IPSec in the Intranet
The following case studies look at the implementation of IPSec Intranet VPNs in the real world. Focussing on the infrastructure on which the networks were built, the examples tell the story of why IPSec was required.
- REDUCING COSTS IN A NATIONWIDE NETWORK
- SIMPLIFYING MANAGEMENT IN THE CENTRALIZED NETWORK
- NETWORK SEGMENTATION
- INTERNAL DATA PROTECTION
- USING THE INTERNET AS A SECONDARY NETWORK
Internet.com's PC Webopedia defines an Intranet as "A network based on TCP/IP protocols (an internet) belonging to an organization, usually a corporation, accessible only by the organization's members, employees, or others with authorization." IPSec fits into the Intranet mold by serving as an enabling technology for building multi-site Intranets on public network foundations: VPNs. Firewalls and strong user authentication (such as RADIUS) are useful for limiting access to Intranets, but they are worthless if not coupled with protective mechanisms for the information flowing between Intranet sites.
Intranets serve a number of different purposes within organizations. For some, they are meant to provide employees with updated information on benefits, pensions, company policies or procedures. For others, Intranets collate documents -- such as forms, contracts or user guides -- into easily accessible libraries, often presented to the employee as web-like portals or indexes. In the VPN Intranet, applications and infrastructure are combined. The Intranet VPN is both the means by which information is shared internally and the information itself, delivered to all members of the organization wherever employees may be.
INTRANET CASE STUDY 1: REDUCING COSTS IN A NATIONWIDE NETWORK
A large financial institution in the United States used a number of different media -- Frame Relay, leased lines, satellites, and others -- to connect its branches nationwide. Faced with the need to reduce its networking costs, the institution chose to transfer its communications infrastructure to a single public IP network. In order to make the transition to the shared medium, two specific needs had to be resolved: security and network reliability. As a financial institution, it placed great emphasis on the privacy of information to be transmitted over its network, insisting on the strongest standardized public-key cryptographic methods available, including authentication controls. The immediacy of its information provision demands also required 24x7 availability, with guaranteed network performance and capacity.
The solution chosen was an IPSec VPN built on a national carrier's portion of the public Internet backbone. The IP network provided to the customer (the financial institution) is shared with other users, hence the necessity for IPSec; but because the carrier uses its own network as the VPN's foundation, it is able to provide the customer with bandwidth levels guaranteed in a service level agreement (SLA). Thus, the customer was able to reduce costs, maintain reliability and ensure information privacy.
INTRANET CASE STUDY 2: SIMPLIFYING MANAGEMENT IN THE CENTRALIZED NETWORK
This next case study looks at a bank in Europe that is designed, from the networking perspective, as a centralized organization. It has a headquarters site, where databases and mainframes are located, and branch offices where customer needs are addressed. Three characteristics describe the bank's communications network:
- It is built in a star topology: the branches rely on the central databases and mainframes.
- The sensitivity of the data (and government regulations) requires security precautions, with link encryption systems operating on each connection.
- The backbone is a private network.
This bank, unlike the institution in Case Study 1, chose to maintain its private network, although it did move from dedicated lines to Frame Relay. Here the motivating factor was not cost reduction. Instead, the bank looked for a way to simplify the security and management of its network. The use of link encryptors raised two major problems:
- Lack of central management capabilities: the encryptors in the network can only be managed on a box-by-box level. Network-wide changes require painstaking work on the part of the network management team.
- Burdensome quantities of security devices: for every link encryptor added at a remote site, a "twin" must be added at the central site. This raises two problems: if a new branch is added to the network, two boxes must be purchased per link (four if redundancy is required); and security management at headquarters becomes impossible, with endless numbers of encryptors requiring maintenance on a continuous basis.
The transition to an IPSec VPN simplified the bank's communications system. Unlike link encryption, IPSec operates at the network level. Thus, the branches and the headquarters each require only one encryption device to create secure links between all sites. In this specific case, two devices were installed at each site, to provide hot backup capabilities in the event of a failure on one of the links. IPSec was also a simplifying factor from the management perspective. Virtualfiler's devices make it possible to manage security on a central or regional level. This specific case required central management, and with the help of the Virtualfiler solution the bank is able to update the policies of specific branches, or of the entire network, from headquarters.
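The following Python model is an added example, not code from the article or from the vendor it describes. It shows the two points Case Study 2 rests on: that one IPSec gateway per site replaces a pair of link encryptors per link, and that a single centrally held policy can be compiled into the security policy database (SPD) of each gateway in a star topology. Site names, subnets and gateway addresses are constructed sample values; the SPD actions PROTECT, BYPASS and DISCARD are the terms used in RFC 4301, which the article itself does not reference. The model also covers the case the star topology makes easy to overlook: branch-to-branch traffic hairpins through the hub, so the hub's policy must include every branch pair, and any packet that matches no PROTECT entry is discarded rather than forwarded in the clear over the shared carrier network.

```python
"""Model of centrally managed IPSec policy for a hub-and-spoke intranet VPN.
All sites, subnets and gateway addresses below are constructed sample values."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Site:
    name: str
    subnet: IPv4Network   # private address range behind this site's gateway
    gateway: str          # carrier-facing address of the IPSec gateway (constructed)
    is_hub: bool = False


@dataclass(frozen=True)
class SpdEntry:
    src: IPv4Network
    dst: IPv4Network
    action: str                  # PROTECT, BYPASS or DISCARD (RFC 4301 SPD actions)
    peer: Optional[str] = None   # remote gateway address for PROTECT entries


# Constructed topology: one headquarters hub and three branches.
SITES = [
    Site("hq", ip_network("10.0.0.0/16"), "198.51.100.1", is_hub=True),
    Site("branch-a", ip_network("10.1.0.0/16"), "198.51.100.10"),
    Site("branch-b", ip_network("10.2.0.0/16"), "198.51.100.20"),
    Site("branch-c", ip_network("10.3.0.0/16"), "198.51.100.30"),
]


def build_spd(sites: List[Site], local: str) -> List[SpdEntry]:
    """Compile the single central policy into the ordered SPD of one gateway.
    A branch only needs to know the hub; the hub needs an entry for every
    destination branch from every other site, because spoke-to-spoke
    traffic is decrypted at the hub and re-protected towards the far branch."""
    hub = next(s for s in sites if s.is_hub)
    me = next(s for s in sites if s.name == local)
    others = [s for s in sites if s.name != local]
    spd: List[SpdEntry] = []
    if me.is_hub:
        for dst in others:
            for src in sites:
                if src.name != dst.name:
                    spd.append(SpdEntry(src.subnet, dst.subnet, "PROTECT", dst.gateway))
    else:
        for dst in others:
            spd.append(SpdEntry(me.subnet, dst.subnet, "PROTECT", hub.gateway))
    # Catch-all last: anything not explicitly protected is dropped, never
    # sent across the shared carrier network in cleartext.
    spd.append(SpdEntry(ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"), "DISCARD"))
    return spd


def lookup(spd: List[SpdEntry], src_ip, dst_ip) -> SpdEntry:
    """First-match lookup; SPD entries are ordered, so the catch-all goes last."""
    for entry in spd:
        if src_ip in entry.src and dst_ip in entry.dst:
            return entry
    raise LookupError("no SPD entry matched")  # unreachable with the catch-all


def forwarding_path(sites: List[Site], src: str, dst: str) -> Tuple[List[str], str]:
    """Simulate which gateways handle a packet from src to dst and the outcome.
    Returns (names of gateways traversed, final action)."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    by_gateway = {s.gateway: s for s in sites}
    current = next((s for s in sites if src_ip in s.subnet), None)
    if current is None:
        return [], "NOT_INTRANET"
    hops = [current.name]
    for _ in range(len(sites)):  # bounded walk: a star has no loops
        if dst_ip in current.subnet:
            return hops, "DELIVERED"
        entry = lookup(build_spd(sites, current.name), src_ip, dst_ip)
        if entry.action != "PROTECT":
            return hops, entry.action
        current = by_gateway[entry.peer]
        hops.append(current.name)
    return hops, "LOOP"


def device_count(n_branches: int, redundant: bool) -> Tuple[int, int]:
    """Encryption boxes needed for n branches: link encryptors need a twin at
    headquarters for every branch box (two per link, four with redundancy);
    IPSec needs one gateway per site, doubled for hot standby.
    Returns (link_encryptors, ipsec_gateways)."""
    k = 2 if redundant else 1
    return 2 * n_branches * k, (n_branches + 1) * k


if __name__ == "__main__":
    print(forwarding_path(SITES, "10.1.5.5", "10.2.7.7"))   # branch-a -> hq -> branch-b
    print(forwarding_path(SITES, "10.1.5.5", "192.0.2.9"))  # no policy: discarded
    print(device_count(100, True))                          # (400, 202)
```

A change to the central policy, such as adding a fourth branch to SITES, is reflected in every gateway's SPD by recompiling, which is the management property the case study credits to IPSec; with per-link encryptors the same change means buying and configuring two more boxes.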