
Network Computing Magazine's Request For Proposal VPN
Organizational Description
Acme.com is a large electronics component manufacturer with several plants and sales offices located throughout North America and Europe. We're looking to lower our costs for connecting our remote sites, and leverage the Internet for connectivity. Currently we're using a mix of FT1, ISDN, and X.25 to interconnect the remote sites to the corporate network. We have 500 users that need to connect while on the road or at home, and that number is expected to swell to 1500 in the next 18 to 24 months. The users will be dialing in through various ISPs with which we don't have relationships.
Acme.com already has a WAN infrastructure in place, representing a heavy investment in equipment and circuits; changing that infrastructure would be disruptive and costly. If it must be changed, service guarantees would be needed during the changeover, along with a reasonable reduction in current WAN connectivity costs.
We are beginning to acquire new companies, and we need to segment our network traffic and restrict non-essential personnel's access to traffic flows. Key departments are R&D, Personnel, Comptroller, Accounting and various strategic planning groups.
In addition to securing remote access for traveling users and remote sites, we also wish to protect internal departments.
Current layout:

Acme.com has three large sites (office headquarters) connected via frame relay PVCs (in New York, Paris, and London; see diagram), each running an IP network. These sites reach the Internet via the New York office, which is firewalled, with a bastion host in the DMZ providing Web, FTP, and SMTP services to the Internet. Please advise on any networking issues that we need to address.
Fifteen branch sites connect via FT1 and 56 Kbps X.25 lines through local service providers. Some users at some sites have Internet access, but most do not; this is likely to change over the next few years.
- 5 in the US
- 3 UK
- 3 France
- 2 Mexico
- 2 Canada
Please note: Diagram shows sites connected with leased lines. Smaller remote sites are connected via ISPs over the Internet.
We have 500 users needing dial-up remote access, expanding to 1500 in two years.
We also use EDI over X.25 with two large customers.
Monthly telecommunications costs (estimated):
| Item | Monthly cost |
|---|---|
| T1 frame relay between office headquarters | $5,889 |
| ISDN between branch sites and OHQ: monthly charge | $1,050 |
| ISDN between branch sites and OHQ: per minute + long distance | $0.14 per minute |
| Internet access | $2,030 |
| X.25/56 Kbps | $1,090 |
| 500 remote access users | $930 |
| Total (fixed monthly charges, excluding per-minute ISDN usage) | $10,989 |
Problem Description
While it's reasonable to treat traffic over the frame relay PVCs as isolated from third-party eavesdropping (the PVCs are not encrypted, but they are not exposed to the public Internet), a few departments require tighter security: R&D, Accounting, and Personnel. Currently these departments are protected by firewalls configured to admit access only from specific sites. We have a mixture of user databases and access methods in place: NT Domains, NDS, and RADIUS. We are planning to move to a single sign-on system for management in the next few years, so forward-looking integration is crucial.
We have R&D labs in New York and London, Detroit and Tampa, Toronto and Montreal, and Paris 2, connected via frame relay PVCs (see network layout for details). These sites require the highest security available.
The remaining sales offices are connected via ISDN BRI to the central office. We would like to reduce long distance costs by connecting to local ISPs and securing the connection back to the New York office.
We have EDI connections with two of our largest customers, and they have shown willingness to partner with suppliers to build an IP-based VPN in lieu of the X.25 links currently in place. As this would mean massive restructuring of the partnership's current WAN infrastructure, we have not decided how we will deploy the VPN.
Objectives and Requirements
3.1 Provide user authentication within the existing framework of NDS and NT Domains. All users have accounts in both of these environments.
3.2 Provide centrally-managed VPN security of distributed sites. Tiered management with separate access/auditing controls is highly desirable, but not required.
3.3 Ensure compliance with local encryption regulations and with those of the foreign governments involved (including export and import controls on cryptography), and minimize the extent to which weaker security policies must be adopted to satisfy them.
3.4 Secure access between the following distributed departments. The security must be transparent to end users, and connections must be protected from sniffing, traffic analysis, and other passive attacks.
* R&D labs between New York, London, and Paris 2 sites. These departments own their subnets at each location.
* Personnel and Accounting departments between New York, London, Paris, both Mexico City sites, Montreal, Detroit, and Tampa. These departments own their subnets at each location.
* Sales offices must have secure communication back to New York.
* Remote users, primarily sales/marketing and executive personnel, connected via ISPs, will be using a mix of Windows 3.1/95/NT Workstation and Macintosh desktops and laptops.
3.5 Provide or demonstrate the ability to migrate the existing X.25 EDI links to a supply-chain VPN.
3.6 Train administrative and helpdesk personnel, and provide support assistance for 30 days.
3.7 Consult with Acme.com, our customers, and our vendors on supply-chain VPN deployment.
Pricing
Please provide pricing information and notes with as much detail as possible. For software, provide estimated cost of hardware platform if applicable. Please follow the guidelines below for pricing as applicable:
4.1 Provide pricing on required hardware and software broken down by product and number.
4.2 Provide pricing on client licenses in addition to those required by this RFP.
4.3 Provide hourly costs for support in addition to the required 30 days.
4.4 Include telecommunications costs for leased lines and CPE if applicable.
4.5 Include labor, supplies, and other applicable fees in price as well.
RFP/VPN Addendum:
Dear RFP/VPN Participant:
Following is some additional information that may be needed to complete the RFP/VPN proposal for Network Computing Magazine's July 1st issue.
1) What are the primary communications protocols used throughout Acme's network?
IP/IPX
2) Are private IP addresses being used? If yes, where is NAT being performed (which platform, device)?
The internal network is privately addressed. We use PAT, Port Address Translation, on the firewall for the devices coming in from the Internet. Some users on the inside, notably sales and marketing, are able to get out to the Internet via PAT through the firewall as well. In the future, we may let more users have direct access to the Internet at some point, but general access will be severely limited.
3) Does Acme have servers that the general public will need to access? If yes, are these maintained in-house or through a service provider?
These services (SMTP, HTTP, FTP) are in the DMZ (bastion) of the firewall. They are maintained by us.
4) Does Acme's current EDI solution utilize TCP/IP?
Yes.
5) For the sites/depts. requiring "highest security possible":
-- are the primary file & print servers located within the dept. or on a separate network segment (i.e. common backbone)?
Section 3.4 defines the relationships as we see them. Sites in the first two bullets are currently connected via dedicated links. These departments talk to servers located on their own subnets, other servers on other secured networks, and other servers (non-secured) located elsewhere and controlled by those departments. In other words, accounting and personnel need to be tied together (R&D as well) with transparent access between remote departments while still talking to other non-secured servers. Some access is granted to individual users located on the corporate LAN to those servers, with access control supplied by firewalls. The two last bullets are for users and sites coming in over the Internet.
-- will users in these depts. require Internet access (http/ftp etc.) or only inter-company communications?
They will need intercompany access to each other's resources. They will not have Internet access from the secured LAN.
6) Are the international offices (Paris, London, Mexico City) all 50% or wholly-owned subsidiaries of Acme Co. (as opposed to being foreign-owned subsidiaries)?
Wholly owned.
Please feel free to contact Mike Fratto, Associate Technology Editor, with any questions. He can be reached at mfratto@nwc.com or at tele. (315) 443-2231. Thank you.
Sincerely,
Mike Fratto
Associate Technology Editor