Using The Internet As A WAN Link? Use A VPN.

Stable and secure Windows Networking depends upon properly designed, routed, subnets. IP routing was designed to make Local Area Networks connect, yet still observe geographical relationships. Using routers between LANs allows localisation of some domain services (browsing, name resolution), but wide spread availability of others.

When you route IP connectivity thru wiring that you own and control, all connected LANs are as safe as any of those LANs. Threats on the outside (Internet) stay on the outside.

What if you have 2 LANs, distant from each other, and can’t justify the expense (initial or ongoing) of a leased or owned communication line? If both LANs have Internet access, you can still connect them, just use the Internet as the WAN link.

But wait! I hope you know how dangerous the Internet can be. It’s bad enough when accessing it as clients. Plain old web browsing is bad enough, how about running a server on the Internet? OK, how about running all of the computers on your LANs thru the Internet? Why not hold up a $100 bill, and stroll thru Times Square in New York City? See if you get anywhere alive.

But you can connect your LANs thru the Internet, if you design the connection properly. A controlled, encrypted tunnel between your LANs, using routers that support a Virtual Private Network (aka VPN) will do this fine.

A VPN will be a lot easier to setup, and more stable and secure, when properly planned.

Each LAN Is Addressed By Its WAN Address.
The VPN routers setup static tunnels between each other. Setting up a VPN router requires identifying the other router(s). If you can’t provide a fixed IP address for each router, you’ll have to use a domain name, registered with a dynamic DNS service like DynDNS, TZO, or the like.

Hardware Compatibilty Is A Must.
There are various conventions and standards for establishing, and conducting, authentication and encryption in a VPN. Each router manufacturer will likely have some variation, however small. The easiest, and most stable, VPNs will use router hardware of the same make, model, and firmware level.

LAN Subnets Must Be Unique.
A VPN provides a routed connection between LANs. In order for routing to work best, you have to have different subnets on each LAN. When you setup a VPN between LANs that were setup before being connected, you may have some LANs using the same subnet. You can’t have stable LANs, each having the same subnet, connected by a router.

Use DNS For Reliable Name Resolution.
On most small LANs, you’ll use broadcasts for name resolution. Broadcasts aren’t routable; each IP subnet is, by definition, a broadcast domain. If you want computers on one subnet to access computers on another (which is, presumably, why you’re setting up a VPN), you’ll want to use computer names, not IP addresses. DNS based name resolution is the only way to go, for anything more complex than a single local cluster of computers.

Use Domains, Not Workgroups.
If you use Network Neighbourhood to identify and access other computers, you’ll need browsing to work between the subnets connected thru the VPN. A properly designed domain structure will make browsing work much better.

Connectivity Between And LAN And The Internet Can Affect Its Connection With The Others.
A VPN connection between any two LANs requires Internet access by both. If one LAN has a dual WAN business class DSL service, and the other has residential class dialup, how secure and stable will that VPN be?

Security On Any LAN Can Affect The Others.
VPNs are used to connect geographically separate LANs, and imply some degree of trust between those LANs. The computers on any LAN, connected to a VPN, are only as secure as the computers on the LAN with the weakest security policies. Review, and synchronise security policies before setting up a VPN.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: