PCBUILD Archives

Personal Computer Hardware discussion List

PCBUILD@LISTSERV.ICORS.ORG

Reply To: PCBUILD - Personal Computer Hardware discussion List <[log in to unmask]>
Date: Thu, 17 May 2001 17:17:51 -0700

  From the network perspective, there are at least two, and perhaps
actually three functional needs here.  One is the static VPN between
headquarters and the branch office, and many devices on the market
can do that well.
  To provide secure remote access, my favourite is the Cisco 3005.
Many VPN solutions I've evaluated include client programs that are
(a) much harder to configure/use, and (b) licensed per copy, so you
have to track who is using them.  The client for the 3000 series used
to be a flat rate site license; if they've now made it per copy, it's
at least so cheap you can just buy a bunch and not bother tracking
them.  (And yes, the 3005 can do point-to-point static VPN as well,
although you want another one or a PIX at the branch office end.)

  The third requirement comes into play if you want users in the
office to be able to get to hosts on the Internet, and that's a job
for a firewall.
  VPN boxes are generally Ethernet-only, and so there's going to need
to also be a router to connect between the Ethernet and whatever
technology connects the office to the Internet.  It's *possible* to
use access lists on the router to provide firewall-like security;
where this breaks down is where you need to make routine changes to
policy -- on many routers, the only effective way to update an access
list is to enter a new one from scratch!
  So I think a firewall appliance like the NetScreen-5 or the
SonicWall SOHO2 will pay for itself in ease of administration -- and
you could use one of these at the branch office end of the static VPN
for about a quarter the cost of a Cisco 3005.

  One other VPN tip -- you'll get best results with a static VPN
between HQ and branch office if both are on the same provider
backbone.  Backbone peering points tend to disrupt VPN tunnel
protocols.

  All of this gets the branch office LAN and remote users onto the
internal network.  Note that if you want NetBIOS/Network Neighborhood
across multiple subnets (you're going to have at least two, HQ and
branch, and I like to group remote users as a third), you'll want the
(a) server to provide WINS resolution.
  That's the only part of the networking side that cares about
whether the use of the network is peer-to-peer or server-centric.

  The two biggest requirements on the server are that it have lots of
disk space and a UPS.  Your remote users are going to need to
authenticate against something, and my preference would be to
institute a domain structure (or perhaps Active Directory) so that
remote and local users authenticate against the same set of
accounts/passwords, but that's a recommendation and not a
requirement.

Dave Gillett
A+, MCSE, and now CCNA

On 15 May 2001, at 21:33, Ron Jobe wrote:

> A friend of mine wants to change their office network (Win9x
> peer-to-peer) to a server-style environment where the majority of
> the company's data would be stored on the "server".  They also
> want to allow the employees to access this new server from outside
> the physical building (dial-up, VPN ?).  They are also planning to
> open a small branch office that will be accessing the same server
> during business hours.  I was thinking along the lines of an
> external router/firewall/VPN device, but that still wouldn't solve
> the server storage problem.
>
> Thanks for any suggestions!
> Ron Jobe
>
>                          PCBUILD's List Owners:
>                       Bob Wright<[log in to unmask]>
>                        Drew Dunn<[log in to unmask]>
>