How to build a Computer Network for a small business

MarthaKelly,Mexico,Researcher
Published Date:12-07-2017
Degree Project
Computer network for a company with remote branch offices
Desislav Ivanov
2010-10-19
Subject: Computer Systems and Technologies
Level: Bachelor
Course code: 2DV00E
School of Mathematics and Systems Engineering
Reports from MSI

Computer network for a company with remote branch offices
Desislav Pavlov Ivanov

Abstract
The purpose of this project was to design a network for a company with remote branch offices. The author is interested in network architectures and wished to gain a better knowledge of remote networks. A comparative method was used in this project: information was collected and analyzed, and choices were made between candidate network design solutions according to the goal of the project. Designing a reliable, scalable, and secure network is a complex task that requires knowledge and experience across the wide area of computer networking, including network device configuration, network types, routing protocols, potential security threats, and much more. In this project the main approaches to network design are covered, and some of them are demonstrated. A demonstration network was built with the Graphic Network Simulator (GNS) software, which simulates network devices.

Keywords: network design, corporate network, network architecture, remote networks, branch network, enterprise network branch, branch architecture, remote access

Contents
1 Introduction
  1.1 Problem Definition
  1.2 Motivation
  1.3 Method
  1.4 Restrictions
  1.5 Structure of report
2 Theory
  2.1 Company computer network with branches
    2.1.1 Network Infrastructure and Architecture
    2.1.2 Services
    2.1.3 Communication and integration
    2.1.4 Authentication
    2.1.5 Management
    2.1.6 Security
    2.1.7 Solutions and examples
  2.2 Methodological aspects of the design
    2.2.1 Top-down and bottom-up design approaches
    2.2.2 Modular design
    2.2.3 Prepare, Plan, Design, Implement, Operate, Optimize (PPDIOO) Network Lifecycle Approach
  2.3 Conclusion, Aims and Purposes
3 Designing
  3.1 Company network with remote branch offices architecture, services and communication
    3.1.1 Architecture
    3.1.2 Services
    3.1.3 Branch office connectivity, communication, and integration
    3.1.4 Designing the enterprise Internet edge topology
  3.2 Organizing the remote branch offices
  3.3 Analysis, evaluation and testing of the solution
  Results
4 Discussion on results
  4.1 Conclusion
  4.2 Recommendations
  4.3 Future work
References
Appendix A: Network documents and decisions
Appendix B: Test results

List of abbreviations
• LAN – Local Area Network
• MAN – Metropolitan Area Network
• WAN – Wide Area Network
• PSTN – Public Switched Telephone Network
• DHCP – Dynamic Host Configuration Protocol
• DNS – Domain Name System
• AMANDA – Advanced Maryland Automatic Network Disk Archiver
• ZRM – Zmanda Recovery Manager
• LRS – Mandriva Linbox Rescue Server
• VPN – Virtual Private Network
• IPsec – Internet Protocol Security
• SSL – Secure Sockets Layer
• L2TP – Layer 2 Tunneling Protocol
• PPTP – Point to Point Tunneling Protocol
• OSI – Open System Interconnection
• IP – Internet Protocol
• IOS – Internetwork Operating System
• PIX – Private Internet eXchange
• ASA – Adaptive Security Appliance
• TCP – Transmission Control Protocol
• UDP – User Datagram Protocol
• POP – Post Office Protocol
• SSH – Secure Shell
• PAP – Password Authentication Protocol
• CHAP – Challenge-Handshake Authentication Protocol
• MS-CHAP – Microsoft CHAP
• MPPE – Microsoft Point-to-Point Encryption
• NAT – Network Address Translation
• PPP – Point to Point Protocol
• GRE – Generic Routing Encapsulation
• RADIUS – Remote Authentication Dial In User Service
• AAA – Authentication, Authorization and Accounting
• SNMP – Simple Network Management Protocol
• DoS – Denial of Service
• ACL – Access Control List
• DMZ – Demilitarized Zone
• VoIP – Voice over IP
• ISP – Internet Service Provider
• PPPoE – Point to Point Protocol over Ethernet
• IPS – Intrusion Prevention System
• NAC – Network Admission Control
• VLAN – Virtual LAN
• QoS – Quality of Service
• ATM – Asynchronous Transfer Mode
• PPDIOO – Prepare, Plan, Design, Implement, Operate, and Optimize
• SLA – Service Level Agreement
• ISR – (Cisco's) Integrated Services Router

List of figures and tables
Figures:
Figure 2.1 Access/Distribution/Core model
Figure 2.2 Sample corporate network based on Access/Distribution/Core model
Figure 2.3 Different size branch offices
Figure 2.4 Typical Enterprise topology
Figure 2.5 Detailed Typical Enterprise Architecture
Figure 2.6 WAN Connectivity Options
Figure 2.7 WAN aggregation topology
Figure 2.8 Performance metrics associated with the ISR series routers
Figure 2.9 VPN device placed parallel to a firewall
Figure 2.10 VPN device placed in the DMZ zone
Figure 2.11 Integrated VPN and firewall device
Figure 2.12 IPsec Phases in Cisco Devices
Figure 2.13 SSL VPN Connection
Figure 2.14 L2TP over IPsec Negotiations
Figure 2.15 PPTP Connection Negotiations
Figure 2.16 Access management in an enterprise using RADIUS
Figure 2.17 Configuration Mechanisms for Network Management
Figure 2.18 Traffic Flows for In-Band Management
Figure 2.19 Traffic Flows for Out-of-Band Management
Figure 2.20 A Combination of In-Band and Out-of-Band Management Traffic Flows
Figure 2.21 Hierarchical Management Separates Management into Distinct Functions
Figure 2.22 Single firewall DMZ Architecture
Figure 2.23 Dual firewall DMZ Architecture
Figure 2.24 ISR Small Branch Office Deployment
Figure 2.25 Corporate branch offices
Figure 2.26 New York branch office
Figure 2.27 PPDIOO Network Lifecycle Approach
Figure 2.28 Identifying Customer Requirements
Figure 3.1 Remote Access Infrastructure
Figure 3.2 Placing the Remote Access Firewalls
Figure 3.3 Border routers' Internet connectivity
Figure 3.4 Cisco ASR 1000 Services
Figure 3.5 Cisco ASR routing positioning
Figure 3.6 Campus network
Figure 3.7 Campus network - DMZ and Internet edge
Figure 3.8 Campus network - Remote access VPN cluster
Figure 3.9 Branch Office Architecture
Figure 3.10 HSRP Testing Environment
Figure 3.11 Turning off HSRP Active router BR1
Figure 3.12 VPN test topology

Tables:
Table 2.1 Feature Requirements for WAN Aggregation Role
Table 2.2 Feature Requirements for WAN Aggregation Role (Cont.)
Table 2.3 SLA Requirements
Table 2.4 Details for Securing WAN traffic
Table 2.5 Remote Access VPN Technologies Summary
Table 3.1 Cisco ASR 1000 series models
Table 3.2 Cisco ASA 5500 Series Model Comparison
Table 3.3 Private WAN vs. Site-to-site VPN
Table 3.4 Cisco ISR Series Comparison
Table 3.5 ASA and ISR performance assessment

1 Introduction
Computer networks nowadays play a very significant role in business. It is critical for a business to use the latest available technologies, because they provide enhanced security, increased storage capacity, high data transfer rates, real-time voice and video, and much more.
Such benefits are strongly needed by a growing company or a large enterprise. As a company grows it needs authorized representatives at different locations, which are usually spread over large geographical areas. The best solution is to invest in a branch office at each needed location. This is a very common scenario for companies developing software solutions: they either expand to a new location closer to potential customers or acquire a small company with similar activities. Either way, the headquarters office needs a reliable, secure, and fast connection to the offices at the remote locations.

The project is focused on the connection between the main office and the remote offices – branch offices, home workers, and mobile workers. In the first part of the project some different options for communication between the corporate network and the remote networks are reviewed. In the second part, one of these options is chosen.

1.1 Problem Definition
The final goal of this project is to show a design of a corporate computer communication network with a branched network of affiliates. The requirement on our solution is that the branched network of affiliates could be extended regionally, internationally or worldwide, with the focus on the remote branch network implementation.

1.2 Motivation
The motivation behind this project is based on some previous knowledge and experience in networking, network protocols, and the configuration of Cisco network devices. What we hope to achieve at the end of the project is to improve our network design skills by doing research in that area and to use the gathered knowledge for designing a network that will solve the problem.

1.3 Method
We used a comparative method in this project. In Chapter 2 we collect information about the network architectures of enterprises with remote branches and present different approaches. In Chapter 3 we analyze the collected solutions, compare them and decide which one to use for the goal of this project.

1.4 Restrictions
Because of the background knowledge and experience we have with Cisco, and because Cisco is one of the biggest solution providers in networking (Juniper is another big network solution provider) and offers a wide range of network solutions (from small/home office to complex corporate solutions), the project is based on Cisco strategies, advice, and equipment. Network design in general is a very wide area, and designing a corporate network with branches is a complex task to accomplish. For this project it would be practically infeasible to analyze every single aspect of the network design for a large-scale company in detail. The project focuses on the remote networks as branch offices, with details of the functions, services, communication, integration, structure etc., against the background of a corporate network. From the side of the corporate network, only the network elements needed for the remote access networks to operate will be discussed.

1.5 Structure of report
This report is organized into four chapters. In Chapter 1 the main goals of the project are pointed out. In Chapter 2 the main theoretical aspects of the work are discussed. It covers enterprise network architecture, remote branch network solutions, security, communication, and in the last section shows some sample network topologies. Chapter 3 is focused on designing a network solution for the goal of this project. An enterprise campus network topology is suggested, as well as a solution topology for the branch offices. Chapter 4 is a summary of the work. Recommendations and conclusions are made and possible future work on the problem is suggested.

2 Theory
This chapter covers the basic theoretical knowledge that will be needed in the designing process. The chapter is divided into four main sections.
Section 2.1 contains information about a company computer network with branches – architecture, services, communication and integration; section 2.2 discusses the methodological aspects of design – the advice and steps we should follow when designing a network; and section 2.3 presents conclusions, aims and purposes.

2.1 Company computer network with branches

2.1.1 Network Infrastructure and Architecture
In the development of our network there are several architectural models we can use as a starting point, either as the foundation of the network or to build upon an existing network. We will discuss three types of architectural models:
o Topological models, which are often used as a starting point in the development of a network. These models are based on the geographical or topological arrangement of network devices.
o Flow-based models, which focus on and take advantage of particular traffic flows.
o Functional models – these models are based on one or more functions or features planned for in the network.
Usually the network is built using more than one of the architectural models.

Topological models
The Access/Distribution/Core and LAN/MAN/WAN models are the most commonly used. We can use them because they are simple and intuitive, and they are based on geographical and/or topological separation of networks. They also indicate the degree of hierarchy planned for the network (shown in Figure 2.1). If we need to, we can leave out some levels of the models, or if we need more we can expand them to show as many as we need. For example, we can use only LAN/WAN from the model as we assign campuses, buildings, or even floors to the LAN. The Access/Distribution/Core model, however, focuses on function instead of location. Both the LAN/MAN/WAN and Access/Distribution/Core models are used as starting points in the network architecture, as both are intuitive and easy to apply. They can be restrictive, however, in that they place strict boundaries between areas.

Figure 2.1 Access/Distribution/Core model [9]

Figure 2.2 shows a sample corporate network based on this topological model. The different layers can be clearly seen in the figure.

Figure 2.2 Sample corporate network based on Access/Distribution/Core model [9]

Flow-based models
The flow-based models we will discuss are peer-to-peer, client–server, hierarchical client–server, and distributed computing.
o Peer-to-peer – the users and applications in this model are consistent throughout the network, and there are no obvious locations for architectural features. This pushes the functions, features, and services toward the edge of the network, close to users and their devices.
o Client–server – functions, features, and services are focused at server locations, the interfaces to client LANs, and client–server flows. The characteristics of the client–server model also apply to the hierarchical client–server architectural model. In addition to the functions, features, and services being focused at server locations and client–server flows, they are also focused at the server–server flows.
o Distributed computing – in this model the data sources and sinks are obvious locations for architectural features.
Flow-based models, like the topological models, are intuitive and can be easy to apply. Since they are associated with flows, they should map well to any flow maps we created as part of the requirements analysis process. These models are fairly general, and they have to be modified to fit the specific requirements of a network.

Functional models
These models focus on supporting a particular function in the network, such as the service-provider, intranet/extranet, single-/multi-tiered performance, and end-to-end models.
o The service-provider architectural model is based on service-provider functions, focusing on privacy and security, service delivery to customers (users), and billing. Many enterprise networks are evolving to this model, applying it across organizations, departments, and buildings.
o The intranet/extranet architectural model focuses on security and privacy, including the separation of users, devices, and applications based on secure access.
o The single-/multi-tiered performance architectural model focuses on identifying networks or parts of a network as having a single tier of performance, multiple tiers of performance, or components of both.
o The end-to-end architectural model focuses on all components in the end-to-end path of a traffic flow.
Functional models are the most difficult to apply to a network, because we must understand where each function will be located. For example, to apply the end-to-end model we first have to define where end-to-end is for each set of users, applications, or devices that will be part of it. An advantage of using such models is that they are likely to be the most closely related to the requirements for the network.

Basic concepts of remote access networks
A remote access network also has some basic components. At the topological level, a remote access network consists of three network segments:
o The user's network is the point of origin of access requests. It can be a branch office network, or a home office consisting of a personal computer (PC) equipped with a modem.
o The corporate network is the destination of the user's traffic.
o The wide area network (WAN) enables the user to access the corporate network. The WAN covers a large geographical area and can be a public switched telephone network (PSTN), the Internet, or a private data network. It provides the switching and/or routing function required to get a remote connection from the user's network to the corporate network.
Figure 2.3 shows different size branch offices as they connect to the enterprise and to the Internet.
Figure 2.3 Different size branch offices [20]

We have labeled them as small, medium and large, but this is a bit subjective. As the size of a branch increases, the number of routers (connections) increases, and the number of issues we have to consider increases as well. Either way, the figure gives us a clue to the two main implementation challenges we face in the branch design. First we must provide the features needed for interaction with hosts on the public Internet, and second we must provide secure communication with the enterprise hosts. For the first category we should consider the details of Internet access; for example, we should make DSL, cable, or any other type of connection work. In the second category we must focus on options that allow an enterprise to prevent packets from being read by attackers while they traverse the Internet. One such option is a VPN, as it allows the enterprise to trust packets coming from a legitimate branch office.

From the side of the enterprise the architecture may look like the one shown in Figure 2.4. However, we could evolve this topology by dividing it into modules – data centers, campus, and WAN (MAN) as part of the enterprise edge. Below we discuss in more detail the modules that are interesting for this project.

Figure 2.4 Typical Enterprise topology [21]

The WAN and MAN module enables our enterprise to efficiently span distant locations. QoS, service level agreements, and encompassing encryption help us ensure the security of high-definition video, voice, and data services. With this module we enable employees to work efficiently wherever they are located. VPNs over Layer 2 and Layer 3 WAN, in hub-and-spoke or full-mesh topologies, are used to provide the needed security.

For the enterprise branch module we can use the Cisco ISR (Integrated Services Router) as the border router at the branch locations. The ISR provides secure access to voice and video applications and mission-critical data. It also supports features like advanced network routing, redundant WAN links, VPNs, and local IP telephony call processing. The enterprise supports monitoring, management and configuration of the devices used at the remote offices.

The teleworkers module allows us to securely deliver data services to small office/home office (SOHO) locations. This also provides the enterprise workers with a flexible work environment. By using centralized management and integrated security we minimize the support cost and mitigate the security challenges of the SOHO. Teleworkers gain access to authorized applications and services by logging in to a secure always-on VPN.

Figure 2.5 Detailed Typical Enterprise Architecture [21]

Figure 2.5 shows a more specific enterprise architecture. We use it as a reference for a typical enterprise topology in which some of the chosen solutions are revealed. As we can see, the architecture is based on the Access/Distribution/Core topology. The chosen WAN technology is Frame Relay (FR). FR is a packet-switched WAN technology which is still in use in many enterprises. Nowadays, however, the increasingly used WAN technology is Multiprotocol Label Switching (MPLS). Service providers deploy it very often as an economical technology for carrying both circuit-switched and packet-switched network traffic, and MPLS can also operate over existing infrastructure (for example FR, ATM, IP, and Ethernet). Whereas FR is considered a Layer 2 technology, MPLS is considered a Layer 2.5 technology because it sits between Layer 2 and Layer 3. The figure also reveals part of the equipment needed for the branch office implementation. In the section with examples we will show a more detailed topology for branch offices.

2.1.2 Services
Services are typically installed on one or more network servers to provide shared resources to end users. In the section below we point out the network services that are applied in almost every network implementation.
Standard system services
On a corporate network we usually use the following services:
o DHCP (Dynamic Host Configuration Protocol)
o DNS (Domain Name System)
o File sharing
o Authentication
o E-mail
o Printing
E-mail, printing and file sharing services require users to have permissions to access them – security and access rights need to be configured. This is usually done easily by using a directory service, which is also a network service. Voice and video are also very important services for business nowadays. We have to make sure to build a network that supports both voice and video with minimized jitter and delay.

Backup services
There are also services for backup management, disaster recovery and monitoring tools. Doing backups is critical for companies and we must not forget it. There are many ways we can create backups. We can make backups daily, weekly, or monthly; it depends on the particular company's policies. Some of the methods for backups include the following:
o Recording critical business data to CDs/DVDs, flash memory, memory sticks, and other media, and storing them in a secure storage place such as a safe with restricted access.
o Using a software-based product to perform the backup and store the data in a restricted-access area on a file server, FTP server, or a network storage device.
o If the backup is for a remote user or a remote branch office, they could also send the backup to the corporate network via a secure connection, where it will be stored on protected media.
If cost is more of a concern in selecting a backup solution, our company should implement open source solutions. One of the most commonly used open source software products for doing backups is the Advanced Maryland Automatic Network Disk Archiver (AMANDA); among disaster recovery open source software products the most often used are Zmanda Recovery Manager (ZRM), Mandriva Linbox Rescue Server (LRS), and Bacula. Each one of them provides us the ability to create and control backups and to restore the desired system. Nevertheless, we will not discuss the network services used by enterprises in detail, because they are not the primary focus of this project.

2.1.3 Communication and integration
An enterprise core network connects to the remote branch networks via a WAN. We can choose from many existing options today for building the private WAN of an enterprise. These options include leased lines, Frame Relay, MPLS VPNs, and Metro Ethernet. Although each differs in some way from the others, they all have a common characteristic – they provide us with an inherently private path over which two of our enterprise routers can communicate with each other. If we are looking for a cheaper solution or just do not want to implement a costly private WAN, we can select a site-to-site VPN for interconnecting the enterprise network and the remote branch networks. The security in a site-to-site VPN is provided by using IPsec and GRE. In the following sections we examine private WANs and site-to-site VPNs in more detail.

Private WAN
We can use private WANs to connect and aggregate all of the corporate branches into the headend (or WAN core) router. On the side facing the WAN cloud, the router interfaces support various physical transport methods, as shown in Figure 2.6. On the side facing the campus core, Gigabit Ethernet (GE) or 10 Gigabit Ethernet (10 GigE) is typically implemented for traffic between the campus core switches and the WAN.

Figure 2.6 WAN Connectivity Options [19]

We should also consider Metro Ethernet as the main method for aggregating sites located in a given geographical area. It also scales very well with plain Gigabit Ethernet and 10 Gigabit Ethernet, and is expected to scale even further with the fairly new P802.3ba standards for 40 and 100 Gbps.
Figure 2.7 WAN aggregation topology [19]

The most common way of interfacing with the WAN cloud is leased lines. Nowadays Ethernet is more often the preferred solution, and it is replacing the costly leased lines. Usually the functions of IPsec tunnel termination and firewalling are not deployed on the WAN edge router; the classical hub-and-spoke design with traditional Layer 2 connectivity is used instead. Figure 2.7 shows a basic private WAN topology with branch aggregation.

In order to choose a router to serve as the WAN aggregation platform we must outline the basic requirements for the features it needs to support (shown in Table 2.1 and Table 2.2). Based on how large the branch concentration is, we may think about scale and performance for these services. It is good practice to choose a platform with separate control, data, and input/output planes.

Table 2.1 Feature Requirements for WAN Aggregation Role [19]
Table 2.2 Feature Requirements for WAN Aggregation Role (Cont.) [19]

We will also have to establish SLAs (Service Level Agreements). Table 2.3 outlines the typical SLA requirements for a converged WAN for voice, video, and the types of data traffic we should meet.

Table 2.3 SLA Requirements [19]

We must also not forget the security of the WAN. Traditional WANs (for example those based on Frame Relay) are assumed to be inherently secure, but this is not completely true, because SPs (service providers) use shared physical infrastructure to carry this traffic.

Table 2.4 Details for Securing WAN traffic [19]

We can choose to use MPLS VPN, in which the traffic is isolated by Virtual Routing/Forwarding (VRF) labels and instances. But MPLS still shares the same physical infrastructure when passing through the SP cloud. A common practice that we can also follow is to add encryption to achieve confidentiality. Table 2.4 shows the commonly used technologies to secure WAN traffic. We must note that in most cases the transport medium for secure connectivity is the public Internet.
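The SLA requirements of Table 2.3 are design targets; once the WAN is in operation they have to be verified against measurements. The following Python script is an added example, not code from the thesis: it evaluates a constructed run of probe packets against per-class delay, jitter and loss targets, using the RFC 3550 interarrival-jitter estimator. The SLA_TARGETS values are assumed illustrative numbers (the report's own Table 2.3 figures are not reproduced on this page), and the Probe record, function names and the sample run are the example's own.

```python
"""SLA compliance check for converged-WAN probe traffic (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed per-class targets (not the report's figures): max mean one-way
# delay in ms, max interarrival jitter in ms, max packet loss in percent.
SLA_TARGETS: Dict[str, Dict[str, float]] = {
    "voice": {"delay_ms": 150.0, "jitter_ms": 30.0, "loss_pct": 1.0},
    "video": {"delay_ms": 200.0, "jitter_ms": 50.0, "loss_pct": 1.0},
    "data": {"delay_ms": 400.0, "jitter_ms": 100.0, "loss_pct": 2.0},
}


@dataclass
class Probe:
    """One timestamped probe; recv_ms is None when the probe never arrived."""
    seq: int
    sent_ms: float
    recv_ms: Optional[float]


def interarrival_jitter(probes: List[Probe]) -> float:
    """RFC 3550 smoothed jitter (ms) over the probes that were received."""
    received = [p for p in probes if p.recv_ms is not None]
    jitter = 0.0
    for prev, cur in zip(received, received[1:]):
        # D(i-1, i): change in transit time between consecutive arrivals
        d = abs((cur.recv_ms - cur.sent_ms) - (prev.recv_ms - prev.sent_ms))
        jitter += (d - jitter) / 16.0  # exponential smoothing with gain 1/16
    return jitter


def summarize(probes: List[Probe]) -> Dict[str, float]:
    """Mean one-way delay, jitter and loss for one probe run."""
    received = [p for p in probes if p.recv_ms is not None]
    if not received:
        # Total outage: delay is unbounded and every probe was lost.
        return {"delay_ms": float("inf"), "jitter_ms": 0.0, "loss_pct": 100.0}
    mean_delay = sum(p.recv_ms - p.sent_ms for p in received) / len(received)
    loss_pct = 100.0 * (len(probes) - len(received)) / len(probes)
    return {
        "delay_ms": mean_delay,
        "jitter_ms": interarrival_jitter(probes),
        "loss_pct": loss_pct,
    }


def check_sla(probes: List[Probe], traffic_class: str) -> Tuple[Dict[str, float], List[str]]:
    """Return the measured metrics and the names of the targets they breach."""
    metrics = summarize(probes)
    targets = SLA_TARGETS[traffic_class]
    violations = [name for name, limit in targets.items() if metrics[name] > limit]
    return metrics, violations


# Constructed sample: voice probes sent every 20 ms across the WAN.
# Transit times hover around 40 ms, probe 3 is lost, probe 4 shows a 60 ms spike.
VOICE_RUN = [
    Probe(0, 0.0, 40.0),
    Probe(1, 20.0, 61.0),
    Probe(2, 40.0, 79.0),
    Probe(3, 60.0, None),
    Probe(4, 80.0, 140.0),
    Probe(5, 100.0, 141.0),
]

if __name__ == "__main__":
    metrics, violations = check_sla(VOICE_RUN, "voice")
    print(metrics)
    print("SLA breached on:", violations or "nothing")
```

On the constructed run the delay (44.2 ms) and jitter (about 2.6 ms) are within the assumed voice targets, but one lost probe in six is a 16.7 % loss and is reported as the only violation; an all-lost run is reported as breaching both the delay and the loss targets.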
Site-to-Site VPN

As an alternative to a private WAN infrastructure, we might use site-to-site VPNs to connect the branch offices. We place the same requirements on VPNs as on the WAN, including high reliability, scalability, and support for multiple protocols, but we meet these requirements in a cost-effective manner and with greater flexibility. Site-to-site VPNs use the public Internet or service provider IP networks as the transport technology, applying tunneling and encryption to achieve data privacy. We can use site-to-site VPNs to replace a costly WAN service, or we can use them for backup and recovery in case of disaster:

o WAN Replacement

IPsec is able to provide a cost-effective replacement for WAN infrastructure. We would pay less for a relatively high-bandwidth IP connection than for existing or upgraded WAN circuits. We can use IPsec VPNs to connect the remote branches, teleworkers, and mobile users to the main resources in the campus network. A site-to-site VPN has four key components:

• Headend VPN device – serves as the VPN headend termination device at the central campus
• VPN access device – serves as the VPN branch-end termination device at the branch office locations
• IPsec and GRE (Generic Routing Encapsulation) tunnels – interconnect the headend and branch-end devices in the VPN
• Internet services from ISPs – serve as the WAN interconnection medium

o WAN Backup

We can also use IPsec VPNs for backing up an operating WAN. In that case, when the primary network connection is malfunctioning, our branch offices can rely on Internet VPN connectivity while the primary connection is repaired. Using an IPsec VPN over a high-speed ISP connection, broadband cable, or DSL access can provide us with a cost-effective secondary connection to remote offices. The maximum speed at which an IPsec VPN can operate is determined by the physical interface connection speeds of both the corporate and branch routers, because usually an IPsec VPN connection does not have a bandwidth associated with it.
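The following is an added example, not a configuration from this thesis or its demonstration network. It shows, in Cisco IOS syntax, the branch-end side of the GRE over IPsec tunnel described above (the "encryption for confidentiality" practice from the WAN security discussion and the four VPN components listed under WAN Replacement), together with the WAN Backup case: the private WAN circuit stays the primary path, and a floating static route over the tunnel takes over when an IP SLA probe to the provider-side address fails. All addresses (RFC 5737 documentation ranges), interface names, the campus prefix 10.10.0.0/16 and the pre-shared key placeholder are assumptions; the headend router carries the mirror-image configuration with the tunnel source and destination swapped.

```cisco
! Added example (not from the thesis). Branch router: GRE over IPsec to the
! headend, used as backup for the private WAN circuit on Serial0/0/0.
! Assumed addressing: ISP-facing Gi0/0 203.0.113.2/30 (ISP gateway 203.0.113.1),
! headend public address 198.51.100.1, private WAN provider-side 192.0.2.1.
!
! --- IKEv1 phase 1: peer authentication and key exchange ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Placeholder; replace with a long random key that matches the headend.
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.1
!
! --- IPsec phase 2: transport mode is enough because GRE adds the outer IP
! header, which keeps the packet smaller than tunnel mode would.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile GRE-PROTECT
 set transform-set GRE-TS
!
! --- GRE tunnel carrying routed traffic between branch and campus ---
! Tunnel protection binds the IPsec profile to the tunnel, so every GRE
! packet leaving Gi0/0 toward the headend is encrypted.
interface Tunnel0
 description GRE over IPsec to headend (backup path)
 ip address 10.255.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile GRE-PROTECT
!
interface GigabitEthernet0/0
 description Internet uplink (ISP)
 ip address 203.0.113.2 255.255.255.252
!
interface Serial0/0/0
 description Primary private WAN circuit
 ip address 192.0.2.2 255.255.255.252
!
! The headend's public address must always be reached via the ISP, never
! via the private WAN, so the tunnel endpoint does not depend on the
! circuit it is backing up.
ip route 198.51.100.1 255.255.255.255 203.0.113.1
!
! --- WAN Backup: track reachability of the provider-side address ---
ip sla 1
 icmp-echo 192.0.2.1 source-interface Serial0/0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Primary route to the campus is installed only while track 1 is up;
! the floating static route (administrative distance 250) over Tunnel0
! takes over when the probe fails and withdraws when it recovers.
ip route 10.10.0.0 255.255.0.0 192.0.2.1 track 1
ip route 10.10.0.0 255.255.0.0 10.255.0.1 250
```

Verifying the result in a GNS simulation follows the thesis's own method: shut down Serial0/0/0 on the branch router, confirm with the routing table that the 10.10.0.0/16 route now points at Tunnel0, and check that the IPsec security association counters increase while campus traffic flows over the backup path.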
We can use Cisco ISRs (Integrated Services Routers) as the end routers for the site-to-site VPN connection. An ISR supports high-performance security features and rich VPN features with an advanced firewall and intrusion prevention. It also has extensive IOS software capabilities, including QoS, multicast, multiprotocol, and advanced routing support. Figure 2.8 shows some best-case performance measures for individual security features, but the performance numbers may differ in different production environments.

Figure 2.8 Performance metrics associated with the ISR series routers [9]

There are several strategies for placing the VPN devices among which we can choose. We will go through them in detail, with their advantages and disadvantages:

o We can place the VPN device parallel to a firewall (shown in Figure 2.9).

Figure 2.9 VPN device placed parallel to a firewall [9]

The advantages of placing the VPN device parallel to the firewall are:

• Deployment is simplified because we do not need to change the firewall addressing
• High scalability, because we can deploy multiple VPN devices parallel to the firewall

The drawbacks of placing the VPN device parallel to the firewall are:

• IPsec-decrypted traffic is not inspected by the firewall. This is a major concern if the passing traffic is not subject to stateful inspection
• We do not have a centralized point of logging or content inspection
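The first drawback above, decrypted tunnel traffic bypassing the firewall, can be reduced on the ISR itself, since the page notes that the platform carries an advanced firewall. The following added example (not the thesis author's configuration) applies the IOS zone-based firewall on the headend VPN router so that traffic arriving decrypted on the GRE/IPsec tunnel gets stateful inspection before it reaches the campus core, and unexpected protocols are dropped and logged to a central syslog host, which also partly addresses the second drawback. The interface names, the set of permitted application protocols and the syslog address are assumptions.

```cisco
! Added example (not from the thesis). Headend VPN router placed parallel
! to the campus firewall: inspect decrypted branch traffic locally.
! Assumed interfaces: Tunnel0 = GRE over IPsec from the branch,
! GigabitEthernet0/1 = link toward the campus core.
!
! --- Security zones: the tunnel side and the campus side ---
zone security VPN
zone security INSIDE
!
interface Tunnel0
 description GRE over IPsec from branch (decrypted here)
 zone-member security VPN
!
interface GigabitEthernet0/1
 description Campus core
 zone-member security INSIDE
!
! --- Branch -> campus: only the listed application protocols are allowed,
! with a stateful session created for each; anything else is dropped and
! logged. The protocol list is an assumption for the example.
class-map type inspect match-any BRANCH-APPS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
policy-map type inspect BRANCH-TO-CAMPUS
 class type inspect BRANCH-APPS
  inspect
 class class-default
  drop log
!
zone-pair security VPN-TO-INSIDE source VPN destination INSIDE
 service-policy type inspect BRANCH-TO-CAMPUS
!
! --- Campus -> branch: sessions started from the campus are inspected so
! that their replies are admitted by state, not by a permissive ACL.
class-map type inspect match-any ANY-IP
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect CAMPUS-TO-BRANCH
 class type inspect ANY-IP
  inspect
 class class-default
  drop log
!
zone-pair security INSIDE-TO-VPN source INSIDE destination VPN
 service-policy type inspect CAMPUS-TO-BRANCH
!
! --- Central logging for the drop/log actions (syslog host is assumed) ---
logging host 10.10.1.50
logging trap informational
```

Because the tunnel interface, not the physical ISP-facing interface, is the zone member, the policy sees the traffic after IPsec has removed the encryption, which is exactly the point at which a parallel firewall would otherwise have had no visibility. Adding further VPN devices keeps the scalability advantage: each one carries the same zone pair configuration.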