have an accurate inventory of the current network topology. This can be a huge challenge, depending on the size of the network. A good way to track down external links is to analyze phone bills. The accounts from the phone company will show leased lines, as well as links that might have been installed long ago. I have seen networks that have grown so much or have been involved in so many mergers that no one knows the details of all of the links. Until such data is discovered and documented, potential security problems and possible technical issues are inevitable.
Another problem the network administrator has to consider is the type of protocols that need to be supported. More and more networks are moving toward the exclusive use of TCP/IP. But there are certainly exceptions to this. Your VPN infrastructure might need to support IPX, AppleTalk, NetBEUI, and others. You must know which protocols are needed before you can implement the VPN rollout.
For example, you need to know whether it's necessary to continue to support IPX for legacy NetWare servers. If your tunnel server is a Windows 2000-based server and the clients still need to access NetWare servers, they must use either PPTP or L2TP to access the corporate network because those protocols permit IPX. This protocol requirement also affects the router configuration and the client configuration. This additional configuration consideration must be part of your deployment plan.
Network topology plays an important role in the design of your corporate VPN plan. First, you must have a thorough knowledge of your routing environment. Your VPN clients and servers have to fit into the routing infrastructure of your network. Otherwise, your routing infrastructure needs to be changed to reflect your VPN rollout. There are a tremendous number of options when it comes to routing with VPNs, and each network has different needs and, likely, different paths.
The network topology is critically important to the design of a VPN-based solution for branch office links. Your design must fit with the existing infrastructure, or the new routes will never work.
The network administrator must have a full understanding of TCP/IP and routing, as well as knowledge of the existing network. When tunnel servers are introduced, even for just client access, a number of network issues must be addressed. The plan needs to be defined for DDNS, DHCP scope options, routes, network load, external addresses, and more. None of these designs should be planned until the existing network infrastructure and topology is fully understood.
Your firewall configuration is very important to VPN design. In large organizations with a number of firewalls, a common problem is that not all the firewalls are configured in the same way. In fact, many companies have different types of firewalls, connected in various different ways. Because the firewalls affect the way you roll out your VPN, it is extremely important that the configuration be consistent throughout the organization. The firewalls need not be the same type, but you need to be able to get the same results from each.
Firewall configuration is also going to be a big issue because of demilitarized zones, protocol passthrough settings, and ACLs. It is extremely important that the network administrator coordinates and manages the firewall settings as they relate to VPNs. Because the firewall is the lifeline to the network, when a firewall is misconfigured, it can bring the network down. I cover this in detail in Chapter 8, "NAT and Proxy Servers."
Some network environments might not even have firewalls at remote sites. These networks rely on packet filtering (packet filtering is also a type of a "firewall" that blocks unauthorized traffic). Additionally, some remote access clients, either by network policy or manually, might want to initiate packet filtering at the time of the connection to the VPN. These strategies help ensure that no unauthorized traffic comes into the Internet-accessed corporate network resources through the VPN. Packet filtering issues need to be addressed based on the needs of the corporate network.
Many VPN network designs rely on both one-way and two-way initiated connections using the demand-dial routing features of Routing and Remote Access Service (RRAS). This dictates how your VPN routing environment should be defined. It also dictates how security zones are implemented from a routing point of view.