Thinking About Integrating Mobile Access into your VPN Environment

Introduction

If you haven’t already done so, you’re likely to soon face the task of integrating a variety of access services and devices onto your Virtual Private Network (VPN). Most large organizations can’t afford to ignore the productivity benefits of letting workers retain access to resources when they leave their desks. After all, mobile networks and broadband last-mile networks now reach far enough and deliver enough bandwidth to support LAN applications from nearly anywhere. If employees aren’t forced off-line when away from their traditional wired work spaces, they can continue to participate in meetings and support supervisors and colleagues. This translates into bottom-line benefits.

Enterprise Integration Challenges

Expanding the VPN to include multiple access networks and device types bodes well for boosting revenues and productivity. But the IT department will face some integration challenges. For example, IT will likely aim to keep access simple for end-users, which could make it difficult to also ensure that the disparate services conform to a unified security policy.

IT departments are also tasked with meeting mobile user expectations for continuous coverage and adequate bandwidth, coordinating billing from several access service suppliers and tracking and managing many disparate remote devices.

Often, a global software client or Web-based portal that allows access to the VPN service via multiple access methods can help with ease of use. Depending on your philosophy, you might choose to deploy and manage the software client platform internally or in conjunction with a managed services provider or services aggregator. A service partner can often help unify and manage the billing, settlement and security issues, as well.

How Workers Connect to the Network

Access method            Remote Workers   Mobile Workers
DSL                      70.4%            61.6%
Cable Modem              70.4%            57.6%
Dial-Up                  63.2%            55.2%
Wi-Fi Hot Spot           32%              46.4%
Cellular Data Service    27.2%            36%
Other                    9.6%             7.2%

Source: Eleventh Annual Network World 500 Research study, May 2005 (Multiple responses allowed / N=500)

The VPN is embracing many diverse access methods, posing new management and security challenges for IT.

Let’s look closer at some of the specific issues that arise when bringing new access methods onto your VPN.

Coverage and Capacity

By definition, mobile users can wind up in unpredictable locations, making it particularly challenging to assure that they always have network coverage and adequate bandwidth. For example, for truly mobile users, mobile WAN services – also called cellular or 3G services – offer the broadest coverage. However, today, the highest-speed mobile WAN services are generally available in the fewest locations.

Classify Users with Needs Assessment

A useful exercise in selecting packages of access services for users is to classify the remote-user population into categories based on a needs assessment. You’ll want to determine how often an employee travels and where, as well as what each employee actually does when traveling. For users who basically use mobile access to keep up with messaging, for example, a minimum-minutes mobile WAN service plan might be adequate. But if the worker is basically conducting business while on the road in lieu of a stationary office, you’ll want to recreate a LAN-like atmosphere to the degree possible. This might entail a mix of home broadband and several mobile wireless service types. And international users will require services and devices that work globally, whereas domestic users will not.

Once you have users classified into groups, you can consider purchasing a suite of appropriate access services and device(s) for each group.

What to Ask Mobile Operators

Mobile WAN services will likely be part of the mix for at least some of your user population.

• Balancing Speed and Availability – There are many generations of mobile WAN networks in various stages of deployment. As a result, different services with varying associated speeds are available from area-to-area, and they work with different communications devices. Be sure to match the appropriate device with the appropriate service. If you select a newer, high-speed service, ask the service provider whether it will “fall back” to the next-fastest service in non-coverage areas. Ask, too, whether the fall-back service will be accessible using the same device. Find out what the fall-back speed is, and whether it will meet the application needs of that user group. Check as to whether roaming agreements are in place with a given provider or whether the service provider plays the role of aggregator to offer a larger coverage area. Often by merging the network footprints of multiple operators, users can get the collective effect of a seemingly much larger network. If a user group will need both hot-spot (LAN-speed) and mobile WAN services, it might be financially beneficial to group them under a single billing plan, if available. Wi-Fi hot spots are available in increasing numbers of places, including airports, hotels, convention centers, coffee shops, restaurants and even airplanes, and many of the same providers offer a mix of Wi-Fi and mobile WAN services.

• Internetwork Roaming – You may wish to investigate a provider’s plans for supporting Wi-Fi-to-cellular service handoffs. Dual-mode devices are emerging that support both 802.11 and mobile WAN connections, satisfying users’ itch to carry a single device for both voice and data. This is one factor driving mobile operators to transparently enable a switchover from one network to the other as more bandwidth becomes available or as the available network type simply changes. Real-time applications will also drive Wi-Fi-to-cellular roaming, because such sessions cannot tolerate a break in connectivity when users cross a network boundary. This type of transparent interconnectivity will also eventually be required for the successful implementation of presence-management applications and single-phone-number support. It also will offer the potential for your business to save significantly on cellular phone bills when users are on-site.

Figure: Wi-Fi Soars as Access Method. Millions of Wi-Fi units sold worldwide, 2004 through 2008 (chart values shown: 17.7, 36.1 and 80.4). Source: Infonetics Research, Inc. Shipments of Wi-Fi equipment grew 51% from 2003 to 2004 and are projected to grow another 123% by 2008.

On-Premises Wi-Fi Architecture

Many organizations also are installing wireless LANs in-house, either for specific niche applications or to enable general employee mobility. Wi-Fi, or 802.11 technology, has come a long way since it first became standardized in 1997. Any wireless operation can be tricky, but here are a few tips to keep in mind.

• Conduct a Site Survey – An installation of a decent size requires a wireless LAN site survey. This exercise helps you determine where to install your access points (APs), the infrastructure radios that bridge your mobile users to your wired network. The site survey helps ensure that you place APs so that 802.11 users can always find a signal and access resources. Recent tools help automate this process. Generally, though, some amount of walking around with a scanner is required to unearth mysterious causes of interference and signal blockages. The site survey should account for whether you plan to use the Wi-Fi network to support voice over IP (VoIP) alongside data. VoIP will require much broader coverage, finer tuning, and likely more channels for quality of service (QoS). Follow-up site surveys expose environmental changes and help you maintain performance.
• Which 802.11 Technology(ies) to Use? – At this juncture, you must decide what mix of 802.11 networks you plan to use: 802.11b, 802.11g, 802.11a and, possibly, the emerging 802.11n for 100-Mbps speeds and up. The 802.11n standard is not expected to be final until 2007. The range, network speed, and interference issues vary with these network types. Adding 802.11a to the mix can be beneficial in dense populations and where voice is supported. 802.11a uses a different frequency than 802.11g/b, avoiding interference, and also supports many more channels than the other networks. A radio can only transmit on one channel at a time. The more channels you have, the more radios (and users) you can support in a tight geographic area. The downside to 802.11a is that most of the installed client base today is based on 802.11b/g.

Mobile Operators Checklist – Questions to Ask

What’s the coverage area?
Is a fall-back available?
What’s the fall-back speed?
Is the fall-back accessible from the same device?
Are there roaming agreements?
What are the billing options?
What happens in Wi-Fi to cellular service handoffs?
Other?

Security Threats and Mitigators

The security threats associated with enabling mobile access to your VPN can be roughly categorized into a few main areas. Among them are intrusions from infected mobile endpoints, the theft of data or authentication information from the airwaves in wireless networks, and unauthorized entry into the network from a “rogue” wireless device.

To a certain degree, your strategy for securing endpoints connecting to a network-based VPN (one that uses an infrastructure separate from the public Internet) will differ slightly from securing endpoints connecting to a CPE-, or Internet-based, VPN. Network-based VPN users include those, for example, who are accessing agency resources from remote or branch offices via an MPLS, frame relay or ATM service.

It is a recommended best practice for endpoints with direct contact with the Internet to run a personal firewall to prevent hackers from gaining control of the endpoint device and, consequently, potentially piggybacking onto a VPN connection from there. In addition, data encryption (such as AES, IPSec or SSL, which requires no special client software) is important for protecting the privacy of data en route over a public Internet connection. Usually, only the organizations with the tightest security needs are likely to use encryption over a network-based VPN service, because it already provides the privacy of virtual circuits through a semi-private network.

Intrusion Detection and Prevention (IDS/IPS)

This security category involves protecting the network against denial-of-service (DoS) attacks and other problems caused by malicious signatures and infections. Users might pick these up when they disconnect from your VPN, link to the public Internet when at home or on the road, then reconnect to the VPN using the same device. IDS/IPS has quickly become recognized as a “must” area for supporting users who go off- and on-net. It involves scanning endpoint devices when they connect to the VPN for compliance with antivirus, software patch and operating system version policies. If a device is not in compliance or an infection is discovered, access can simply be blocked, or the connection can be redirected to a server that brings the software up to date.

There are several ways to implement IDS/IPS. Industry initiatives have teamed router and antivirus leaders, for example, to enable this automated capability in the WAN access router. In addition, IDS/IPS services are available from some suppliers of the global remote-access client software mentioned that unify access method selection. Some VPN service providers also offer such a service.

On the premises-based wireless LAN, you’ll also want to implement some degree of scanning for rogue Wi-Fi devices that might be attached to your network to detect and prevent access by unauthorized users. Scanning and device shutdown according to policy is available from some wireless LAN systems vendors, as well as wireless LAN location specialists. This is becoming a must, given that wireless LAN network interface cards are bundled in nearly every laptop shipped and that Wi-Fi access points can be purchased at any electronics store. It is difficult to keep rogue devices out without continually taking a peek at what’s connected.
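The connect-time compliance check described under IDS/IPS, as an added example that is not code from the original paper: it assumes a hypothetical policy (the version and date values are constructed), a placeholder remediation server URL, and constructed endpoint records, and it applies the paper's three outcomes of allow, redirect for update, or block.

```python
"""Endpoint posture check at VPN connect time (added example, not from the paper).

Policy values, the remediation URL and the sample endpoint records are
constructed. Decision logic follows the paper: an infected device is blocked,
a non-compliant one is redirected to an update server, a compliant one is let in."""
from dataclasses import dataclass
from datetime import date

# Hypothetical policy: oldest acceptable AV signature date, maximum patch age
# in days, and approved OS names with their minimum versions.
POLICY = {
    "min_av_signature_date": date(2005, 5, 1),
    "max_patch_age_days": 30,
    "approved_os": {"Windows XP": (5, 1), "Windows 2000": (5, 0)},
}
REMEDIATION_URL = "https://remediation.example.invalid/update"  # placeholder

@dataclass
class Endpoint:
    """What the VPN client reports about the device (constructed fields)."""
    host: str
    os_name: str
    os_version: tuple
    av_signature_date: date
    last_patch_date: date
    infection_detected: bool = False

def evaluate(ep: Endpoint, today: date, policy: dict = POLICY) -> dict:
    """Return {"decision": "allow" | "remediate" | "block", "reasons": [...]}."""
    # An active infection is handled first: no remediation redirect, just a block.
    if ep.infection_detected:
        return {"decision": "block", "reasons": ["infection detected"]}
    reasons = []
    baseline = policy["approved_os"].get(ep.os_name)
    if baseline is None or ep.os_version < baseline:
        reasons.append("operating system not at an approved version")
    if ep.av_signature_date < policy["min_av_signature_date"]:
        reasons.append("antivirus signatures out of date")
    if (today - ep.last_patch_date).days > policy["max_patch_age_days"]:
        reasons.append("software patches older than policy allows")
    if reasons:
        # Non-compliant but not infected: send the connection to the update server.
        return {"decision": "remediate", "redirect": REMEDIATION_URL, "reasons": reasons}
    return {"decision": "allow", "reasons": []}

def evaluate_all(endpoints, today: date) -> dict:
    """Map each host name to its decision, for a connect-time report."""
    return {ep.host: evaluate(ep, today)["decision"] for ep in endpoints}

# Constructed sample endpoints, evaluated as of a fixed date.
SAMPLE_DAY = date(2005, 6, 10)
SAMPLE_ENDPOINTS = [
    Endpoint("laptop-ok", "Windows XP", (5, 1), date(2005, 6, 1), date(2005, 5, 20)),
    Endpoint("laptop-stale", "Windows XP", (5, 1), date(2005, 4, 1), date(2005, 3, 1)),
    Endpoint("laptop-worm", "Windows XP", (5, 1), date(2005, 6, 1), date(2005, 6, 1), True),
    Endpoint("pda-unknown", "Symbian OS", (7, 0), date(2005, 6, 1), date(2005, 6, 1)),
]

if __name__ == "__main__":
    for host, decision in evaluate_all(SAMPLE_ENDPOINTS, SAMPLE_DAY).items():
        print(f"{host}: {decision}")
```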
Data Theft: Break-in or Sniffing/Eavesdropping

A related issue has to do with home users who may wish to use a home computer and a DSL, ISDN or dial-up connection for both VPN access and public Internet access. A recommended best practice is to disallow a capability called “split tunneling,” by which the user can use the same VPN access connection to reach the corporate intranet and to directly access the public Internet. It is recommended that users be required to access the Internet via the corporate VPN connection or using an entirely separate account with the VPN disabled so as not to expose the VPN to intruders and infections.

Figure: Split Tunneling (elements shown: Agency Site, VPN Concentrator, Encrypted Connection, Internet, Remote workstation running VPN client software, Third Party Server).
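The no-split-tunneling best practice can be verified from the client side by inspecting its routing table. Added example, not code from the paper: it assumes a Linux client whose VPN interface is called tun0 and uses constructed "ip route" style tables, including the case where the client overrides the default route with two /1 halves rather than replacing it.

```python
"""Split-tunneling check from a VPN client's routing table (added example, not from the paper).

Parses Linux "ip route" style output; the sample tables below are constructed.
Reports whether Internet-bound traffic leaves through the VPN interface, as the
no-split-tunneling policy requires, or bypasses it while corporate prefixes go
through the tunnel, which is split tunneling."""

def parse_routes(lines):
    """Yield (destination, interface) pairs; "default" and 0.0.0.0/0 are unified."""
    for line in lines:
        tokens = line.split()
        if not tokens:
            continue
        dest = "default" if tokens[0] in ("default", "0.0.0.0/0") else tokens[0]
        iface = tokens[tokens.index("dev") + 1] if "dev" in tokens else None
        yield dest, iface

def check_split_tunnel(lines, vpn_iface="tun0"):
    """Return vpn_up, default_via, split_tunnel and vpn_prefixes for the table."""
    routes = list(parse_routes(lines))
    vpn_prefixes = [d for d, i in routes if i == vpn_iface]
    default_via = next((i for d, i in routes if d == "default"), None)
    # Some clients do not replace the default route; they add the two /1 halves
    # through the tunnel, which together override it. Treat that as a VPN default.
    halves_via_vpn = {"0.0.0.0/1", "128.0.0.0/1"} <= set(vpn_prefixes)
    effective_default = vpn_iface if halves_via_vpn else default_via
    vpn_up = bool(vpn_prefixes)
    return {
        "vpn_up": vpn_up,
        "default_via": default_via,
        "split_tunnel": vpn_up and effective_default != vpn_iface,
        "vpn_prefixes": vpn_prefixes,
    }

# Constructed sample tables.
FULL_TUNNEL = [  # compliant: the default route itself goes through tun0
    "default via 10.8.0.1 dev tun0",
    "10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5",
    "192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20",
]
HALVES_TUNNEL = [  # compliant: default left alone, both /1 halves override it via tun0
    "default via 192.168.1.1 dev eth0",
    "0.0.0.0/1 via 10.8.0.1 dev tun0",
    "128.0.0.0/1 via 10.8.0.1 dev tun0",
    "10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5",
]
SPLIT_TUNNEL = [  # violation: only the corporate 10/8 block uses the tunnel
    "default via 192.168.1.1 dev eth0",
    "10.0.0.0/8 via 10.8.0.1 dev tun0",
    "10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5",
    "192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20",
]

if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("halves", HALVES_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(name, check_split_tunnel(table))
```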
In Wi-Fi networks, consider setting specific policy for hot-spot usage, where, in some cases, user credentials are “in the clear” over the air before a user has been authenticated to the network. For example, if users already use VPN client software on their laptops, policy could require that they continue to use the software’s encryption capabilities when connecting at a hot spot. A policy could also require that Wi-Fi’s peer-to-peer mode be disabled on certain devices carrying sensitive information or that certain users’ hard drives be encrypted.

In the case of mobile WAN data networks, depending on your degree of security needs, consider a direct link from your mobile operator’s point of presence (PoP) to your VPN service, thereby bypassing the public Internet, if such a setup is available. Also, ask what, if any, data encryption is bundled in with the service. If none is inherent to the service, you may wish to run VPN encryption software with your mobile WAN connections.

For on-premises Wi-Fi networks, there is a whole set of best practices centered around the IEEE 802.11i authentication and encryption standards. It is also considered prudent to regularly audit your Wi-Fi LAN – including checking AP configurations and monitoring over-the-air packets – to ensure that the various security mechanisms and policies that you think you have configured are, indeed, the ones being enforced. Virtual LANs (VLANs) can be used to restrict access of guests, contractors, and others to certain resources. Similarly, the wireless VoIP network can be configured to access just one device – the IP PBX – so that intruders cannot gain access to sensitive servers via Wi-Fi.
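The Wi-Fi LAN audit recommended here, comparing what is on the air with AP configurations and the 802.11i policy, as an added example that is not code from the paper; it also covers the rogue-device scanning discussed under IDS/IPS. The authorized inventory, the observed scan records, the policy values and the auth/cipher labels are all constructed assumptions about how a scanner and inventory would report them.

```python
"""Wi-Fi LAN audit: AP configuration versus 802.11i policy, plus rogue detection.

Added example, not from the paper. The authorized inventory, the "observed"
scan records and the policy are constructed. Three things are flagged: APs whose
on-air security is weaker than policy, APs on the air that are not in inventory
(rogues), and unknown APs advertising a corporate SSID, which matters most
because users may hand over credentials before authenticating."""

# Hypothetical policy: what 802.11i-compliant corporate APs must run.
POLICY = {"auth": {"WPA2-802.1X"}, "cipher": {"CCMP"}}

# Constructed authorized inventory keyed by BSSID.
INVENTORY = {
    "00:11:22:00:00:01": {"ssid": "corp", "auth": "WPA2-802.1X", "cipher": "CCMP"},
    "00:11:22:00:00:02": {"ssid": "corp", "auth": "WPA2-802.1X", "cipher": "CCMP"},
    "00:11:22:00:00:03": {"ssid": "corp-voice", "auth": "WPA-PSK", "cipher": "TKIP"},
}

# Constructed over-the-air observations (what a scanner reported).
OBSERVED = [
    {"bssid": "00:11:22:00:00:01", "ssid": "corp", "auth": "WPA2-802.1X", "cipher": "CCMP"},
    {"bssid": "00:11:22:00:00:02", "ssid": "corp", "auth": "WPA2-PSK", "cipher": "CCMP"},
    {"bssid": "00:11:22:00:00:03", "ssid": "corp-voice", "auth": "WPA-PSK", "cipher": "TKIP"},
    {"bssid": "aa:bb:cc:dd:ee:01", "ssid": "corp", "auth": "OPEN", "cipher": "NONE"},
    {"bssid": "aa:bb:cc:dd:ee:02", "ssid": "linksys", "auth": "OPEN", "cipher": "NONE"},
]

def audit(observed, inventory, policy):
    """Return a list of (bssid, finding) tuples for everything needing attention."""
    corporate_ssids = {ap["ssid"] for ap in inventory.values()}
    findings = []
    for ap in observed:
        bssid = ap["bssid"]
        known = inventory.get(bssid)
        if known is None:
            if ap["ssid"] in corporate_ssids:
                findings.append((bssid, "rogue AP advertising corporate SSID"))
            else:
                findings.append((bssid, "rogue AP"))
            continue
        # Compare what is on the air with the inventory: drift is a finding in itself.
        if ap["auth"] != known["auth"] or ap["cipher"] != known["cipher"]:
            findings.append((bssid, "on-air configuration differs from inventory"))
        # Then check what is actually broadcast against the 802.11i policy.
        if ap["auth"] not in policy["auth"] or ap["cipher"] not in policy["cipher"]:
            findings.append((bssid, f"security below policy: {ap['auth']}/{ap['cipher']}"))
    return findings

if __name__ == "__main__":
    for bssid, finding in audit(OBSERVED, INVENTORY, POLICY):
        print(f"{bssid}: {finding}")
```

The inventory-versus-on-air comparison catches an AP whose configuration was changed after deployment even when the inventory record still looks compliant.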
Wi-Fi Architectures and Scalability

Until a few years ago, all Wi-Fi networks consisted of a single, “intelligent” access point wired to a traditional Ethernet switch, with which mobile clients associated. These are still available; however, now there are other configurations, including a number of centralized-management options. These facilitate scalability as deployments grow, rather than having you configure and manage hundreds or thousands of APs one at a time. Some make use of so-called “thin APs” and controllers, whereby much of the intelligence once in the AP is now in a centralized device. Also, some of these controllers now contain automated tools for actually managing the RF air space for interference, location tracking and security infractions. Finally, mesh architectures are available to alleviate the expense and burden of running cabling from AP to switch. Mesh APs automatically form a wireless backbone when they are powered up. APs autodiscover one another and route traffic across the air amongst themselves based on best-path conditions at the moment.

Management Issues

Merging traffic from disparate access networks onto your VPN poses a number of management challenges. These can involve devices, users, software, airwaves and security policies.

Figure: Importance of Mobile Technology to Individual Job Success. Critical and Very Important: 44.1% and 31.2% (75.3% combined); Somewhat Important: 22.4%; Unimportant: 1.9%; Don’t Know: 0.4%. Source: “Communications, Mobility, and the Working World” report, Economist Intelligence Unit, Sept. 2004 (N=1500). Three-fourths of executive computer users said mobile access was either critical or very important to their job success.

Managing Multiple Operating Systems

Many handheld devices in use run mobile operating systems, such as Symbian OS™ and BlackBerry®, with which IT departments are unfamiliar. IT departments are accustomed to standardizing on a common client platform; now, a mix of laptops, handhelds, smartphones and PDAs is growing difficult to support.

You can get the devices down to a more manageable number by performing the user-classification exercise described to evaluate user needs. You can then elect to standardize on an OS for each device-type category. In the meantime, there are multivendor management software products available for mobile environments, some of which include security management, if you prefer to keep this function in-house. Some remote-access management and security services are also available.

Managing Costs

Many of the automated and centralized tools, aggregated service packages, and global client/portal options mentioned also help IT departments rein in the costs associated with running a mobile work force.

From a service-cost perspective, you can save at least 30% on services by having a structured, centralized procurement plan rather than having individual departments across the organization buy their own services, according to Mobile Competency, a Providence, R.I., consulting firm focused on enterprise mobile networking issues. Pricing plans tend to allow pools of minutes to be spread across users, rather than individuals and departments wasting minutes or running over their allotment and having to pay steep per-minute mobile WAN charges.

Often, too, it might require multiple services and carriers to attain the coverage required. Aggregators come in handy here; without one, it could be difficult to negotiate a volume pricing plan and to validate disparate bills arriving from various providers, which is a costly and time-consuming endeavor.

Risks of Not Addressing Management Issues

Finally, using centralized management architectures, multivendor management software or services, automated management tools, endpoint security systems and IDSs/IPSs helps save on both operational expenses and alleviates the costs of network degradation and downtime. Without such assistance, it is difficult to supply network coverage and remain updated with a software patch or prevent a virus from bringing a network to its knees, even for a short period. These issues have both productivity and revenue repercussions.

The hard costs associated with network degradation and downtime average $77 million annually, depending on industry, according to Infonetics Research’s January 2005 report, “The Costs of Enterprise Downtime: North American Vertical Markets.” They soar to $222 million in the financial sector. The softer costs of lost productivity and damaged reputation associated with network downtime are more difficult to calculate.

Conclusion

Expectations are high for mobility in the workplace, because employees who have LAN-like capabilities when on the road or working at home can continue to problem-solve and support colleagues from nearly anywhere.

Wireless connections are routinely embedded in laptops and handhelds upon shipment and the availability of 802.11 APs in retail stores mean wireless is in the enterprise – whether or not it is formally sanctioned. As long as you have to manage and secure wireless, you might as well benefit from it, too.

However, supporting mobile access connections brings with it a degree of responsibility and VPN integration challenges. Most of them concern remaining consistent with meeting user expectations for application performance and network availability, continuing to successfully manage and secure data – whether it resides in the network or on individual user devices – and preventing the disruptions that can be caused by infections picked up by mobile devices from the public Internet.

Wireless LANs bring a unique set of new enterprise challenges, which fortunately are growing well documented with best practices. In addition, automated wireless management, monitoring and security tools, and global client software for unifying user access from a common platform are all becoming available to ease the IT department burden. Using these same tools while taking advantage of purchasing power and aggregated connectivity and billing services can help get a handle on managing the costs of running a mobile workforce.