Posted by Larry Erickson on September 10, 2008, 9:36 am
Hello, first let me say that I am not a network expert at all, and also thanks to whoever takes the time to read this.

I work for a company that makes industrial monorail systems for the laundry industry. We will go into large industrial buildings and install many different network devices including computers, PLCs, and remote IO devices. All of our devices need to have a static IP address. We need to troubleshoot our devices remotely and most often we accomplish this by making the facility provide us with a dedicated phone line to our main PC, which although slow, is very reliable and simple to set up.

Some customers are unwilling to give us phone lines and give us only a network connection and set up a VPN for us. This works but currently it seems that different IP departments set up VPNs differently, and sometimes we need special software to connect. We also don't know how to make these VPNs work without changing all of our network devices' IP addresses (sometimes over 100 devices) to match the IPs of the VPN we are given.

We would love to always go with VPN connections over a phone line because of the speed and other features we could use of having our systems on the internet, but would like them to work the same all the time and not require us to change the IP addresses of our devices. We were wondering if there was perhaps a hardware solution for this. Perhaps we could provide our customer with some type of VPN router that we tell our customers to just give internet to? Should we have two network cards in our main PC? I really have no idea how this type of networking works, but I feel that a solution for a problem exists.

Thanks.

Larry

Posted by jack masters on September 11, 2008, 6:25 am
Same problem here, different customers have different VPN implementations, IP ranges and restrictions. Most customers will not let you put anything on their network that connects directly to the internet and is outside their direct control.

The current solution is to use a separate (minimal) virtual machine for each customer, and let the customers' IT support install whatever they deem necessary on that to get a VPN link working. VM goes back to the office, gets installed on a common server, and whoever needs to do support for that customer connects to the VM.

If you like to keep your static IP address layout the same across multiple installations, you will need to separate your control network completely from the client's network, in case a client also uses that range on their network (a good idea anyway for other reasons) and run another tunnel (e.g. VPN or SSH with port forwarding) into that. Most major network vendors sell boxes that can be (ab)used for that, alternatively a small headless PC-like device (Soekris or similar) with two network adapters and Linux will do the job.

J.

Posted by Larry Erickson on September 11, 2008, 8:23 am
> Larry Erickson wrote:
> > Hello, first let me say that I am not a network expert at all, and
> > also thanks to whoever takes the time to read this. I work for a
> > company that makes industrial monorail systems for the laundry
> > industry. We will go into large industrial buildings and install many
> > different network devices including computers, PLCs, and remote IO
> > devices. All of our devices need to have a static IP address. We need
> > to troubleshoot our devices remotely and most often we accomplish this
> > by making the facility provide us with a dedicated phone line to our
> > main PC, which although slow, is very reliable and simple to set up.
> > Some customers are unwilling to give us phone lines and give us only a
> > network connection and set up a VPN for us. This works but currently
> > it seems that different IP departments set up VPNs differently, and
> > sometimes we need special software to connect. We also don't know
> > how to make these VPNs work without changing all of our network
> > devices' IP addresses (sometimes over 100 devices) to match the IPs of
> > the VPN we are given. We would love to always go with VPN
> > connections over a phone line because of the speed and other features
> > we could use of having our systems on the internet, but would like
> > them to work the same all the time and not require us to change the IP
> > addresses of our devices. We were wondering if there was perhaps a
> > hardware solution for this. Perhaps we could provide our customer
> > with some type of VPN router that we tell our customers to just give
> > internet to? Should we have two network cards in our main PC? I
> > really have no idea how this type of networking works, but I feel that
> > a solution for a problem exists. Thanks.
>
> Same problem here, different customers have different VPN
> implementations, IP ranges and restrictions. Most customers will not let
> you put anything on their network that connects directly to the internet
> and is outside their direct control. The current solution is to use a
> separate (minimal) virtual machine for each customer, and let the
> customers' IT support install whatever they deem necessary on that to
> get a VPN link working. VM goes back to the office, gets installed on a
> common server, and whoever needs to do support for that customer
> connects to the VM.
>
> If you like to keep your static IP address layout the same across
> multiple installations, you will need to separate your control network
> completely from the client's network, in case a client also uses that
> range on their network (a good idea anyway for other reasons) and run
> another tunnel (e.g. VPN or SSH with port forwarding) into that. Most
> major network vendors sell boxes that can be (ab)used for that,
> alternatively a small headless PC-like device (Soekris or similar) with
> two network adapters and Linux will do the job.
>
> J.

Thanks a lot for your response. It is nice to know that other people have similar situations. I am pretty unfamiliar with virtual machines so I have a couple more questions.

First, what is the reason most customers will not let you connect directly to the internet? Is it security, cost, or another reason? Is there anything that can be done to make this idea more appealing to customers? Also if you could connect directly to the internet, what would be the best way to remotely connect?

We do like to keep all of our static IP address layouts the same across all our installations. As far as the virtual machine solution goes, what do you recommend using for a Windows platform? I think you were saying to set up our normal network setting on our main PC, and then install a virtual machine on that PC also, on which the customer's IT department installs their VPN link software. We then connect through the VPN to our PC's virtual machine, in which we can access our other network devices somehow.

In your last paragraph, are you saying that we should always be using two network cards, or use a hardware solution that can provide the same thing? Sorry for all the questions, and again thanks for responding.

Larry

Posted by jack masters on September 11, 2008, 2:12 pm
Larry Erickson wrote:

> Thanks a lot for your response. It is nice to know that other people
> have similar situations. I am pretty unfamiliar with
> virtual machines so I have a couple more questions. First, what is
> the reason most customers will not let you
> connect directly to the internet? Is it security, cost, or another
> reason? Is there anything that can be done to make
> this idea more appealing to customers? Also if you could connect
> directly to the internet, what would be the best way
> to remotely connect?

Various security concerns; from the customers' point of view: "There is something on my network that is connected directly to the internet; I have no control over setup, security updates etc., so I am not happy."

If you do not have to be connected to the customer's own network (e.g. for SCADA systems that the customer wants to see from his desktop) there is normally no problem besides the cost of a separate connection. If there *is* a need to be connected to the customers' network, the best solution is to have the customer put in a firewall between your network and theirs. That puts updates and firewall maintenance responsibility on them too ;)

> We do like to keep all of our static IP address layouts the same
> across all our installations. As far as the virtual
> machine solution goes, what do you recommend using for a windows
> platform. I think you were saying to set up our
> normal network setting on our main pc, and then install a virtual
> machine on that pc also which the customers IT
> department installs their VPN link software. We then connect through
> the VPN to our pc's virtual machine, in which we can
> access our other network devices somehow.

Correct. We use VMware, it is OS-independent for what we use (Windows VM running under Linux or Windows). Install VMware on a laptop, let the customer play around in a VM to set up VPN, and copy the VM off the laptop later. On the server in the office you end up with a collection of VMs, if customer X needs support fire up the VM for customer X and connect.

Caveat: most VPNs restrict any other network access as long as the VPN is connected, so if you have to copy files back and forth between office and site you have to copy them to the VM first, connect, then copy to site.

> In your last paragraph,
> are you saying that we should always be using two
> network cards, or use a hardware solution that can provide the same
> thing? Sorry for all the questions, and again thanks for
> responding.

Matter of personal preference, and budget. I prefer a separate device (e.g. I can also use it as a DHCP server for connecting laptops on-site, and set it up as a proper firewall between control network and generic office network), but a solution with two network cards, one inside the customer's network and one on the control network can work too. Beware of routing pitfalls if the customer's IP ranges overlap yours.

If you have the customer give you VPN access they might even be able to put a firewall/router in that gives you direct access; otherwise you will have to set things up so that you have access through their VPN to a single IP address on the second network card, run a VPN or SSH server on your machine, and route through there into the rest of the control network.

Standard boxes exist that can do this (Cisco ASA series comes to mind, other brands have similar things, but there you are talking fairly serious money). If you have the expertise in-house (or can borrow it from somewhere) to set up a small Soekris board it might be more cost-effective.

And nobody says you can't have a back-up modem line attached to the same box, as a back-up in case the VPN doesn't work. At one site we have a little GSM modem that has come in handy when somebody dug up both the primary *and* the back-up network lines near a customer's site.

All in all, it depends on how much money you want to spend, and how much time in setting it up. A second-network-card solution might be a bit of a pain to get set up, but if it is well-documented you start seeing the savings with the next site.

J.
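
Added example, not part of the thread or written by either poster: a pre-deployment check for the routing pitfall mentioned above on a dual-homed gateway, reporting customer routes that overlap the control network and control devices whose traffic would leave via the customer-side adapter under longest-prefix matching. The interface names (`eth0`, `eth1`), address ranges and device addresses are constructed for illustration.

```python
import ipaddress

def best_routes(routes, dest):
    """Longest-prefix match; returns every route tied for the longest prefix."""
    matches = [(net, ifc) for net, ifc in routes if dest in net]
    if not matches:
        return []
    longest = max(net.prefixlen for net, _ in matches)
    return [(net, ifc) for net, ifc in matches if net.prefixlen == longest]

def audit_gateway(control_net, control_if, routes, devices):
    """Return (overlapping customer routes, devices not reliably reached via control_if)."""
    control = ipaddress.ip_network(control_net)
    table = [(ipaddress.ip_network(n), i) for n, i in routes]
    # A default route "overlaps" everything, so only real prefixes are reported.
    overlaps = [str(n) for n, i in table
                if i != control_if and n.prefixlen > 0 and n.overlaps(control)]
    misrouted = []
    for dev in devices:
        best = best_routes(table, ipaddress.ip_address(dev))
        # Misrouted if no route exists, or a customer-side route wins or ties.
        if not best or any(ifc != control_if for _, ifc in best):
            misrouted.append(dev)
    return overlaps, misrouted

# Constructed sample: eth1 faces the control network, eth0 the customer LAN.
CONTROL_NET, CONTROL_IF = "192.168.1.0/24", "eth1"
ROUTES = [
    ("192.168.1.0/24", "eth1"),    # control network (static layout reused per site)
    ("10.20.0.0/16", "eth0"),      # customer office range, no conflict
    ("192.168.1.128/25", "eth0"),  # customer subnet inside the control range
    ("0.0.0.0/0", "eth0"),         # default route via the customer network
]
DEVICES = ["192.168.1.10", "192.168.1.200"]  # e.g. a PLC and a remote IO device

if __name__ == "__main__":
    overlaps, misrouted = audit_gateway(CONTROL_NET, CONTROL_IF, ROUTES, DEVICES)
    print("overlapping customer routes:", overlaps)
    print("devices that would leave via the wrong NIC:", misrouted)
```

Route metrics are not modelled: a customer route with the same prefix length as the control network is treated as a conflict rather than resolved by priority.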