vpn hardware solution


Hello, first let me say that I am not a network expert at all, and
also thanks to whoever takes the time to read this. I work for a
company that makes industrial monorail systems for the laundry
industry. We will go into large industrial buildings and install many
different network devices including computers, PLCs, and remote I/O
devices. All of our devices need to have static IP addresses. We need
to troubleshoot our devices remotely, and most often we accomplish that
by having the facility provide us with a dedicated phone line to our
main PC, which although slow, is very reliable and simple to set up.
Some customers are unwilling to give us phone lines and give us only a
network connection and set up a VPN for us. This works, but currently
it seems that different IT departments set up VPNs differently, and
sometimes we need special software to connect. We also don't know
how to make these VPNs work without changing all of our network
devices' IP addresses (sometimes over 100 devices) to match the IPs of
the VPN we are given. We would love to always go with VPN
connections over a phone line because of the speed and other features
we could use from having our systems on the internet, but would like
them to work the same all the time and not require us to change the IP
addresses of our devices. We were wondering if there was perhaps a
hardware solution for this. Perhaps we could provide our customer
with some type of VPN router that we tell our customers to just give
internet to? Should we have two network cards in our main PC? I
really have no idea how this type of networking works, but I feel that
a solution for this problem exists. Thanks.

Larry

Re: vpn hardware solution


Larry Erickson wrote:

Same problem here, different customers have different VPN
implementations, IP ranges and restrictions. Most customers will not let
you put anything on their network that connects directly to the internet
and is outside their direct control. The current solution is to use a
separate (minimal) virtual machine for each customer, and let the
customers' IT support install whatever they deem necessary on that to
get a VPN link working. VM goes back to the office, gets installed on a
common server, and whoever needs to do support for that customer
connects to the VM.

If you like to keep your static IP address layout the same across
multiple installations, you will need to separate your control network
completely from the client's network, in case a client also uses that
range on their network (a good idea anyway for other reasons) and run
another tunnel (e.g. VPN or SSH with port forwarding) into that. Most
major network vendors sell boxes that can be (ab)used for that,
alternatively a small headless PC-like device (Soekris or similar) with
two network adapters and Linux will do the job.

J.

Re: vpn hardware solution



Thanks a lot for your response. It is nice to know that other people
have similar situations. I am pretty unfamiliar with virtual machines,
so I have a couple more questions.
First, what is the reason most customers will not let you connect
directly to the internet? Is it security, cost, or another reason?
Is there anything that can be done to make this idea more appealing to
customers? Also, if you could connect directly to the internet, what
would be the best way to remotely connect?

We do like to keep all of our static IP address layouts the same
across all our installations. As far as the virtual machine solution
goes, what do you recommend using for a Windows platform? I think you
were saying to set up our normal network settings on our main PC, and
then install a virtual machine on that PC also, on which the customer's IT
department installs their VPN link software. We then connect through
the VPN to our PC's virtual machine, from which we can access our other
network devices somehow. In your last paragraph, are you saying
that we should always be using two network cards, or use a hardware
solution that can provide the same thing? Sorry for all the
questions, and again thanks for responding.

Larry

Re: vpn hardware solution


Larry Erickson wrote:


Various security concerns; from the customers' point of view: "There is
something on my network that is connected directly to the internet; I
have no control over setup, security updates etc., so I am not happy."
If you do not have to be connected to the customer's own network (e.g.
for SCADA systems that the customer wants to see from his desktop) there
is normally no problem besides the cost of a separate connection. If
there *is* a need to be connected to the customer's network, the best
solution is to have the customer put in a firewall between your network
and theirs. That puts updates and firewall maintenance responsibility on
them too ;)


Correct. We use VMWare, it is OS-independent for what we use (Windows VM
running under Linux or Windows). Install VMWare on a laptop, let the
customer play around in a VM to set up VPN, and copy the VM off the
laptop later. On the server in the office you end up with a collection
of VMs, if customer X needs support fire up the VM for customer X and
connect. Caveat: most VPNs restrict any other network access as long as
the VPN is connected, so if you have to copy files back and forth
between office and site you have to copy them to the VM first, connect,
then copy to site.

 > In your last paragraph,

Matter of personal preference, and budget. I prefer a separate device
(e.g. I can also use it as a DHCP server for connecting laptops on-site,
and set it up as a proper firewall between control network and generic
office network), but a solution with two network cards, one inside the
customer's network and one on the control network can work too. Beware
of routing pitfalls if the customer's IP ranges overlap yours.
If you have the customer give you VPN access they might even be able to
put a firewall/router in that gives you direct access; otherwise you
will have to set things up so that you have access through their VPN to
a single IP address on the second network card, run a VPN or SSH server
on your machine, and route through there into the rest of the control
network.
Standard boxes exist that can do this (Cisco ASA series comes to mind,
other brands have similar things, but there you are talking fairly
serious money). If you have the expertise in-house (or can borrow it
from somewhere) to set up a small Soekris board it might be more
cost-effective.
And nobody says you can't have a back-up modem line attached to the same
box, as a back-up in case the VPN doesn't work. At one site we have a
little GSM modem that has come in handy when somebody dug up both the
primary *and* the back-up network lines near a customer's site.

All in all, it depends on how much money you want to spend, and how much
time in setting it up. A second-network-card solution might be a bit of
a pain to get set up, but if it is well-documented you start seeing the
savings with the next site.

J.
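As an added illustration of the two-network-card layout and the overlap pitfall J. describes above (this is example code, not something posted in the thread), the function below sanity-checks a site plan before anything is cabled up: the fixed control-network range, the customer's VPN/LAN ranges, and the address of each card. All addresses are constructed sample values.

```python
import ipaddress

def check_site_plan(control_net, customer_nets, vpn_nic_ip, control_nic_ip):
    """Return a list of problems with a two-NIC site plan (empty means OK).

    control_net    : your fixed control-network range kept identical at every site
    customer_nets  : ranges the customer's VPN or LAN hands you (constructed input)
    vpn_nic_ip     : address of the card facing the customer's network
    control_nic_ip : address of the card facing your control network
    """
    problems = []
    ctl = ipaddress.ip_network(control_net, strict=False)
    cust = [ipaddress.ip_network(n, strict=False) for n in customer_nets]
    vpn_ip = ipaddress.ip_address(vpn_nic_ip)
    ctl_ip = ipaddress.ip_address(control_nic_ip)

    # The routing pitfall from the thread: if the customer's range overlaps the
    # control network, the kernel cannot tell which card a packet belongs on.
    for n in cust:
        if n.overlaps(ctl):
            problems.append(f"customer range {n} overlaps control network {ctl}")

    # The customer-facing card must sit inside one of the customer's ranges,
    # otherwise their VPN users cannot reach the single IP you expose to them.
    if not any(vpn_ip in n for n in cust):
        problems.append(f"VPN-side address {vpn_ip} is not in any customer range")

    # It must also stay out of the control network, or replies leave on the wrong card.
    if vpn_ip in ctl:
        problems.append(f"VPN-side address {vpn_ip} lies inside control network {ctl}")

    # The control-side card must be inside the control network it serves.
    if ctl_ip not in ctl:
        problems.append(f"control-side address {ctl_ip} is not in {ctl}")

    return problems

if __name__ == "__main__":
    # Constructed sample: a clean plan and one that clashes with the customer's LAN.
    for plan in [("192.168.10.0/24", ["10.20.0.0/16"], "10.20.5.7", "192.168.10.1"),
                 ("192.168.10.0/24", ["192.168.0.0/16"], "192.168.10.7", "192.168.10.1")]:
        print(plan, "->", check_site_plan(*plan) or "OK")
```

A non-empty result means the plan needs a different customer-side address or a renumbered customer range before the SSH/VPN hop into the control network will route cleanly.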
