Site-to-Site VPN networks
We get calls all the time from companies that want to set up a site-to-site network securely over the Internet. Oftentimes they are replacing antiquated, super-expensive dedicated service from the phone company (T1 lines, ISDN, etc). There are a number of issues with site-to-site networking that need to be considered.
First, any site-to-site network has to be secure. It would be better to have a non-working site-to-site network than an insecure one. Virtually every company has some sort of sensitive data that they don’t want exposed to prying eyes, from payroll data to customer lists and so on. It turns out that the security requirements for a solid site-to-site implementation are very similar to the requirements for a good remote access VPN: data privacy through strong encryption, authentication of both ends of the connection to each other, and active monitoring of the connection.
The next most important aspect of a site-to-site network is getting (and keeping) it working. Setup of site-to-site VPN connections is traditionally a job for network ninjas only, due to the vast array of choices and the myriad technical details that must be addressed during configuration. Network elements like NATs and firewalls tend to get in the way, as well. And with traditional site-to-site links (implemented using IPSec), having even one mismatched parameter at either end will prevent the connection from coming up.
Maintenance is also an issue. There is a well-known problem in site-to-site networking called the n-squared problem. It means that as the number of sites grows, the number of links you have to maintain between sites tends to grow quadratically. Here’s an example, based on IPSec: if you have two sites, you have 2 sets of configurations (one at each end). If you have 3 sites, you have 6 configurations (each router connecting to each other router). By the time you have 5 sites, you have 20 configurations, and if you’re unlucky enough to have 10 sites, you are at 90. A 100-site enterprise needs 9,900 router configurations to bring up all of its tunnels! Every time you add a site to the network, you have to touch every other site, and just setting up monitoring software to make sure the network is always working is a task in itself.
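To make the two preceding points concrete (the n-squared count, and the fact that a single mismatched parameter keeps a tunnel down), here is a small added example. It is not code from this post or from Positive’s product; the data model is hypothetical (each site holds one tunnel definition per peer, keyed by (local, peer)), and the parameter names are an illustrative subset of what real IKE/IPsec proposals negotiate.

```python
"""Added example (not from the original post or from Positive's product):
a tiny inventory and consistency check for a full mesh of IPsec tunnels.

Hypothetical data model: each site holds one tunnel definition per peer,
keyed (local, peer), and a tunnel only comes up when the definitions at
both ends agree on every negotiated parameter.
"""
from itertools import combinations, permutations

# Parameters both ends must agree on for the tunnel to come up.  Illustrative
# subset; real IKE/IPsec proposals carry more fields than this.
NEGOTIATED = ("ike_version", "encryption", "integrity", "dh_group", "ipsec_lifetime")


def tunnel_count(n):
    """Tunnel definitions a full mesh of n sites needs: n * (n - 1).

    Each router holds one definition per other router, so the count is
    quadratic: 2 sites -> 2, 3 -> 6, 5 -> 20, 10 -> 90, 100 -> 9900.
    """
    return n * (n - 1)


def full_mesh_tunnels(sites):
    """Every (local, peer) definition a full mesh of `sites` needs."""
    return list(permutations(sites, 2))


def definitions_added_by_new_site(existing_sites):
    """New definitions needed when one site joins: one at every existing
    site (each of them must be touched) plus one per existing site at the
    newcomer."""
    return 2 * len(existing_sites)


def find_mismatches(configs):
    """Explain why tunnels in `configs` ({(local, peer): {param: value}})
    cannot come up.

    Returns a list of (site_a, site_b, problem) tuples ordered by site pair,
    one per missing definition or per parameter the two ends define
    differently.  An empty list means every tunnel is consistent.
    """
    sites = sorted({site for pair in configs for site in pair})
    problems = []
    for a, b in combinations(sites, 2):
        side_a, side_b = configs.get((a, b)), configs.get((b, a))
        if side_a is None or side_b is None:
            missing_at = a if side_a is None else b
            problems.append((a, b, f"no definition for this tunnel at {missing_at}"))
            continue
        for param in NEGOTIATED:
            va, vb = side_a.get(param), side_b.get(param)
            if va != vb:
                problems.append((a, b, f"{param}: {a}={va!r} {b}={vb!r}"))
    return problems


def proposal(**overrides):
    """Baseline tunnel definition for the constructed sample, with overrides."""
    base = {"ike_version": 2, "encryption": "aes256", "integrity": "sha256",
            "dh_group": 14, "ipsec_lifetime": 3600}
    base.update(overrides)
    return base


# Constructed sample: three sites.  HQ<->BR1 is consistent; BR2 was set up
# with a different DH group and lifetime towards HQ; and BR2 was never
# touched when BR1 was added, so BR1's tunnel to BR2 has no partner definition.
SAMPLE_CONFIGS = {
    ("HQ", "BR1"): proposal(),
    ("BR1", "HQ"): proposal(),
    ("HQ", "BR2"): proposal(),
    ("BR2", "HQ"): proposal(dh_group=2, ipsec_lifetime=28800),
    ("BR1", "BR2"): proposal(),
}


if __name__ == "__main__":
    for n in (2, 3, 5, 10, 100):
        print(f"{n:>3} sites: {tunnel_count(n):>5} tunnel definitions")
    print("adding a 6th site to 5 means",
          definitions_added_by_new_site(range(5)), "new definitions")
    for a, b, problem in find_mismatches(SAMPLE_CONFIGS):
        print(f"{a} <-> {b}: {problem}")
```

Run as-is, the script prints the quadratic growth table from the paragraph above and then three findings for the sample: a tunnel defined at only one end, and two parameters (DH group and IPsec lifetime) that HQ and BR2 disagree on. A check like this, run against exported configurations before a change window, catches the single mismatched parameter that would otherwise only show up as a tunnel that never comes up.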
The last of the big issues I’m going to touch on today is performance. Site-to-site networks have even higher performance requirements than traditional remote access VPN connections, because an entire office of people is depending on the link instead of a single remote worker. Performance tuning of site-to-site VPN tunnels is a bit of an art, and it depends on the precise characteristics of the underlying network links. Sometimes adjustments to the applications themselves can be made to improve their performance, and sometimes network architecture changes can be implemented to work around slow links. In any case, having a highly tuned tunnel system is critical for a successful site-to-site deployment.
Of course, my favorite solution is to bring in Positive’s engineering team to handle all of these problems for you. Positive’s system was architected from the ground up to handle the security, scalability, manageability, and performance issues that are inherent in site-to-site networks. If you have questions about your own site-to-site situation, feel free to leave a comment or to give us a call.
February 25th, 2007 at 9:58 am
I disagree. The cost of using T1 connections is hardly noticeable compared to its benefits of a super fast internet connection and security to match. Although in perspective to Site-to-Site VPN networks, T1 connections are relatively expensive, in the end the benefits outweigh the costs.
T1 Service
February 25th, 2007 at 9:50 pm
Hi Fred,
A full mesh of T1 lines is really expensive; you’d have to post numbers if you want to disagree on that point. It’s usually slower than alternatives, too, but of course that depends on geography, etc. It requires a network engineer to set up and manage. It requires static routing (hard to maintain) or dynamic routing (needs an engineer). It requires lots of hardware (what do CSU/DSUs cost these days?). It usually requires a complex relationship with a telephone company.
I am going to go out on a limb and presume you’re not talking about a literal full-mesh site-to-site T1 network, because that would be nuts. If you’re talking about a frame-relay network, well, you have all of the problems of the T1 network with a somewhat scaled-back price, but it still can’t touch a VPN solution on cost (to say nothing of maintainability, scalability, etc.)
T1 lines are a perfectly reasonable (although increasingly, pretty slow) way to get Internet access, but as a private site-to-site network solution, they’re a pretty bad solution.
-Steve
May 12th, 2008 at 8:24 am
“I disagree. The cost of using T1 connections is hardly noticeable compared to its benefits of a super fast internet connection and security to match. Although in perspective to Site-to-Site VPN networks, T1 connections are relatively expensive, in the end the benefits outweigh the costs.” - LOL !