EXPERT RESPONSE
To create a secure site-to-site VPN connecting your offices to your HQ, you have two topology options: hub-and-spoke or full-mesh.
In hub-and-spoke, all offices will have one VPN tunnel to your HQ's VPN gateway. Use this topology if most offices need to communicate only with HQ and rarely/never with each other, or if you'd like to centralize all traffic control and monitoring at your HQ.
In full-mesh, every office will have one VPN tunnel to every other office and HQ. Use this topology if offices need to communicate with each other frequently, at high volume, or if you don't want inter-office communication to depend on HQ availability.
For each topology, you'll need to deploy a VPN gateway at every office and at your HQ. Start by looking at VPN options associated with whatever DSL router/firewall you already have at each location. It's very possible that existing routers/firewalls can be used as IPsec VPN gateways. Consult product documentation to determine available VPN features and options.
If your offices use a mixture of router/firewall products, you'll need to ensure that all seven support a common subset of VPN protocols and security options. That can be a bit harder, but not impossible -- again, consult your vendor for FAQs or tech support notes that provide instructions on how to pair with other vendor VPN gateways.
If you are unable to use your existing DSL routers/firewalls as VPN gateways, you may want to purchase new security appliances to be installed between each DSL router and office network. Security appliances are sold in many sizes and prices, so you'll need to consider how much traffic you'll be sending between offices. In particular, you may want a new security appliance for your HQ if you use hub-and-spoke VPN topology, since that "hub" becomes a potential bottleneck and must perform well, with sufficient availability.
Although it is old now, you might find it useful to read this VPN RFP series that I wrote for ISP-Planet. That RFP illustrates site-to-site VPN configurations similar to the one that you are trying to create, and discusses requirements you should consider. The RFP is written from the point of view of an ISP offering managed VPN services. In fact, purchasing site-to-site VPN services is another option you may want to consider. For recent examples of managed VPN services and features, see this annual MSSP survey that I conducted in December 2004.
|
