“VPN as the Key for a Successful MSP Business” is a Tactical eHandbook that presents Virtual Private Networks as the tactic for successfully delivering managed services, and presumes that you are an IT Services Provider whose strategy already is the delivery of managed services. Please be aware that the eHandbook treats Virtual Private Networks as a way of delivering managed services, not as a service in themselves.
Contents

Foreword [3]

CHAPTER 1: Introduction to Managed Services
  What is Managed Services? [5]
  What is MSP? [6]
  Customer & MSP Benefits [7]
  What Makes a MSP? [8]
  MSP Technology [9]
  Steps to Successful MSP [10]

CHAPTER 2: Introduction to Virtual Private Networks
  What is VPN? [13]
  Types of VPN [14]
  VPN Classifications [15]
  What Makes a VPN? [18]

CHAPTER 3: Delivering of Managed Services via VPN
  Why VPN? [20]
  Delivery Methodology [21]
  What type of VPN to use? [27]
  Case stories [31]

GLOSSARY
  Terminology [33]

REFERENCES (references used in creating this eHandbook)
  References [39]
Foreword

From the World Wide Web:

“Have you ever thought about how the agents of those RMM Systems are connected with the applications? It’s simple – VPN!”

“We have a unique method by which we manage all our clients. It’s called VPN… I could not imagine doing business any other way…”

“We inform our customers that we can create a remote monitoring via VPN (Virtual Private Network) to their systems and take care of them even in case we are located in different cities, countries.”

“…it’s better to allow a trusted party into your environment, one who will be accountable for keeping all un-trusted parties out. Only through this type of structured arrangement can you be sure that your network is truly secure.”

“VPN as the Key for a Successful MSP Business” is a Tactical eHandbook that presents Virtual Private Networks as the tactic for successfully delivering managed services, and presumes that you are an IT Services Provider whose strategy already is the delivery of managed services. Please be aware that the eHandbook treats Virtual Private Networks as a way of delivering managed services, not as a service in themselves.

Good Luck!

Best Regards,
Safar Safarov
January 23, 2010
What is Managed Services?

Managed Services is the practice of transferring day-to-day management responsibility as a strategic method for more effective and efficient operations. The person or organization who owns or has direct oversight of the organization or system being managed is referred to as the offerer, client, or customer. The person or organization that accepts and provides the managed service is regarded as the service provider. Typically, the offerer remains accountable for the functionality and performance of the managed service and does not relinquish the overall management responsibility for the organization or system.
What is MSP?

A Managed Services Provider (MSP) is typically an information technology (IT) services provider who manages and assumes responsibility for providing a defined set of services to their clients, either proactively or as they (not the client) determine that the services are needed. Most MSPs bill a flat or near-fixed monthly fee, which benefits their clients by providing them with predictable IT support costs. Many MSPs now provide many of their services remotely over the Internet rather than having to perform on-site client visits, which are time consuming and often expensive. Common services provided by MSPs include remote network, desktop and security monitoring, patch management and remote data back-up, as well as technical assistance.

One major challenge that MSPs faced was in changing from the reactive break-fix model to which they were accustomed into the new proactive managed services model, particularly because this model represented a major shift in the industry. Many early adopters struggled to properly convey the benefits of managed services to their existing break-fix clients. Many continue to service break-fix clients even though it is in their best interest to make the shift to managed services only.
Customer & MSP Benefits [continuation]

- Ability to interact with & influence customers at a business/application decision-making level;
- Protect vital carriage revenue by de-commoditizing & value adding.
What Makes a MSP?

IT solution providers who encounter problems moving their businesses to a managed services model tend to misinterpret the meaning of managed services and underestimate the level of commitment this transition requires and the impact it can have on the way they operate. Managed services are not just the simple act of monitoring customers’ IT systems remotely and reacting to problems when they occur. Truly successful managed services entail a series of proactive tasks which are performed on an ongoing basis to prevent many problems from ever materializing. These tasks range from systematic patch management updates to specific virus and other forms of security scans. They also include system reconfigurations based on utilization levels to avoid potential failures. To be done cost-effectively, these tasks cannot be done manually. Instead, an MSP must implement software which enables them to perform these tasks in an automated fashion every day to keep customers’ systems up and running.

Managed Services represent a fundamental change in the way IT solution providers approach the market and interact with their customers. Rather than depend on traditional, product-centric, project-oriented planning, installation or break-fix work, managed services require IT solution providers to take a more holistic view. They must be willing to assume responsibility for the availability and performance of their customers’ IT operations. This demands that IT solution providers have the right management tools and skills to continuously monitor and quickly resolve issues before they impact the customers’ business. It also requires that the MSP have planning and design skills to help customers make more significant modifications to their IT operations when necessary.
MSP Technology

“Before buying the platform, we had to wait for a phone call from the client when something went wrong,” says Ethan Simmons (NetTeks Technology Consultants). “Once we added the remote monitoring and management platform, it gave us better insight into what the client was doing, allowing us to be proactive and to better guarantee uptime.”

Some MSPs invest in customer relationship management (CRM) software to give managed services teams an integrated view of the customer, while others rely on the built-in capabilities of the monitoring and management platform. “Operational efficiency requires seamless integration, from the service desk to the help desk, ticketing, billing and reporting,” says Michael Drake (masterIT). “We recommend a system that is client-centric with one database – all notes, tickets and reports can be found in the client record.”

The software’s documentation and reporting capabilities help demonstrate the value that managed services deliver. “We joke all the time: When was the last time you heard a client say, ‘Gee, thanks for not coming here?’,” Drake says. “You have to be very intentional in terms of demonstrating value to the client.” Regular client meetings address this – “wellness visits,” Drake calls them – where MSPs share detailed management reports and logs with clients to document disasters averted and problems solved. Connecting these to the business costs of downtime helps clients understand the value of proactive services.

Such meetings can present sales opportunities. “If a server went down, and we brought it up within eight hours, we might say, ‘Next time our goal is to do it in two hours, but to do that we need to buy this software’,” says Arun Patel (Micro Symplex). Clients who are shown the business implications of the operational reports often agree to major IT upgrades and enhancements.
Steps to Successful MSP

- A managed service is more than just monitoring a customer’s operations remotely and reacting to problems as they arise.
- Managed services require support staff to assume greater responsibility for the universal availability and optimal performance of their customers’ IT operations.
- Support staff must be proactive and focus on preventing problems rather than measuring their effectiveness by how quickly they respond to and resolve problems after they occur.
- The more management responsibility a provider is willing to assume, the easier it is to sell their managed services, because a full suite of services eliminates any ambiguity about the customer’s and provider’s mutual roles.
- Rather than build their own or acquire a costly platform which requires substantial upfront investment, providers should leverage tools that automate as many of the management tasks as possible and are scalable to expand with the growth of the customer base.
Steps to Successful MSP [continuation]

- Customers may not fully appreciate the benefits they gain from managed services unless the provider systematically measures and regularly reports operational improvements.
- Managed services should enable providers to change the nature of the sales “conversation” with customers from tactical, technical or billing issues to bigger business and strategic topics.
- The support and sales staff must be trained to become customer “relationship” managers rather than technology- or transaction-oriented staff.
- Managed services provide a competitive advantage by giving the provider the first opportunity to uncover additional customer needs.
What is VPN?

A virtual private network (VPN) is a computer network that is implemented in an additional logical layer (overlay) on top of an existing larger network. Its purpose is to create a private scope of computer communications or to provide a secure extension of a private network into an insecure network such as the Internet. The links between nodes of a virtual private network are formed over logical connections or virtual circuits between hosts of the larger network. The Link Layer protocols of the virtual network are said to be tunneled through the underlying transport network.

One common application is to secure communications through the public Internet, but a VPN does not need to have explicit security features such as authentication or traffic encryption. For example, VPNs can also be used to separate the traffic of different user communities over an underlying network with strong security features, or to provide access to a network via customized or private routing mechanisms. VPNs are often installed by organizations to provide remote access to a secure organizational network. Generally, a VPN has a network topology more complex than a point-to-point connection. VPNs are also used to mask the IP address of individual computers within the Internet in order, for instance, to surf the World Wide Web anonymously or to access location-restricted services, such as Internet television.
Types of VPN

Remote Access (RAS) VPN – Under this application only a single VPN gateway is involved. The other party involved in negotiating the secure communication channel with the VPN gateway is a PC or laptop that is connected to the Internet and running VPN client software. The VPN client allows telecommuters and traveling users to communicate on the central network and access servers from many different locations.
Benefit: Significant cost savings by reducing the burden of long-distance charges associated with dial-up access. Also helps increase productivity and peace of mind by ensuring secure network access regardless of where an employee physically is.

Site-to-Site Intranet VPN – With an Intranet VPN, gateways at various physical locations within the same business negotiate a secure communication channel across the Internet known as a VPN tunnel. An example would be a network that exists in several buildings connected to a data center or mainframe that has secure access through private lines. Users from the networks on either side of the tunnel can communicate with one another as if it were a single network. These may need strong encryption and have strict performance and bandwidth requirements.
Benefit: Substantial cost savings over traditional leased-line or frame relay technologies through the use of the Internet to bridge potentially long distances between sites.

Site-to-Site Extranet VPN – Almost identical to Intranet VPNs, except they are meant for external business partners. As such, firewall access restrictions are used in conjunction with VPN tunnels, so that business partners are only able to gain secure access to specific data/resources, while not gaining access to private corporate information.
Benefit: Businesses enjoy the same policies as a private network, including security, QoS, manageability, and reliability.
VPN classifications

VPN technologies may be classified by many criteria. Two broad categories are secure VPNs and trusted VPNs. Some other types of VPN may not fit neatly within these two categories. For example, an end-user managed GRE tunnel may not necessarily use encryption to protect the tunnel contents. L2TP can also be used to tunnel traffic from a network access server to another location without enforcing encryption.

Secure VPNs explicitly provide mechanisms for authentication of the tunnel endpoints during tunnel setup, and encryption of the traffic in transit. Often secure VPNs are used to protect traffic when using the Internet as the underlying backbone, but equally they may be used in any environment where the security level of the underlying network differs from that of the traffic within the VPN. Secure VPNs may be implemented by organizations wishing to provide remote access facilities to their employees or by organizations wishing to connect multiple networks together securely using the Internet to carry the traffic. A common use for secure VPNs is in remote access scenarios, where VPN client software on an end user system is used to connect to a remote office network securely. Secure VPN protocols include IPSec, SSL or PPTP (with MPPE).

Trusted VPNs are commonly created by carriers and large organizations and are used for traffic segmentation on large core networks. They often provide quality of service guarantees and other carrier-grade features. Trusted VPNs may be implemented by network carriers wishing to multiplex multiple customer connections transparently over an existing core network or by large organizations wishing to segregate traffic flows from each other in the network. Trusted VPN protocols include MPLS, ATM or Frame Relay.

Trusted VPNs differ from secure VPNs in that they do not provide security features such as data confidentiality through encryption. Secure VPNs, however, do not offer the level of control over the data flows that a trusted VPN can provide, such as bandwidth guarantees or routing.
VPN classifications: Secure VPNs

Secure VPNs use cryptographic tunneling protocols to provide the intended confidentiality (blocking intercept and thus packet sniffing), sender authentication (blocking identity spoofing), and message integrity (blocking message alteration) to achieve privacy. Tunnel endpoints are required to authenticate themselves before secure VPN tunnels can be established. End-user-created tunnels, such as remote access VPNs, may use passwords, biometrics, two-factor authentication or other cryptographic methods. For network-to-network tunnels, passwords or digital certificates are often used, as the key must be permanently stored and not require manual intervention for the tunnel to be established automatically.

Secure VPN protocols include the following:

IPSec (Internet Protocol Security) – A standards-based security protocol developed originally for IPv6, where support is mandatory, but also widely used with IPv4.

Transport Layer Security (SSL/TLS) – Used either for tunneling an entire network’s traffic (SSL VPN) or for securing an individual connection. SSL has been used as the foundation by a number of vendors to provide remote access VPN capabilities. A practical advantage of an SSL VPN is that it can be accessed from locations that restrict external access to SSL-based e-commerce websites without IPSec implementations.

DTLS – Used by Cisco for a next-generation VPN product called Cisco AnyConnect VPN. DTLS solves the issues found when tunneling TCP over TCP, as is the case with SSL/TLS.

Secure Socket Tunneling Protocol (SSTP) – By Microsoft, introduced in Windows Server 2008 and Windows Vista Service Pack 1. SSTP tunnels Point-to-Point Protocol (PPP) or L2TP traffic through an SSL 3.0 channel.

MPVPN (Multi Path Virtual Private Network) – Ragula Systems Development Company owns the registered trademark "MPVPN".

SSH VPN – OpenSSH offers VPN tunneling to secure remote connections to a network (or inter-network links). The OpenSSH server provides a limited number of concurrent tunnels, and the VPN feature itself does not support personal authentication.
VPN classifications: Trusted VPNs

Trusted VPNs do not use cryptographic tunneling, and instead rely on the security of a single provider’s network to protect the traffic. Trusted VPN protocols include the following:

Multi-Protocol Label Switching (MPLS) – Often used to overlay VPNs, often with quality-of-service control over a trusted delivery network.

Layer 2 Tunneling Protocol (L2TP) – A standards-based replacement, and a compromise taking the good features from each, for two proprietary VPN protocols: Cisco’s Layer 2 Forwarding (L2F) and Microsoft’s Point-to-Point Tunneling Protocol (PPTP).

From the security standpoint, VPNs either trust the underlying delivery network, or must enforce security with mechanisms in the VPN itself. Unless the trusted delivery network runs only among physically secure sites, both trusted and secure models need an authentication mechanism for users to gain access to the VPN.
Why VPN? [continuation]

- The availability and performance of an organization’s wide-area VPN (over the Internet in particular) depends on factors largely outside of their control;
- VPN technologies from different vendors may not work well together due to immature standards;
- VPNs need to accommodate protocols other than IP and existing (“legacy”) internal network technology.
Delivery Methodology

Despite the variety of possible topologies to create a Virtual Private Network, I will consider only two basic scenarios.

Scenario 1: One-way Virtual Private Network [as shown on Page 22]. Every client’s network connects to the MSP’s network via a one-way VPN. One-way routing on the MSP’s network ensures that customers’ computers, as well as other network equipment, cannot see or communicate with each other through the MSP’s network. Furthermore, it ensures that customers’ computers and other network equipment cannot see the MSP’s network itself. This scenario is perfect if you will use only Windows Management Instrumentation (WMI) and/or Simple Network Management Protocol (SNMP), as well as remote administration utilities (like VNC or RAdmin), to monitor/manage clients’ computers and other network equipment.

Scenario 2: Virtual Private Network with DMZ (Demilitarized Zone) [as shown on Page 23]. Every client’s network connects to the MSP’s network via VPN. Customers’ computers, as well as other network equipment, cannot see or communicate with each other through the MSP’s network. Furthermore, customers’ computers and other network equipment can see only servers and/or other network equipment placed in the DMZ of the MSP’s network, and cannot see the MSP’s network itself. This scenario is perfect if you will use not only WMI/SNMP and remote administration utilities, but also other solutions like centralized antivirus update and alerting, or Windows Server Update Services.
66. To optimize traffic load and to avoid confusion, I recommend using one VPN product per backbone network at the MSP’s office. I also recommend a hardware VPN appliance as the VPN product. If VPN tunneling and encryption are carried out in software, they take CPU cycles from other processes, which can become an issue; a VPN appliance is built to handle all VPN tasks without putting an additional burden on any of your existing networking equipment. Whichever you choose, remember that the VPN endpoint is exposed to the Internet and must be kept patched like any other Internet-facing system. I will not describe how to create a VPN, because the procedure varies by product and vendor even where there are similarities; follow the instructions in the manual of the particular product. Along with the choice of VPN topology, you should define your standard for domain names, host/node names and IP address assignment, and provide it to your clients. This is a very important task, which will save you from headaches and confusion, as well as from configuration failures, in the future. Backbone networks. A backbone network or network backbone is the part of a computer network infrastructure that interconnects various pieces of network, providing a path for the exchange of information between different LANs or subnetworks. A backbone can tie together diverse networks in the same building, in different buildings in a campus environment, or over wide areas. Normally, the backbone’s capacity is greater than that of the networks connected to it. In our case, I consider a backbone network to be the highest point in the hierarchy of Virtual Private Networks, which connect the MSP’s office with clients’ offices. So, in my model the first octet of an IP address indicates the backbone network, the last two digits of the second octet together with the three digits of the third octet indicate a Client ID number, and the fourth octet is used to assign unique IP addresses to network devices. 
Thus, one backbone network can contain up to 25500 client networks (100 values of the second octet times 255 of the third). 24 Delivery Methodology [continuation]
67. Standards for Windows domain and host/node names, computer descriptions, and IP address assignment [as shown on Page 26]. Let’s take a 10.xxx.xxx.0/24 network as the network assigned to a client, and reserve 10 networks per client in case the client has, or may have, more than one facility: one network per facility. Let’s say that the first octet of the 10.xxx.xxx.0/24 network indicates our backbone network, the last two digits of the second octet together with the three digits of the third octet indicate a Client ID, and the fourth octet indicates hosts/nodes in the client’s network. Thus our backbone network can contain up to 25500 networks and 2550 clients, since we reserved 10 networks per client (for example, the 10.073.251.0/24 network is assigned to the client with Client ID 73251). Let’s take W00000AA as the form of a computer (host) name and N00000AA as the form of a wireless access point (node) name in a client’s network. The first letter of a device name indicates the kind of device (Workstation, Network device, etc.), the next 5 digits indicate the Client ID, and the last 2 letters give the device a unique name; one or both of the last 2 letters can also indicate the role of a server or network device. Keep in mind that a device name should contain no more than eight alphanumeric characters (this applies to computers, basically) and should not start with a digit or with one of the letters A–F. For example, if the client with Client ID 73251 has a server whose role is DC, two network printers, a wireless access point and a laptop in its 10.073.251.0/24 network, the device names can be S73251DC, P73251NA, P73251NB, N73251WA and L73251AA respectively. Let’s take client.local as the Windows domain name for a client. The “local” suffix was commonly used for internal domains because it is not delegated in public DNS, which was expected to avoid DNS issues and keep the domain private. Be aware, though, that .local is reserved for multicast DNS (RFC 6762): hosts that run mDNS (macOS, many Linux distributions and some mobile devices) may fail to resolve names under it through the domain’s DNS servers, Microsoft no longer recommends it for Active Directory, and a subdomain of a registered domain you control (for example corp.example.com) avoids the problem. 
So, if our client is FIC with Client ID 73251 and has a server in its 10.073.251.0/24 network, the FQDN of the server will be S73251AA.FIC.LOCAL. To avoid confusing customers’ computers with one another, it is recommended to put the customer’s information, as well as the name of the department the user works for, in the computer description. 25 Delivery Methodology [continuation]
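The addressing and naming standard above, as an added Python example that is not part of the original handbook: it derives a client’s /24 from its Client ID and back, builds and validates device names against the eight-character rule (kind letter, five-digit Client ID, two letters; no leading digit or A–F), and runs the inventory check a practitioner actually wants, namely whether a host’s address sits in its own client’s networks. Two details are assumptions rather than the page’s own wording: a client’s additional facilities are taken to be the /24s immediately following its base network (at most the ten the handbook reserves), and the sample values (73251, FIC, the addresses) are constructed.

```python
import ipaddress
import re

BACKBONE = 10        # first octet identifies the backbone network (the handbook's 10.x.x.0/24)
# Device name: kind letter, five-digit Client ID, two letters; eight characters in total.
# The handbook forbids a leading digit or a leading A-F, hence [G-Z] for the kind letter.
NAME_RE = re.compile(r"^([G-Z])(\d{5})([A-Z]{2})$")

def client_network(client_id, facility=0):
    """Client ID NNMMM -> 10.NN.MMM.0/24. Assumption: facility n (0..9) is the n-th /24
    after the base network, staying within the ten networks reserved per client."""
    nn, mmm = divmod(client_id, 1000)
    if not (0 <= nn <= 99 and 0 <= mmm <= 255):
        raise ValueError(f"Client ID {client_id} does not fit the NN.MMM octet scheme")
    if not 0 <= facility < 10 or mmm + facility > 255:
        raise ValueError(f"facility {facility} is outside the range reserved for {client_id}")
    return ipaddress.ip_network(f"{BACKBONE}.{nn}.{mmm + facility}.0/24")

def client_of_network(net):
    """Reverse mapping, used to audit an address plan: 10.73.251.0/24 -> 73251."""
    n = ipaddress.ip_network(net)
    first, nn, mmm, _ = n.network_address.packed
    if first != BACKBONE or n.prefixlen != 24:
        raise ValueError(f"{net} is not a client network on backbone {BACKBONE}")
    return nn * 1000 + mmm

def valid_name(name):
    """True if the name follows the standard (case-insensitive input, stored upper-case)."""
    return NAME_RE.match(name.upper()) is not None

def device_name(kind, client_id, suffix):
    """Build and validate a name such as S73251DC (server, client 73251, role DC)."""
    name = f"{kind}{client_id:05d}{suffix}".upper()
    if not valid_name(name):
        raise ValueError(f"{name!r} violates the naming standard")
    return name

def parse_device_name(name):
    """S73251DC -> ('S', 73251, 'DC'); raises on anything outside the standard."""
    m = NAME_RE.match(name.upper())
    if not m:
        raise ValueError(f"{name!r} violates the naming standard")
    kind, cid, suffix = m.groups()
    return kind, int(cid), suffix

def fqdn(name, domain):
    """S73251AA + fic.local -> S73251AA.fic.local (the handbook's example is FIC.LOCAL)."""
    parse_device_name(name)                 # validates before joining
    return f"{name}.{domain}"

def consistent(name, ip):
    """Inventory check: does this host's address sit in one of its own client's networks?
    A mismatch usually means a mis-joined machine or a typo in the name or the address."""
    _, cid, _ = parse_device_name(name)
    addr = ipaddress.ip_address(ip)
    for facility in range(10):
        try:
            if addr in client_network(cid, facility):
                return True
        except ValueError:                  # ran past the reserved range for this client
            break
    return False

if __name__ == "__main__":
    print(client_network(73251), device_name("S", 73251, "DC"), fqdn("S73251AA", "fic.local"))
```

`consistent` is the useful part for day-to-day operations: run it over the RMM inventory and every host whose name and address disagree is either mis-joined to the wrong client or named outside the standard.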
68. 26 Delivery Methodology [continuation] Standards of Windows domain, hosts/nodes names; computer description; designation of IP addresses
69. One of the most common questions is what type of VPN an MSP should deploy. So, let’s go through some of the most basic considerations when choosing a VPN protocol: should it be IPsec, MPLS layer-3, MPLS layer-2, L2TPv3-based, or another technology? Some of the first questions to ask yourself when choosing a site-to-site VPN technology or protocol include: Is cost a primary concern? Are encryption and authentication required for your traffic? Is “native” multiprotocol transport or layer-2 connectivity important? Are you a service provider wishing to consolidate legacy and IP/MPLS network infrastructures? Is any-to-any (layer 3) connectivity required between sites? Is end-to-end quality of service (QoS) required? Is full control of routing between customer edge routers required? Is simplified WAN routing desirable? Are additional managed services such as firewalled Internet access or voice services required or desirable? Do you need to transport multicast traffic over your VPN? There are many other questions you must ask yourself, but to keep this brief I will stick to the ones above. 27 What type of VPN to use?
70. Is cost a primary concern? Cost is almost always important, but if it is the primary concern then an Internet-based IPSec VPN is often a good choice. Internet connectivity is relatively cheap, but because the Internet is insecure you will need IPSec to protect your traffic. Are encryption and authentication required for your traffic? If you need authentication and encryption for your site-to-site VPN traffic then IPSec is the way to go. An IPSec VPN could be a standard IPSec VPN; it could be based on Cisco’s Dynamic Multipoint VPN (DMVPN) technology; or it could even be an MPLS or L2TP-based VPN with the traffic protected by IPSec. But whatever the specific form of site-to-site VPN, you are going to need IPSec if you require authentication and encryption. Is “native” multiprotocol transport or layer-2 connectivity important? The next question is whether “native” multiprotocol transport or layer-2 connectivity is important. If it is, then a layer-2 VPN type such as a Virtual Private LAN Service (VPLS) or Virtual Private Wire Service (VPWS) based VPN may be a good option. It is also possible to transport multiprotocol traffic over MPLS layer-3 and IPSec VPNs using GRE tunnels. Are you a service provider wishing to consolidate legacy and IP/MPLS network infrastructures? If you are a service provider looking to consolidate legacy infrastructure such as ATM/Frame Relay networks with your IP/MPLS infrastructure, as well as deploy newer services such as Ethernet over MPLS/L2TPv3 (EoMPLS/EoL2TPv3), then layer-2 VPNs may very well be the answer. This is because both MPLS and L2TPv3 pseudowires (emulated circuits) can carry layer-2 traffic such as Ethernet, Frame Relay, ATM, HDLC, PPP, and even X.25. 28 What type of VPN to use? [continuation]
71. Is any-to-any (layer 3) connectivity required between sites? Any-to-any WAN connectivity can be advantageous for applications and traffic types such as voice and interactive video. If you would like any-to-any connectivity between sites then MPLS layer-3 VPNs or multipoint-to-multipoint layer-2 VPNs (VPLS) are good options. Other technologies such as DMVPN can also provide this type of connectivity. Is end-to-end quality of service (QoS) required? QoS is often important to ensure that the performance requirements of traffic and applications, in terms of latency, jitter (variable delay) and packet loss, are met. QoS is especially important for traffic types such as voice. While QoS can be supported in a variety of VPN deployments, end-to-end QoS guarantees for specific applications and traffic types are most commonly available with MPLS layer-3 VPNs. Is full control of routing between customer edge (CE) routers required? If you absolutely need full control of routing between your sites then IPSec and MPLS/L2TPv3-based layer-2 VPNs are all possibilities. MPLS layer-3 (RFC 2547bis/RFC 4364) VPNs are not an option if full control of routing is important, because service provider edge (PE) routers will be involved in your routing and you will therefore lose some control. This loss of control is often considered insignificant compared to the advantages of deploying MPLS layer-3 VPNs, but it is worth noting. 29 What type of VPN to use? [continuation]
72. Is simplified WAN routing desirable? Configuring WAN routing when there is any-to-any connectivity and routing adjacencies between (many) sites can be challenging. One way around this is, of course, to deploy a hub-and-spoke topology, but then advantages of any-to-any connectivity are lost. MPLS Layer-3 VPNs can provide any-to-any connectivity as well as providing simplified WAN routing. This is because, while IP traffic is forwarded over label-switched paths (LSPs) directly between sites over the service provider backbone network, customer edge (CE) routers peer only with their directly connected provider edge (PE) routers rather than with each other. Are additional managed services such as firewalled internet access/voice services required/desirable? Service providers can offer a variety of managed services to their customers such as firewalled Internet access and voice services. These managed services are most easily provided and most often available via MPLS Layer-3 VPNs. Do you need to transport multicast traffic over your VPN? MPLS layer-3 and IPSec VPNs do not natively support multicast. If you need to transport multicast traffic in an MPLS layer-3 VPN then you’ll need GRE tunnels or support for multicast VPNs (MVPNs). If you need to transport multicast over an IPSec VPN then you’ll need to use technologies such as GRE tunnels or Virtual Tunnel Interfaces (VTIs). 30 What type of VPN to use? [continuation]
73. Panurgy was founded in 1984 with the goal of creating a company that would specialize in meeting the needs of small and mid-size companies that needed quality network services but did not have the full IT departments and IT budgets to do it themselves. Since that time, Panurgy has assisted companies in maximizing their technology functionality and predictability while freeing their IT staff from the complexity of managing their systems and networks in order to focus on their core business. Our full range of professional services includes: assessment, design, implementation, management and the security of data and voice network infrastructures. Founded in 1994 as Net Advantage, then First Chair Technologies, Adivi Corporation was originally a custom network services firm. When the Internet exploded and opened up a whole new range of possibilities for business, Adivi responded with a renewed focus on making the world of technology a better place by sharing its expertise in developing interactive solutions. Adivi has helped Fortune 500 and startup companies alike successfully navigate the forbidding landscape of interactive technology: design, implementation and maintenance of critical business solutions. Vorspohl Automation GmbH was founded in 2001. Its scope and services include: computer control devices for complex industrial units; server systems; IT service; software solutions for goods resources; installation and control service for electric devices; start-up of process applications; service and storage for process data; location network connection via VPN, Exchange and CRM; Microsoft Certified Partner; databases such as Oracle and Microsoft SQL 2000/2005, Exchange 2003/2007; visualized process automation in the national language of the operator. 31 Case stories
76. ATM (Asynchronous Transfer Mode) is a standardized digital data transmission technology. ATM is implemented as a network protocol and was first developed in the mid-1980s. The goal was to design a single networking strategy that could transport real-time video conferencing and audio as well as image files, text and email. In computer security, a DMZ (Demilitarized Zone) is a physical or logical subnetwork that contains and exposes an organization’s external services to a larger untrusted network, usually the Internet. It is sometimes referred to as a perimeter network. The purpose of a DMZ is to add a layer of security to an organization’s Local Area Network (LAN): an external attacker who compromises an exposed service should be able to reach only the equipment in the DMZ, not any other part of the network. That holds only if traffic from the DMZ into the internal network is itself restricted; a DMZ host with unrestricted access inward is just a stepping stone. In information technology, the DTLS (Datagram Transport Layer Security) protocol provides communications privacy for datagram protocols. DTLS allows datagram-based applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. The DTLS protocol is based on the stream-oriented TLS protocol and is intended to provide similar security guarantees. The datagram semantics of the underlying transport are preserved by DTLS: the application does not suffer the delays associated with stream protocols, but has to deal with packet reordering, datagram loss and data larger than a datagram packet size. In the context of computer networking, Frame Relay is an efficient data transmission technique used to send digital information. It is a message-forwarding “relay race” like system in which data packets, called frames, are passed from one or many start points to one or many destinations via a series of intermediate nodes. 34 Terminology [continuation]
77. GRE (Generic Routing Encapsulation) tunnels are designed to be completely stateless: neither tunnel end-point keeps any information about the state or availability of the remote end-point. A consequence is that the local end-point router cannot, on its own, bring the line protocol of the GRE tunnel interface down when the remote end-point is unreachable (Cisco IOS offers optional GRE keepalives on the tunnel interface to close exactly this gap). The ability to mark an interface as down when the remote end of the link is unavailable is used to remove any routes (specifically static routes) that use that interface as the outbound interface: when the line protocol of an interface goes down, any static routes pointing out of that interface are removed from the routing table, which allows an alternate (floating) static route to be installed or policy-based routing (PBR) to select an alternate next hop or interface. Note also that GRE provides no confidentiality, integrity or peer authentication; its optional checksum and key field are not security mechanisms, so a GRE tunnel across an untrusted network should be carried inside IPsec. HDLC (High-Level Data Link Control) is a bit-oriented synchronous data link layer protocol developed by the International Organization for Standardization (ISO). IPSec (Internet Protocol Security) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream. IPSec also includes protocols for establishing mutual authentication between agents at the beginning of a session and for negotiating the cryptographic keys to be used during the session. IPSec can be used to protect data flows between a pair of hosts (e.g. computers or servers), between a pair of security gateways (e.g. routers or firewalls), or between a security gateway and a host. IPSec has two modes, transport and tunnel, and operates end-to-end at the Internet Layer of the Internet Protocol Suite (OSI Layer 3). 
Some other Internet security systems in widespread use, such as Secure Sockets Layer (SSL), Transport Layer Security (TLS) and Secure Shell (SSH), operate in the upper layers of these models. Hence IPSec can be used to protect any application traffic across the Internet; applications need not be specifically designed to use IPSec, whereas the use of TLS/SSL must typically be incorporated into the design of the application. 35 Terminology [continuation]
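The GRE encapsulation described above, as an added Python example that is not part of the original handbook: a minimal encoder and parser for the RFC 2784 header with the RFC 2890 key and sequence-number extensions. It makes the security point concrete: the payload goes on the wire unchanged, the checksum only catches accidental corruption (anyone who can alter a packet can recompute it), and the 32-bit key is a demultiplexing value, not a secret. PPTP’s “enhanced GRE” (RFC 2637) uses version 1 with a different layout and is rejected rather than parsed. The sample payload and key value are constructed.

```python
import struct

# GRE header flag bits (RFC 2784 with the RFC 2890 key/sequence extensions).
GRE_C = 0x8000            # checksum present
GRE_K = 0x2000            # key present
GRE_S = 0x1000            # sequence number present
GRE_VERSION_MASK = 0x0007 # low three bits of the first word; RFC 2784 GRE is version 0
PROTO_IPV4 = 0x0800       # EtherType of the encapsulated payload

def inet_checksum(data):
    """RFC 1071 one's-complement checksum, as used by IP, GRE and friends."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def gre_encap(payload, proto=PROTO_IPV4, key=None, seq=None, checksum=True):
    """Prepend a GRE header. The payload is copied as-is: nothing is encrypted or signed."""
    flags = 0
    if checksum:
        flags |= GRE_C
    if key is not None:
        flags |= GRE_K
    if seq is not None:
        flags |= GRE_S
    header = struct.pack("!HH", flags, proto)
    if checksum:
        header += struct.pack("!HH", 0, 0)           # checksum placeholder + Reserved1
    if key is not None:
        header += struct.pack("!I", key)
    if seq is not None:
        header += struct.pack("!I", seq)
    packet = header + payload
    if checksum:                                     # computed over header + payload
        packet = packet[:4] + struct.pack("!H", inet_checksum(packet)) + packet[6:]
    return packet

def gre_decap(packet):
    """Parse a GRE packet into its fields; raises on a bad checksum or a non-zero version
    (PPTP's enhanced GRE, RFC 2637, is version 1 and laid out differently)."""
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & GRE_VERSION_MASK != 0:
        raise ValueError("unsupported GRE version")
    offset = 4
    fields = {"proto": proto}
    if flags & GRE_C:
        if inet_checksum(packet) != 0:               # sum including the stored checksum must be 0
            raise ValueError("GRE checksum mismatch")
        offset += 4
    if flags & GRE_K:
        fields["key"] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_S:
        fields["seq"] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    fields["payload"] = packet[offset:]
    return fields

def gre_valid(packet):
    """Convenience wrapper: True if the packet parses as version-0 GRE with a good checksum."""
    try:
        gre_decap(packet)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample: a fake inner packet tunneled with key 73251 (a Client ID) and seq 1.
    wire = gre_encap(b"\x45\x00management secret", key=73251, seq=1)
    print(wire.hex(), gre_decap(wire))
```

Run it and look at the hex: the inner bytes are readable in the middle of the GRE packet, which is the whole reason the handbook pairs GRE with IPsec whenever the path crosses the Internet.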
78. In computer networking, L2TP (Layer 2 Tunneling Protocol) is a tunneling protocol used to support virtual private networks (VPNs). It does not provide any encryption or confidentiality by itself; it relies on an encryption protocol that it passes within the tunnel to provide privacy, which is why in practice it is deployed as L2TP/IPsec (RFC 3193), with IPsec protecting the L2TP packets. MPLS (Multiprotocol Label Switching) is a mechanism in high-performance telecommunications networks that directs and carries data from one network node to the next. MPLS makes it easy to create “virtual links” between distant nodes. It can encapsulate packets of various network protocols. MPLS is a highly scalable, protocol-agnostic, data-carrying mechanism. In an MPLS network, data packets are assigned labels, and packet-forwarding decisions are made solely on the contents of the label, without the need to examine the packet itself. This allows one to create end-to-end circuits across any type of transport medium, using any protocol. MPLS operates at an OSI layer that is generally considered to lie between the traditional definitions of Layer 2 (Data Link Layer) and Layer 3 (Network Layer), and is thus often referred to as a “Layer 2.5” protocol. It was designed to provide a unified data-carrying service for both circuit-based clients and packet-switching clients that provide a datagram service model, and it can be used to carry many different kinds of traffic. MPPE (Microsoft Point-to-Point Encryption) is a protocol for encrypting data across Point-to-Point Protocol (PPP) and Virtual Private Network links. It uses the RSA RC4 stream cipher and supports 40-bit, 56-bit and 128-bit session keys, which are changed frequently to improve security; the exact frequency is negotiated, but may be as often as every packet. MPPE provides no integrity protection, its session keys are derived from the MS-CHAP authentication exchange, and MS-CHAPv2 is known to be breakable, so an MPPE link is only as strong as that exchange. In computer networking, PPP (Point-to-Point Protocol) is a data link protocol commonly used to establish a direct connection between two networking nodes. 
It can provide connection authentication, transmission encryption (privacy), and compression. 36 Terminology [continuation]
79. PPTP (Point-to-Point Tunneling Protocol) is a method for implementing virtual private networks. PPTP uses a control channel over TCP (port 1723) and an enhanced GRE tunnel to encapsulate PPP packets. The PPTP specification does not describe encryption or authentication features and relies on the tunneled PPP protocol to implement security functionality. However, the most common PPTP implementation, shipping with the Microsoft Windows product families, implements various levels of authentication and encryption natively as standard features of the Windows PPTP stack, typically MS-CHAPv2 for authentication and MPPE for encryption. The intended use of this protocol was to provide security and remote access comparable to typical VPN products; because MS-CHAPv2 is breakable and MPPE uses RC4 without integrity protection, PPTP should no longer be relied on for confidentiality, and IPsec, L2TP/IPsec or SSTP are the appropriate replacements. In the field of computer networking and other packet-switched telecommunication networks, the traffic engineering term QoS (Quality of Service) refers to resource reservation control mechanisms rather than the achieved service quality. Quality of service is the ability to provide different priority to different applications, users, or data flows, or to guarantee a certain level of performance to a data flow. SSH (Secure Shell) is a network protocol that allows data to be exchanged using a secure channel between two networked devices. TLS (Transport Layer Security) and its predecessor, SSL (Secure Sockets Layer), are cryptographic protocols that provide security for communications over networks such as the Internet. They sit above the transport layer (TCP) and encrypt the application data of a connection end-to-end between the two endpoints. SSTP (Secure Socket Tunneling Protocol) is a form of VPN tunnel that transports PPP traffic through an SSL/TLS channel (the original specification named SSL 3.0; SSL 3.0 has since been deprecated by RFC 7568, and current implementations use TLS). The TLS channel provides transport-level security with key negotiation, encryption and traffic integrity checking. Because SSTP runs over TCP port 443, it passes through virtually all firewalls and proxy servers. 37 Terminology [continuation]