How-to: Moving to VPNs from leased lines

Question: My company would like to replace a lot of our leased lines with an Internet and VPN solution. We’re paying a small fortune for the leased lines, and because all of our offices have T-1 or better Internet connectivity, it seems like a waste to also have the leased lines.

First, what do you think of this idea? And second, what products would you recommend I look at? We are hoping to make this move in the near future, and we want an established product. Our preferred network equipment vendor is Cisco Systems Inc., but we will look at other solutions.

Brooks: For the most part, I don’t have a problem with your idea to switch to a VPN from leased lines. You should be aware, however, that you may experience reduced connectivity, probably nothing drastic, but depending on your application, a tenth of a per cent of downtime may be unacceptable.

You’ll have the best luck if all of your locations use the same large Internet carrier: Your traffic will stay on their backbone and you won’t have to worry about tracking down peering arrangements or about your traffic going through large Internet exchanges, which are often a problem. If you can’t get the same carrier at every location, you’ll want to make sure that the various carriers you do get have private peering arrangements in which their networks are directly connected, thus bypassing the public Internet exchanges.

It sounds as if you’re talking about “stringing” permanent VPNs between locations, but in upgrading, you’ll also be able to allow mobile clients to connect to the home network securely. If you don’t want that, you can disable it, of course, but once the capability is there, most people find uses for it.

There are any number of solid products out there. I’m still a fan of the Nortel Contivity series, formerly Bay Contivity, and New Oak before that. I’ve used them in the “real world” and they’ve served me well, although their high-end products are surprisingly heavy and have led to a few pulled back muscles. You’ll need some help; don’t try to put them in a rack by yourself!

I don’t have direct experience with Cisco’s solution, but I would expect that it would be comparable. There are also several respectable VPN plug-ins for common firewalls. You might consider some of these plug-ins, depending on your traffic load.

Lori: Well, I think it is a good idea to get rid of at least some of your leased lines and move to a VPN solution; leased lines can be very expensive. There’s one thing to keep in mind, though: If your network traffic over the leased lines is time-sensitive or mission-critical, you may want to keep some of those lines. VPNs are a great low-cost way to connect your offices, but you also have to deal with Internet bottlenecks as a result. And leased lines do provide a reliable, more secure setting for connections.

When making your product selection, ask yourself what level of security you will need and how many people will need access. Also, managing a VPN solution will require a different set of skills than those needed for managing leased lines. Installation will require more hands-on involvement from IT, and there will be ongoing maintenance and troubleshooting issues.

The list of possible solutions can get pretty long. But here are some of the biggest names in this area. Lucent Technologies offers solutions such as VPN Gateway, which is geared toward large enterprise corporations and service providers. Another possibility is Check Point’s VPN-1 Gateway. Other vendors include Nortel Networks, 3Com, and VPNet.

You mention that you are interested in Cisco equipment. Like Brooks, I don’t have direct experience with these Cisco products, but I’ve heard very good things about them. Cisco offers a Secure PIX Firewall that is a powerful firewall that includes IPSec (IP Security) VPN capabilities.

Best of luck in reducing excess costs and securing yourself with a VPN solution that suits your needs.
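Both answers above talk about "stringing" permanent IPsec tunnels between offices but name no configuration. The following is an added example of what one end of such a site-to-site tunnel looks like on a Cisco IOS router with classic crypto-map syntax; it is not from the original column, from either columnist, or from Cisco's documentation. The IOS release, the interface names, the addresses (RFC 5737 documentation ranges), the office subnets, the policy and map names, and the pre-shared key are all assumptions chosen for illustration. The commented-out block shows the weak legacy settings a practitioner should refuse to accept, the live lines show the corrected ones.

```cisco
! Added example: head-office end of a site-to-site IPsec tunnel, Cisco IOS router syntax.
! Assumed: IOS 15.x with AES/SHA-256 support, WAN on GigabitEthernet0/0 (198.51.100.2),
! branch peer at 203.0.113.2, head office LAN 10.1.0.0/16, branch LAN 10.2.0.0/16.
!
! --- Weak settings (do NOT use; shown only for contrast) ---
! crypto isakmp policy 10
!  encryption des
!  hash md5
!  authentication pre-share
!  group 1
! crypto ipsec transform-set WEAK esp-des esp-md5-hmac
!
! --- Phase 1 (IKEv1) policy: AES-256, SHA-256, DH group 14, 8-hour lifetime ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
!
! Pre-shared key bound to the single branch peer address (placeholder value; assumed).
crypto isakmp key ReplaceWithLongRandomSecret address 203.0.113.2
!
! --- Phase 2 (IPsec) transform set: ESP with AES-256 and SHA-256 HMAC, tunnel mode ---
crypto ipsec transform-set STRONG esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Only traffic between the two office LANs is "interesting" and gets encrypted.
ip access-list extended BRANCH-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Crypto map ties the peer, the transform set, PFS and the traffic selector together.
crypto map TO-BRANCH 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set STRONG
 set pfs group14
 match address BRANCH-TRAFFIC
!
! Apply the map on the Internet-facing interface.
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.252
 crypto map TO-BRANCH
```

The branch router gets the mirror image: the same policy and transform set, `set peer 198.51.100.2`, and an access list with the source and destination subnets swapped. After both ends are up, `show crypto isakmp sa` should list the peer in state `QM_IDLE` and `show crypto ipsec sa` should show encapsulation counters climbing as office-to-office traffic flows; if the ISAKMP SA never forms, verify that UDP/500 (and UDP/4500 if either side is behind NAT) is allowed through any upstream filtering.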