VPN as the Key for a Successful MSP Business
“VPN as the Key for a Successful MSP Business” is a Tactical eHandbook that reveals Virtual Private Networks as the tactics of a successful delivering of managed services and presupposes that you are an IT Services Provider whose strategy is delivering of managed services already. Please be aware that Virtual Private Networks are considered in the eHandbook as a way of delivering of managed services, but not as a service itself.

Published in: Technology, Business


  • 1. Tactical eHandbook
    by Safar Safarov
  • 2. Foreword [ 3 ]
    Introduction to Managed Services
    What is Managed Services? [ 5 ]
    What is MSP? [ 6 ]
    Customer & MSP Benefits [ 7 ]
    What Makes a MSP? [ 8 ]
    MSP Technology [ 9 ]
    Steps to Successful MSP [10]
    Introduction to Virtual Private Networks
    What is VPN? [13]
    Types of VPN [14]
    VPN Classifications [15]
    What Makes a VPN? [18]
    Delivering of Managed Services via VPN
    Why VPN? [20]
    Delivery Methodology [21]
    What type of VPN to use? [27]
    Case stories [31]
    Terminology [33]
    References used in creating this eHandbook
    References [39]
  • 3. From the World Wide Web:
    “Have you ever thought about how the agents of those RMM Systems are connected with the applications? It’s simple – VPN!”
    “We have a unique method by which we manage all our clients. It’s called VPN… I could not imagine doing business any other way…”
    “We inform our customers that we can create a remote monitoring via VPN (Virtual Private Network) to their systems and take care of them even in case we are located in different cities, countries.”
    “…it’s better to allow a trusted party into your environment, one who will be accountable for keeping all un-trusted parties out. Only through this type of structured arrangement can you be sure that your network is truly secure.”
    “VPN as the Key for a Successful MSP Business” is a Tactical eHandbook that reveals Virtual Private Networks as the tactics of a successful delivering of managed services and presupposes that you are an IT Services Provider whose strategy is delivering of managed services already. Please be aware that Virtual Private Networks are considered in the eHandbook as a way of delivering of managed services, but not as a service itself.
    Good Luck!
    Best Regards,
    Safar Safarov
    January 23, 2010
  • 4. CHAPTER 1
    Introduction to Managed Services
  • 5. Managed Services is the practice of transferring day-to-day management responsibility as a strategic method for improving the effectiveness and efficiency of operations. The person or organization who owns or has direct oversight of the organization or system being managed is referred to as the offerer, client, or customer. The person or organization that accepts and provides the managed service is regarded as the service provider.
    Typically, the offerer remains accountable for the functionality and performance of the managed service and does not relinquish the overall management responsibility for the organization or system.
    What is Managed Services?
  • 6. A Managed Services Provider (MSP), is typically an information technology (IT) services provider, who manages and assumes responsibility for providing a defined set of services to their clients either proactively or as they (not the client) determine that the services are needed. Most MSPs bill a flat or near-fixed monthly fee, which benefits their clients by providing them with predictable IT support costs.
    Many MSPs now provide many of their services remotely over the Internet rather than having to perform on-site client visits, which is time consuming and often expensive. Common services provided by MSPs include remote network, desktop and security monitoring, patch management and remote data back-up, as well as technical assistance.
    One major challenge that MSPs faced was in changing from the reactive break-fix model to which they were accustomed into the new proactive managed services model, particularly because this model represented a major shift in the industry. Many early adopters struggled to properly convey the benefits of managed services to their existing break-fix clients. Many continue to service break-fix clients even though it is in their best interest to make the shift to managed services only.
    What is MSP?
  • 7. Key customer benefits:
    • Customer peace of mind – the network is monitored proactively on a 24x7x365 basis;
    • Single point of contact for all network issues;
    • Single supplier instead of multiple vendors;
    • Defined Service Levels (for service delivery);
    • Known costs for management & fixed-price contracts;
    • Avoided costs of building own management & reporting systems;
    • Lower Total Cost of Ownership (TCO) for the client.
    Key Service Provider benefits:
    • Business contracts – extended longevity (in line with CPE life spans);
    • Increased “stickiness” & ARPU (average revenue per user);
    • Ability to interact with & influence customers at a business/application decision-making level;
    • Protected vital carriage revenue through de-commoditizing & value adding.
    Customer & MSP Benefits
  • 17. IT solution providers who encounter problems moving their businesses to a managed services model tend to misinterpret the meaning of managed services and underestimate the level of commitment this transition requires and the impact it can have on the way they operate.
    Managed services are not just the simple act of monitoring customers’ IT systems remotely and reacting to problems when they occur. Truly successful managed services entail a series of proactive tasks which are performed on an ongoing basis to prevent many problems from ever materializing. These tasks range from systematic patch management updates to specific virus and other forms of security scans. They also include system reconfigurations based on utilization levels to avoid potential failures.
    To be done cost-effectively, these tasks cannot be done manually. Instead, an MSP must implement software which enables them to perform these tasks in an automated fashion every day to keep customers’ systems up and running.
    Managed Services represent a fundamental change in the way IT solution providers approach the market and interact with their customers. Rather than depending on traditional, product-centric, project-oriented planning, installation or break-fix work, managed services require IT solution providers to take a more holistic view. They must be willing to assume responsibility for the performance of their customers’ IT operations. This demands that IT solution providers have the right management tools and skills to continuously monitor and quickly resolve issues before they impact the customers’ business. It also requires that the MSP have the planning and design skills to help customers make more significant modifications to their IT operations when necessary.
    What Makes a MSP?
  • 18. “Before buying the platform, we had to wait for a phone call from the client when something went wrong,” says Ethan Simmons (NetTeks Technology Consultants). “Once we added the remote monitoring and management platform, it gave us better insight into what the client was doing, allowing us to be proactive and to better guarantee uptime.”
    Some MSPs invest in customer relationship management (CRM) software to give managed services teams an integrated view of the customer, while others rely on the built-in capabilities of the monitoring and management platform. “Operational efficiency requires seamless integration, from the service desk to the help desk, ticketing, billing and reporting,” says Michael Drake (masterIT). “We recommend a system that is client-centric with one database – all notes, tickets and reports can be found in the client record.”
    The software’s documentation and reporting capabilities help demonstrate the value that managed services deliver. “We joke all the time: When was the last time you heard a client say, ‘Gee, thanks for not coming here?’,” Drake says. “You have to be very intentional in terms of demonstrating value to the client.”
    Regular client meetings address this – “wellness visits,” – Drake calls them – where MSPs share detailed management reports and logs with clients to document disasters averted and problems solved. Connecting these to the business costs of downtime helps clients understand the value of proactive services.
    Such meetings can present sales opportunities. “If a server went down, and we brought it up within eight hours, we might say, ‘Next time our goal is to do it in two hours, but to do that we need to buy this software’,” says Arun Patel (Micro Symplex). Clients who are shown the business implications of the operational reports often agree to major IT upgrades and enhancements.
    MSP Technology
  • 19. Steps to a successful MSP:
    • Because delivering effective and profitable managed services is a fundamentally different way of doing business and relating to customers, managed services should not be viewed as another “product add-on” but must be recognized as a strategic change in a company’s business.
    • A managed service is more than just monitoring a customer’s operations remotely and reacting to problems as they arise.
    • Managed services require support staff to assume greater responsibility for the universal availability and optimal performance of their customers’ IT operations.
    • Support staff must be proactive and focus on preventing problems rather than measuring their effectiveness by how quickly they respond to and resolve problems after they occur.
    • The more management responsibility a provider is willing to assume, the easier it is to sell their managed services, because a full suite of services eliminates any ambiguity about the customer’s and provider’s mutual roles.
    • Rather than building their own or acquiring a costly platform which requires substantial upfront investment, providers should leverage tools that automate as many of the management tasks as possible and are scalable to expand with the growth of the customer base.
    Steps to Successful MSP
  • 25. Steps to a successful MSP (continued):
    • Remote managed services should not entirely replace face-to-face interaction with customers.
    • Customers may not fully appreciate the benefits they gain from managed services unless the provider systematically measures and regularly reports operational improvements.
    • Managed services should enable providers to change the nature of the sales “conversation” with customers from tactical, technical or billing issues to bigger business and strategic topics.
    • The support and sales staff must be trained to become customer “relationship” managers rather than technology- or transaction-oriented staff.
    • Managed services provide a competitive advantage by giving the provider the first opportunity to uncover additional customer needs.
    Steps to Successful MSP
  • 30. CHAPTER 2
    Introduction to Virtual Private Networks
  • 31. A virtual private network (VPN) is a computer network that is implemented in an additional logical layer (overlay) on top of an existing larger network. It has the purpose of creating a private scope of computer communications or providing a secure extension of a private network into an insecure network such as the Internet.
    The links between nodes of a virtual private network are formed over logical connections or virtual circuits between hosts of the larger network. The Link Layer protocols of the virtual network are said to be tunneled through the underlying transport network.
    One common application is to secure communications through the public Internet, but a VPN does not need to have explicit security features such as authentication or traffic encryption. For example, VPNs can also be used to separate the traffic of different user communities over an underlying network with strong security features, or to provide access to a network via customized or private routing mechanisms.
    VPNs are often installed by organizations to provide remote access to a secure organizational network. Generally, a VPN has a network topology more complex than a point-to-point connection. VPNs are also used to mask the IP address of individual computers within the Internet in order, for instance, to surf the World Wide Web anonymously or to access location restricted services, such as Internet television.
    What is VPN?
  • 32. Remote Access (RAS) VPN – Under this application only a single VPN gateway is involved. The other party negotiating the secure communication channel with the VPN gateway is a PC or laptop that is connected to the Internet and running VPN client software. The VPN client allows telecommuters and traveling users to communicate on the central network and access servers from many different locations.
    Benefit: Significant cost savings by reducing the burden of long distance charges associated with dial-up access. Also helps increase productivity and peace of mind by ensuring secure network access regardless of where an employee physically is.
    Site-to-Site Intranet VPN – With Intranet VPN, gateways at various physical locations within the same business negotiate a secure communication channel across the Internet known as a VPN tunnel. An example would be a network that exists in several buildings connected to a data center or mainframe that has secure access through private lines. Users from the networks on either side of the tunnel can communicate with one another as if it were a single network. These may need strong encryption and strict performance and bandwidth requirements.
    Benefit: Substantial cost savings over traditional leased-line or frame relay technologies through the use of Internet to bridge potentially long distances between sites.
    Site-to-Site Extranet VPN – Almost identical to Intranets, except they are meant for external business partners. As such, firewall access restrictions are used in conjunction with VPN tunnels, so that business partners are only able to gain secure access to specific data / resources, while not gaining access to private corporate information.
    Benefit: Businesses enjoy the same policies as a private network, including security, QoS, manageability, and reliability.
    Types of VPN
  • 33. VPN technologies may be classified by many standards. Two broad categories are secure VPNs and trusted VPNs. Some other types of VPN may not fit neatly within these two categories. For example, an end-user managed GRE tunnel may not necessarily use encryption to protect the tunnel contents. L2TP can also be used to tunnel traffic from a network access server to another location without enforcing encryption.
    Secure VPNs explicitly provide mechanisms for authentication of the tunnel endpoints during tunnel setup, and encryption of the traffic in transit. Often secure VPNs are used to protect traffic when using the Internet as the underlying backbone, but equally they may be used in any environment when the security level of the underlying network differs from the traffic within the VPN. Secure VPNs may be implemented by organizations wishing to provide remote access facilities to their employees or by organizations wishing to connect multiple networks together securely using the Internet to carry the traffic. A common use for secure VPNs is in remote access scenarios, where VPN client software on an end user system is used to connect to a remote office network securely. Secure VPN protocols include IPSec, SSL or PPTP (with MPPE).
    Trusted VPNs are commonly created by carriers and large organizations and are used for traffic segmentation on large core networks. They often provide quality of service guarantees and other carrier-grade features. Trusted VPNs may be implemented by network carriers wishing to multiplex multiple customer connections transparently over an existing core network or by large organizations wishing to segregate traffic flows from each other in the network. Trusted VPN protocols include MPLS, ATM or Frame Relay. Trusted VPNs differ from secure VPNs in that they do not provide security features such as data confidentiality through encryption. Secure VPNs however do not offer the level of control of the data flows that a trusted VPN can provide such as bandwidth guarantees or routing.
    VPN classifications
  • 34. Secure VPNs use cryptographic tunneling protocols to provide the intended confidentiality (blocking intercept and thus packet sniffing), sender authentication (blocking identity spoofing), and message integrity (blocking message alteration) to achieve privacy. Tunnel endpoints are required to authenticate themselves before secure VPN tunnels can be established. End user created tunnels, such as remote access VPNs may use passwords, biometrics, two-factor authentication or other cryptographic methods. For network-to-network tunnels, passwords or digital certificates are often used, as the key must be permanently stored and not require manual intervention for the tunnel to be established automatically.
    Secure VPN protocols include the following:
    IPSec (Internet Protocol Security) – A standards-based security protocol developed originally for IPv6, where support is mandatory, but also widely used with IPv4.
    Transport Layer Security (SSL/TLS) is used either for tunneling an entire network’s traffic (SSL VPN) or for securing an individual connection. SSL has been used as the foundation by a number of vendors to provide remote access VPN capabilities. A practical advantage of an SSL VPN is that it can be accessed from locations that restrict external access to SSL-based e-commerce websites without IPSec implementations.
    DTLS, used by Cisco for a next-generation VPN product called Cisco AnyConnect VPN. DTLS solves the issues found when tunneling TCP over TCP, as is the case with SSL/TLS.
    Secure Socket Tunneling Protocol (SSTP) by Microsoft, introduced in Windows Server 2008 and Windows Vista Service Pack 1. SSTP tunnels Point-to-Point Protocol (PPP) or L2TP traffic through an SSL 3.0 channel.
    MPVPN (Multi Path Virtual Private Network). Ragula Systems Development Company owns the registered trademark "MPVPN".
    SSH VPN – OpenSSH offers VPN tunneling to secure remote connections to a network (or inter-network links). The OpenSSH server provides a limited number of concurrent tunnels, and the VPN feature itself does not support personal authentication.
    VPN classifications: Secure VPNs
  • 35. Trusted VPNs do not use cryptographic tunneling, and instead rely on the security of a single provider’s network to protect the traffic.
    Trusted VPN protocols include the following:
    Multi-Protocol Label Switching (MPLS) is often used to overlay VPNs, often with quality-of-service control over a trusted delivery network.
    Layer 2 Tunneling Protocol (L2TP) which is a standards-based replacement, and a compromise taking the good features from each, for two proprietary VPN protocols: Cisco’s Layer 2 Forwarding (L2F) and Microsoft’s Point-to-Point Tunneling Protocol (PPTP).
    From the security standpoint, VPNs either trust the underlying delivery network, or must enforce security with mechanisms in the VPN itself. Unless the trusted delivery network runs only among physically secure sites, both trusted and secure models need an authentication mechanism for users to gain access to the VPN.
    VPN classifications: Trusted VPNs
  • 36. A well-designed VPN can greatly benefit a company. Thus, it can:
    • Extend geographic connectivity;
    • Improve security;
    • Reduce operational costs versus a traditional WAN;
    • Reduce transit time and transportation costs for remote users;
    • Improve productivity;
    • Simplify network topology;
    • Provide global networking opportunities;
    • Provide telecommuter support;
    • Provide broadband networking compatibility;
    • Provide faster ROI (return on investment) than a traditional WAN.
    What features are needed in a well-designed VPN? It should incorporate:
    What Makes a VPN?
  • 50. CHAPTER 3
    Delivering of Managed Services via VPN (Virtual Private Network)
  • 51. Advantages of VPN:
    • Centralized management;
    • Centralized monitoring;
    • Simplified management;
    • Improved security;
    • Delivery of services worldwide;
    • Early problem detection;
    • Faster problem analysis;
    • Efficient repair;
    • Decreased cost.
    Disadvantages of VPN:
    • VPNs require an in-depth understanding of public network security issues and proper deployment of precautions;
    • The availability and performance of an organization’s wide-area VPN (over the Internet in particular) depend on factors largely outside of its control;
    • VPN technologies from different vendors may not work well together due to immature standards;
    • VPNs need to accommodate protocols other than IP and existing (“legacy”) internal network technology.
    Why VPN?
  • 63. Despite the variety of possible topologies to create a Virtual Private Network, I will consider only two basic scenarios.
    Scenario 1: One-way Virtual Private Network [as shown on Page 22].
    Every client’s network connects to MSP’s network via one-way VPN. One‐way routing on MSP’s network ensures that customers’ computers as well as other network equipment cannot see or communicate with each other through MSP’s network. Furthermore it ensures that customer’s computers as well as other network equipment cannot see MSP’s network itself.
    This scenario is perfect if you will use only Windows Management Interface (WMI) and/or Simple Network Management Protocol (SNMP) as well as Remote Administration utilities (like VNC or RAdmin) to monitor/manage client’s computers & other network equipment.
    Scenario 2: Virtual Private Network with DMZ (Demilitarized Zone) [as shown on Page 23].
    Every client’s network connects to MSP’s network via VPN. Customers’ computers as well as other network equipment cannot see or communicate with each other through MSP’s network. Furthermore customers’ computers as well as other network equipment can see only servers and/or other network equipment placed in DMZ of MSP’s network and cannot see MSP’s network itself.
    This scenario is perfect if you will use not only WMI/SNMP and Remote Administration utilities, but other solutions like Centralized Antivirus Update and Alerting or Windows Server Update Services.
    Delivery Methodology
  • 64. [Page 22 – diagram slide] Delivery Methodology. Scenario 1: One-way Virtual Private Network
  • 65. [Page 23 – diagram slide] Delivery Methodology. Scenario 2: Virtual Private Network with DMZ
  • 66. To optimize traffic load and to avoid confusion, I recommend using one VPN product per backbone network at the MSP’s office. Also, I recommend using a hardware VPN as the VPN product. If VPN tunneling and encryption tasks are carried out in software, they take CPU cycles from other processes, and this can become an issue. In contrast, a VPN appliance is built to handle all VPN tasks without putting an additional burden on any of your existing networking equipment.
    I will not describe how to create a VPN, because the procedure for creating a VPN varies from product to product and vendor to vendor, even if there are similarities. Thus, my recommendation is to follow the instructions in the manual of the particular product. Along with the choice of VPN topology, you should think about creating your own standard for domain names, host/node names and the designation of IP addresses, so that you can provide it to your clients. This is a very important task which will save you from headaches and confusion as well as from configuration failures in the future.
    Backbone networks.
    A backbone network or network backbone is a part of computer network infrastructure that interconnects various pieces of network, providing a path for the exchange of information between different LANs or subnetworks. A backbone can tie together diverse networks in the same building, in different buildings in a campus environment, or over wide areas. Normally, the backbone's capacity is greater than the networks connected to it.
    In our case, I consider a backbone network as the highest point in the hierarchy of Virtual Private Networks, which connects the MSP’s office with the clients’ offices. So, in my model the first octet of an IP address is used to indicate the backbone network, the two last digits of the second octet together with the three digits of the third octet are used to indicate a Client ID number, and the fourth octet is used to designate unique IP addresses for network devices. Thus, one backbone network can contain up to 25550 networks.
    Delivery Methodology
  • 67. Standards of Windows domain, host/node names; computer description; designation of IP addresses [as shown on Page 26].
    Let’s take network as a network assigned to a client, and reserve 10 networks per client in case the client has, or may have, more than one facility – one network per facility. Let’s say that the first octet of the network indicates our backbone network; the two last digits of the second octet together with the three digits of the third octet indicate a Client ID; and the fourth octet indicates hosts/nodes in the client’s network. Thus our backbone network can contain up to 25500 networks and designates 2550 clients, as we reserved 10 networks per client (for example, network will be assigned to the client with the Client ID 73251).
    Let’s take W00000AA as a computer (host) name and N00000AA as a Wireless Access Point (node) name for a client’s network. The first letter of a device name indicates the particular device type (Workstation, Network device, etc.), the next 5 digits indicate the Client ID and the last 2 letters are used to assign a unique name to the device; furthermore, one or both of the last 2 letters can indicate the role of a server or a network device. Keep in mind that a device name should contain no more than eight alphanumeric symbols (this applies mainly to computers) and shouldn’t start with a digit or with the letters A-F (for example, if a client with the Client ID 73251 has a server whose role is DC, two network printers, a wireless access point and a laptop in its network, the device names can be S73251DC, P73251NA, P73251NB, N73251WA and L73251AA respectively).
    Let’s take client.local as a windows domain name for a client. Domain suffix “local” is used as a standard suffix for internal domains as it’s non-routable and intended to avoid DNS issues and to improve security of a domain. So, if our client is FIC with the Client ID 73251 and has a server in its network, FQDN for the server will be S73251AA.FIC.LOCAL.
    To avoid confusion of customers’ computers it’s recommended to show a customer’s information in the customer’s computer description as well as name of a department that he/she works for.
    Delivery Methodology
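An added example (not the author's code) that applies the addressing and naming standard of slide 67 and the segregation rule of the two scenarios on slide 63: it decodes backbone, Client ID and host from an IPv4 address, validates device names against the stated pattern, flags devices whose name and address disagree on the Client ID, and audits a constructed set of flows against the "clients see only the DMZ, never the MSP LAN or each other" rule. The MSP-side networks (10.0.0.0/24 as the MSP LAN, 10.0.1.0/24 as the DMZ) and the device-type letters are assumptions; the "10 networks per client" reservation is not modeled because the page does not say how it maps onto the octets, so the check applies the strict five-digit rule.

```python
import ipaddress
import re

# Naming standard from the handbook: one device-type letter, the 5-digit
# Client ID, then two letters. A name is at most 8 alphanumerics and must not
# start with a digit or with A-F, so the type letter is restricted to G-Z.
DEVICE_NAME = re.compile(r"^([G-Z])(\d{5})([A-Z]{2})$")

# Hypothetical layout of the MSP side (the page gives no addresses):
# the MSP office LAN and its DMZ are two /24s on backbone 10.
MSP_INTERNAL = ipaddress.ip_network("10.0.0.0/24")
MSP_DMZ = ipaddress.ip_network("10.0.1.0/24")


def parse_address(ip):
    """Split an IPv4 address per the handbook into (backbone, client_id, host):
    backbone = 1st octet; client_id = last two digits of the 2nd octet followed
    by the three digits of the 3rd octet, zero-padded; host = 4th octet."""
    o1, o2, o3, o4 = ipaddress.IPv4Address(ip).packed
    return o1, f"{o2 % 100:02d}{o3:03d}", o4


def parse_device_name(name):
    """Return (type_letter, client_id, suffix); reject non-standard names."""
    match = DEVICE_NAME.match(name)
    if match is None:
        raise ValueError(f"device name {name!r} violates the naming standard")
    return match.groups()


def fqdn(name, client_domain):
    """Build the FQDN form the page shows: <device name>.<client>.LOCAL."""
    return f"{name}.{client_domain}.LOCAL".upper()


def find_misplaced_devices(inventory):
    """Flag devices whose name carries a Client ID different from the one
    encoded in their address. `inventory` is a list of (name, ip) tuples;
    returns [(name, ip, client_id_from_address), ...]."""
    misplaced = []
    for name, ip in inventory:
        _, name_cid, _ = parse_device_name(name)
        _, addr_cid, _ = parse_address(ip)
        if name_cid != addr_cid:
            misplaced.append((name, ip, addr_cid))
    return misplaced


def zone(ip):
    """Classify an address as ('msp', None), ('dmz', None) or ('client', id)."""
    addr = ipaddress.IPv4Address(ip)
    if addr in MSP_INTERNAL:
        return "msp", None
    if addr in MSP_DMZ:
        return "dmz", None
    return "client", parse_address(ip)[1]


def flow_allowed(src, dst, scenario=2):
    """Segregation rule of the two scenarios: the MSP LAN may reach every
    client; a client may reach its own networks, may reach the DMZ only in
    Scenario 2, and never the MSP LAN or another client's network. DMZ hosts
    are assumed (simplification) not to initiate flows."""
    s_zone, s_cid = zone(src)
    d_zone, d_cid = zone(dst)
    if s_zone == "msp":
        return True
    if s_zone == "client" and d_zone == "client":
        return s_cid == d_cid
    if s_zone == "client" and d_zone == "dmz":
        return scenario == 2
    return False


def audit_flows(flows, scenario=2):
    """Return the (src, dst) flows that the chosen scenario must not allow."""
    return [flow for flow in flows if not flow_allowed(*flow, scenario=scenario)]


# Constructed sample data for the client with Client ID 73251.
SAMPLE_INVENTORY = [
    ("S73251DC", "10.73.251.10"),    # domain controller
    ("P73251NA", "10.73.251.20"),    # network printer
    ("N73251WA", "10.73.251.2"),     # wireless access point
    ("L73251AA", "10.73.252.33"),    # laptop whose address encodes 73252
]
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.73.251.10"),    # MSP LAN -> client: WMI/SNMP monitoring
    ("10.73.251.10", "10.0.1.10"),   # client -> DMZ: WSUS / antivirus updates
    ("10.73.251.10", "10.0.0.5"),    # client -> MSP LAN: must be blocked
    ("10.73.251.10", "10.84.120.7"), # client -> another client: must be blocked
]

if __name__ == "__main__":
    print("misplaced devices:", find_misplaced_devices(SAMPLE_INVENTORY))
    print("scenario 2 violations:", audit_flows(SAMPLE_FLOWS, scenario=2))
    print("scenario 1 violations:", audit_flows(SAMPLE_FLOWS, scenario=1))
```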
  • 68. [Page 26 – diagram slide] Delivery Methodology. Standards of Windows domain, host/node names; computer description; designation of IP addresses
  • 69. One of the most common questions is what type of VPN an MSP should deploy. So, let’s go through some of the most basic considerations when choosing a VPN protocol – should it be IPsec, MPLS layer-3, MPLS layer-2, L2TPv3-based, or another technology?
    Some of the first questions that you will want to ask yourself when you are choosing a Site-to-Site VPN Technology or protocol include:
    Is cost a primary concern?
    Is encryption and authentication required for your traffic?
    Is “native” multiprotocol transport or layer-2 connectivity important?
    Are you a service provider wishing to consolidate legacy and IP/MPLS network infrastructures?
    Is any-to-any (layer 3) connectivity required between sites?
    Is end-to-end quality of service (QoS) required?
    Is full control of routing between customer edge routers required?
    Is simplified WAN routing desirable?
    Are additional managed services such as firewalled internet access/voice services required/desirable?
    Do you need to transport multicast traffic over your VPN?
    There are many other questions that you must ask yourself, but in order to keep this brief enough I’ll just stick with discussing the above.
    What type of VPN to use?
  • 70. Is cost a primary concern?
    Cost is almost always important, but if it is the primary concern then an Internet-based IPSec VPN is often a good choice. Internet connectivity is relatively cheap, but because the Internet is insecure you’ll need IPSec to protect your traffic.
    Is encryption and authentication required for your traffic?
    If you need authentication and encryption for your site-to-site VPN traffic then IPSec is the way to go. An IPSec VPN could be a standard IPSec VPN; it could be based on Cisco’s Dynamic Multipoint VPN (DMVPN) technology; or it could even be an MPLS or L2TP-based VPN with traffic protected using IPSec. But whatever the specific form of site-to-site VPN, you’re going to need IPSec if you require authentication and encryption.
    Is “native” multiprotocol transport or layer-2 connectivity important?
    The next question is whether “native” multiprotocol transport or layer-2 connectivity is important. If it is then a layer-2 VPN type such as a Virtual Private LAN Service (VPLS) or Virtual Private Wire Service (VPWS) based VPN may be a good option. It’s also possible to transport multiprotocol traffic over MPLS layer-3 and IPSec VPNs using GRE tunnels.
    Are you a service provider wishing to consolidate legacy and IP/MPLS network infrastructures?
    If you are a service provider looking to consolidate legacy infrastructure such as ATM/Frame Relay networks with your IP/MPLS infrastructure, as well as deploy newer services such as Ethernet over MPLS/L2TPv3 (EoMPLS/EoL2TPv3), then layer-2 VPNs may very well be the answer. This is because both MPLS and L2TPv3 pseudowires (emulated circuits) can carry layer-2 traffic such as Ethernet, Frame Relay, ATM, HDLC, PPP, and even X.25.
    What type of VPN to use?
  • 71. Is any-to-any (layer 3) connectivity required between sites?
    Any-to-any WAN connectivity can be advantageous for applications and traffic types such as voice and interactive video. If you would like any-to-any connectivity between sites then MPLS layer-3 VPNs or multipoint-to-multipoint layer-2 VPNs (VPLS) are good options. Other technologies such as DMVPN can also provide this type of connectivity.
    Is end-to-end quality of service (QoS) required?
    QoS can often be important to ensure that traffic and applications performance requirements in terms of latency, jitter (variable delay), and packet loss are met. QoS is especially important for traffic types such as voice. While QoS can be supported in a variety of VPN deployments, end-to-end QoS guarantees for specific applications and traffic types are commonly available with MPLS layer-3 VPNs.
    Is full control of routing between customer edge (CE) routers required?
    If you absolutely need full control of routing between your sites then IPSec VPNs and MPLS/L2TPv3-based layer-2 VPNs are both possibilities. MPLS Layer-3 (RFC 2547bis/RFC 4364) VPNs are not an option if full control of routing is important, because service provider edge (PE) routers will be involved in your routing, and you will therefore have some loss of control. This loss of control is often considered insignificant when compared to the advantages of deploying MPLS layer-3 VPNs, but it’s worth noting.
    What type of VPN to use?
  • 72. Is simplified WAN routing desirable?
    Configuring WAN routing when there is any-to-any connectivity and routing adjacencies between (many) sites can be challenging. One way around this is, of course, to deploy a hub-and-spoke topology, but then advantages of any-to-any connectivity are lost. MPLS Layer-3 VPNs can provide any-to-any connectivity as well as providing simplified WAN routing. This is because, while IP traffic is forwarded over label-switched paths (LSPs) directly between sites over the service provider backbone network, customer edge (CE) routers peer only with their directly connected provider edge (PE) routers rather than with each other.
    Are additional managed services such as firewalled internet access/voice services required/desirable?
    Service providers can offer a variety of managed services to their customers such as firewalled Internet access and voice services. These managed services are most easily provided and most often available via MPLS Layer-3 VPNs.
    Do you need to transport multicast traffic over your VPN?
    MPLS layer-3 and IPSec VPNs do not natively support multicast. If you need to transport multicast traffic in an MPLS layer-3 VPN then you’ll need GRE tunnels or support for multicast VPNs (MVPNs). If you need to transport multicast over an IPSec VPN then you’ll need to use technologies such as GRE tunnels or Virtual Tunnel Interfaces (VTIs).
    What type of VPN to use?
  • 73. Panurgy was founded in 1984 with the goal of creating a company that would specialize in meeting the needs of small and mid-size companies that needed quality network services but didn’t have the full IT departments and IT budgets to do it themselves. Since that time, Panurgy has assisted companies in maximizing their technology functionality and predictability while freeing their IT staff from the complexity of managing their systems and networks in order to focus on their core business. Our full range of professional services includes: assessment, design, implementation, management, and security of data and voice network infrastructures.
    Founded in 1994 as Net Advantage, then First Chair Technologies, Adivi Corporation was originally a custom network services firm. When the Internet exploded and opened up a whole new range of possibilities for business, Adivi responded with renewed focus on making the world of technology a better place by sharing our expertise in developing interactive solutions. Adivi has helped Fortune 500 and startup companies alike successfully navigate the forbidding landscape of interactive technology, design, implementation and maintenance of critical business solutions.
    Vorspohl Automation GmbH was founded in 2001. Its scope of services includes: computer control devices for complex industrial units; server systems; IT services; software solutions for goods and resources; installation and control of electrical devices; start-up of process applications; service and storage for process data; site-to-site network connection via VPN; Exchange and CRM; Microsoft Certified Partner; databases such as Oracle and Microsoft SQL 2000/2005; Exchange 2003/2007; visualized process automation in the operator’s national language.
    Case stories
  • 74. Glossary
  • 75. ATM [34]
    DMZ [34]
    DTLS [34]
    Frame Relay [34]
    GRE [35]
    HDLC [35]
    IPSec [35]
    L2TP [36]
    MPLS [36]
    MPPE [36]
    PPP [36]
    PPTP [37]
    QoS [37]
    SSH [37]
    SSL/TLS [37]
    SSTP [37]
  • 76. ATM (Asynchronous Transfer Mode) is a standardized digital data transmission technology. ATM is implemented as a network protocol and was first developed in the mid 1980s. The goal was to design a single networking strategy that could transport real-time video conference and audio as well as image files, text and email.
    In computer security, a DMZ (Demilitarized Zone) is a physical or logical subnetwork that contains and exposes an organization’s external services to a larger untrusted network, usually the Internet. IT professionals normally refer to it simply as a DMZ; it is sometimes also called a perimeter network. The purpose of a DMZ is to add an additional layer of security to an organization’s Local Area Network (LAN): an external attacker only has access to equipment in the DMZ, rather than to any other part of the network.
    In information technology, the DTLS (Datagram Transport Layer Security) protocol provides communications privacy for datagram protocols. DTLS allows datagram-based applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. The DTLS protocol is based on the stream-oriented TLS protocol and is intended to provide similar security guarantees. The datagram semantics of the underlying transport are preserved by the DTLS protocol – the application will not suffer from the delays associated with stream protocols, but will have to deal with packet reordering, loss of datagrams, and data larger than the datagram packet size.
    In the context of computer networking, Frame Relay is an efficient data transmission technique used to send digital information. It is a message-forwarding, "relay race"-like system in which data packets, called frames, are passed from one or many start points to one or many destinations via a series of intermediate nodes.
  • 77. GRE (Generic Routing Encapsulation) tunnels are designed to be completely stateless. This means that each tunnel end-point does not keep any information about the state or availability of the remote tunnel end-point. A consequence of this is that the local tunnel end-point router does not have the ability to bring the line protocol of the GRE tunnel interface down if the remote end-point is unreachable. The ability to mark an interface as down when the remote end of the link is not available is used in order to remove any routes (specifically static routes) in the routing table that use that interface as the outbound interface. Specifically, if the line protocol for an interface is changed to down, then any static routes that point out that interface are removed from the routing table. This allows for the installation of an alternate (floating) static route or for policy-based routing (PBR) to select an alternate next-hop or interface.
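    To make the failure mode in the GRE entry concrete, the following is an added example (not from the eHandbook or any vendor): a toy routing table with a primary static route over a tunnel interface and a floating static route over a backup interface. It shows that the floating route is installed only when the primary interface's line protocol goes down, which a stateless GRE tunnel never does on its own. Interface names, the prefix and the administrative distances are constructed for the demonstration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class StaticRoute:
    prefix: str
    interface: str
    admin_distance: int  # lower wins; a floating route carries a higher value

class Router:
    def __init__(self):
        self.line_protocol = {}  # interface name -> True (up) / False (down)
        self.configured = []     # every static route entered in the config
        self.stateless = set()   # interfaces that never detect a dead remote end

    def add_interface(self, name, stateless=False):
        self.line_protocol[name] = True
        if stateless:
            self.stateless.add(name)

    def add_static_route(self, route):
        self.configured.append(route)

    def peer_unreachable(self, interface):
        """The remote end stops answering. A link that tracks peer state brings
        its line protocol down; a plain (stateless) GRE tunnel stays up."""
        if interface not in self.stateless:
            self.line_protocol[interface] = False

    def routing_table(self):
        """Install, per prefix, the lowest-AD static route whose interface is up;
        a route whose outbound interface is down is removed from the table."""
        best = {}
        for r in self.configured:
            if not self.line_protocol[r.interface]:
                continue
            if r.prefix not in best or r.admin_distance < best[r.prefix].admin_distance:
                best[r.prefix] = r
        return best

def egress_after_failure(stateless_tunnel):
    """Interface carrying 10.1.0.0/16 (constructed prefix) after the primary
    tunnel's remote end dies: 'Tunnel0' = black-holed, 'Serial0' = failover."""
    rtr = Router()
    rtr.add_interface("Tunnel0", stateless=stateless_tunnel)  # primary GRE tunnel
    rtr.add_interface("Serial0")                               # backup link (constructed)
    rtr.add_static_route(StaticRoute("10.1.0.0/16", "Tunnel0", admin_distance=1))
    rtr.add_static_route(StaticRoute("10.1.0.0/16", "Serial0", admin_distance=250))
    rtr.peer_unreachable("Tunnel0")
    return rtr.routing_table()["10.1.0.0/16"].interface
```

    With the stateless tunnel the primary route is never withdrawn, so traffic keeps pointing at a dead tunnel; with a state-aware interface the floating static route over Serial0 takes over.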
    HDLC (High-Level Data Link Control) is a bit-oriented synchronous data link layer protocol developed by the International Organization for Standardization (ISO).
    IPSec (Internet Protocol Security) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream. IPSec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPSec can be used to protect data flows between a pair of hosts (e.g. computer users or servers), between a pair of security gateways (e.g. routers or firewalls), or between a security gateway and a host. IPSec is a dual-mode, end-to-end security scheme operating at the Internet Layer of the Internet Protocol Suite, or OSI model Layer 3. Some other Internet security systems in widespread use, such as Secure Sockets Layer (SSL), Transport Layer Security (TLS) and Secure Shell (SSH), operate in the upper layers of these models. Hence, IPSec can be used for protecting any application traffic across the Internet, and applications need not be specifically designed to use IPSec. The use of TLS/SSL, on the other hand, must typically be incorporated into the design of applications.
  • 78. In computer networking, L2TP (Layer 2 Tunneling Protocol) is a tunneling protocol used to support virtual private networks (VPNs). It does not provide any encryption or confidentiality by itself; it relies on an encryption protocol that it passes within the tunnel to provide privacy.
    MPLS (Multiprotocol Label Switching) is a mechanism in high-performance telecommunications networks which directs and carries data from one network node to the next. MPLS makes it easy to create “virtual links” between distant nodes. It can encapsulate packets of various network protocols. MPLS is a highly scalable, protocol agnostic, data-carrying mechanism. In an MPLS network, data packets are assigned labels. Packet-forwarding decisions are made solely on the contents of this label, without the need to examine the packet itself. This allows one to create end-to-end circuits across any type of transport medium, using any protocol. MPLS operates at an OSI Model layer that is generally considered to lie between traditional definitions of Layer 2 (Data Link Layer) and Layer 3 (Network Layer), and thus is often referred to as a “Layer 2.5” protocol. It was designed to provide a unified data-carrying service for both circuit-based clients and packet-switching clients which provide a datagram service model. It can be used to carry many different kinds of traffic.
    MPPE (Microsoft Point-to-Point Encryption) is a protocol for encrypting data across Point-to-Point Protocol (PPP) and Virtual Private Network links. It uses the RSA RC4 encryption algorithm. MPPE supports 40-bit, 56-bit and 128-bit session keys, which are changed frequently to improve security. The exact frequency that the keys are changed is negotiated, but may be as frequent as every packet.
    In computer networking, PPP (Point-to-Point Protocol) is a data link protocol commonly used to establish a direct connection between two networking nodes. It can provide connection authentication, transmission encryption (privacy), and compression.
  • 79. PPTP (Point-to-Point Tunneling Protocol) is a method for implementing virtual private networks. PPTP uses a control channel over TCP and a GRE tunnel to encapsulate PPP packets. The PPTP specification does not describe encryption or authentication features and relies on the PPP protocol being tunneled to implement security functionality. However, the most common PPTP implementation, shipping with the Microsoft Windows product families, implements various levels of authentication and encryption natively as standard features of the Windows PPTP stack. The intended use of this protocol is to provide similar levels of security and remote access as typical VPN products.
    In the field of computer networking and other packet-switched telecommunication networks, the traffic engineering term QoS (Quality of Service) refers to resource reservation control mechanisms rather than the achieved service quality. Quality of service is the ability to provide different priority to different applications, users, or data flows, or to guarantee a certain level of performance to a data flow.
    SSH (Secure Shell) is a network protocol that allows data to be exchanged using a secure channel between two networked devices.
    TLS (Transport Layer Security) and its predecessor, SSL (Secure Sockets Layer), are cryptographic protocols that provide security for communications over networks such as the Internet. TLS and SSL encrypt the segments of network connections at the Transport Layer end-to-end.
    SSTP (Secure Socket Tunneling Protocol) is a form of VPN tunnel that provides a mechanism to transport PPP or L2TP traffic through an SSL 3.0 channel. SSL provides transport-level security with key-negotiation, encryption and traffic integrity checking. The use of SSL over TCP port 443 allows SSTP to pass through virtually all firewalls and proxy servers.
  • 80. References
    References used in creating this eHandbook
  • 81.
    • Cisco Systems Inc. – “How Virtual Private Networks Work”;
    • Don Libes – “Choosing a Name for your Computer” (RFC 1178);
    • JANET UK – “Different Flavours of VPN: Technology and Applications”;
    • Mark Lewis – “Which Site-to-Site VPN: 10 Important Questions”;
    • Panurgy IBS – “The Benefits of Managed Services”;
    • Randy Weaver, Dawn Weaver – “Guide to Tactical Perimeter Defense”;
    • THINKstrategies – “Steps to Success for Making the Switch to Managed Services”;
    • Tom Farre – “Best Practices in Managed Services”;
    • VPNC Consortium – “VPN Technologies: Definitions and Requirements”;
    • VPN-Info – “Different Types of VPN”;
    • Wikipedia, the free encyclopedia.
  • 92. Copyright © 2010, Safar Safarov. All trademarks, pictures, logos are copyrighted by their owners. No part of this document or the related files may be reproduced or transmitted in any form, by any means (electronic, photocopying, recording, or otherwise) without reference.
    Contact email:
    by Safar Safarov