If you're a Notes or Domino administrator, you probably worry about costs and security, especially if your network contains Domino servers in remote locations.
How can you keep such a network secure? You can connect the servers by dial-up phone lines of course, but your costs will probably be high and difficult to control, as users log in and out on a schedule that suits them, not your budget. You can also connect the servers with a WAN, which may give you higher speed at a cost you can control. But a WAN will probably be even more costly than phone lines.
That leaves the Internet, which is inexpensive and readily accessible from almost any part of the world. Nevertheless, many administrators would rather not take the security risk of exposing their Domino servers to the Internet.
Fortunately, there's an alternative: a Virtual Private Network (VPN), which combines the security of a Wide Area Network (WAN) with the ubiquity and low cost of the Internet. Will a VPN solve your problems? Before we answer that question, let's see what a VPN is.
Internet vs. VPN
Let's start by first taking a look at the Internet. The Internet is simply a huge TCP/IP network, not unlike the LAN or WAN that links the computers in your office. The Internet contains a huge number of fixed IP addresses that are assigned to specific computers, such as Web servers. These fixed addresses are in contrast to the dynamic IP addresses that are pooled by ISPs and assigned to users when they call in to the Internet. The ISP is assigned a set of fixed IP addresses, and when a caller dials in, an IP address from that pool is dynamically and randomly assigned to the caller.
Because the Internet is really a TCP/IP network, file servers can be networked together over the Internet just as they can be on a LAN or WAN. Simply provide a dedicated address for each server, perform some quick network configuration, and you have a LAN or WAN over the Internet.
For some businesses, such a network is an attractive option. They might have a central office with a large network (and an IS department to match), connected to small branches with local file servers. The branch offices may be too small to have their own administrators, or to justify being part of a WAN with a large pipe entering every office. If a great deal of data is regularly transferred between offices, however, a phone line network will probably be quite expensive. But an Internet network solves these problems: you don't need dedicated administrators or a large WAN pipe in every office, and you certainly won't incur long-distance phone charges.
Of course, such a setup is too good to be true for one simple reason: security. No one in his right mind would expose his file servers to the Internet without taking serious security precautions. First of all, you need to make sure that the users or servers accessing your servers are legitimate. Even with such security precautions, any enterprising individual can intercept Internet transmissions. A packet sniffer placed near the source or destination of those transmissions can tell a whole lot you don't want told. Faced with such risks, most administrators may well regard the Internet as too risky to be a viable communications solution.
Security and affordability
But a VPN is different. It permits secure communication over the Internet by encrypting data transmissions. In addition, it acts as a firewall for the file server, protecting the server from undesired visitors. With such security measures, Internet communications will be as secure as WAN communications. In short, a VPN provides both security and affordability.
Many recent news stories have highlighted the cracking of encrypted data. These decryptions have generally taken several days and required hundreds of thousands of dollars of computing equipment. Since most hackers are looking for the easiest approach to obtain secure information, it's unlikely that they will have the patience or the resources to crack your Internet-transferred encrypted data. If the data you transfer is worth more to somebody than the cost of decrypting it (in both financial and potential legal terms), then the Internet is not a good solution for your company.
Most VPNs also provide tunneling, or the encapsulation of a network packet within an IP packet. So if your servers run Novell NetWare and use IPX/SPX instead of TCP/IP, they can still communicate over the Internet through a VPN. The IPX packets are simply placed inside IP packets, sent over the Internet, and removed from the IP packets at the destination. This is not really an extra security feature, though, as encapsulation is not the same as encryption.
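As an added illustration of that last point (this script is not from the original article), the following Python code builds an IPX-in-IP tunnel packet by hand: a constructed IPX packet is wrapped in a minimal IPv4 header using IANA protocol number 111, unwrapped again at the far end, and a final check confirms that the inner packet is still readable byte-for-byte in what crosses the wire. The addresses and IPX bytes are constructed sample values.

```python
import struct

# IANA-assigned IPv4 protocol number for IPX-in-IP encapsulation.
IPPROTO_IPX_IN_IP = 111

# Constructed sample IPX packet (30-byte header + 8-byte payload); values are illustrative.
SAMPLE_IPX = (
    b"\xff\xff"                  # IPX checksum field (unused, always 0xFFFF)
    + struct.pack("!H", 30 + 8)  # IPX length: header plus payload
    + b"\x00\x04"                # transport control, packet type (4 = packet exchange)
    + b"\x00\x00\x00\x01" + b"\x00\x11\x22\x33\x44\x55" + b"\x04\x51"  # dest net/node/socket
    + b"\x00\x00\x00\x02" + b"\x00\x66\x77\x88\x99\xaa" + b"\x40\x00"  # src net/node/socket
    + b"PAYLOAD1"                # constructed application data
)


def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(inner: bytes, src: str, dst: str) -> bytes:
    """Wrap a non-IP packet in a minimal 20-byte IPv4 header: this is tunneling, nothing more."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(inner), 0, 0, 64, IPPROTO_IPX_IN_IP, 0, src_b, dst_b)
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + inner


def decapsulate(packet: bytes) -> bytes:
    """Strip the outer IPv4 header, verifying version, protocol and header checksum first."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or packet[9] != IPPROTO_IPX_IN_IP:
        raise ValueError("not an IPX-in-IP packet")
    if ip_checksum(packet[:ihl]) != 0:      # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    return packet[ihl:total_len]


def inner_visible_on_wire(packet: bytes, inner: bytes) -> bool:
    """True when the inner packet appears verbatim in the outer one: a sniffer reads it as-is."""
    return inner in packet
```

Because `inner_visible_on_wire` returns True for every packet this tunnel produces, encapsulation alone buys no confidentiality; only encryption of the inner bytes (by the VPN or by Domino port encryption) changes that.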
You don't need costly network infrastructure. A WAN requires network routers at each site, in addition to dedicated lines. With a VPN on the Internet, however, those routers are, quite literally, somebody else's problem. This brings the costs of a VPN closer to those of a simple LAN than to those of a WAN.
Of course, setting up a VPN requires some work. You'll need extra hardware (a VPN server at each location), and VPN software. If remote users will be calling in to the VPN, you'll have to configure their computers with VPN software as well. And you'll have to untangle the astonishingly confusing VPN marketplace, where vendors can't even agree on what a VPN is, much less on VPN standards. The number of vendors has proliferated dramatically, with everyone from small regional shops to big Internet providers getting in on the action.
Some vendors provide managed VPN solutions, so you can hire someone else to manage your VPN while you administer the Domino servers you truly care about. Before you hire someone to provide a VPN, be sure to look closely at the vendor's service record, because you'll be in bad shape if the vendor turns out to be unreliable or incompetent.
What about Domino?
Using a VPN to provide secure transmissions between Domino servers sounds great. But if you look a little closer, there are some problems.
One of the strongest arguments for using a VPN is that it encrypts data. However, Domino servers have their own encryption capabilities. Any port on a Domino server can be configured so that all traffic over that port is encrypted automatically. Indeed, encryption need only be enabled at one end of the connection. So if a remote Notes user happens to have disabled port encryption on his laptop when he dials into the Internet to replicate, the security of the transmission will not be compromised -- as long as the port on the server has been set to encrypt data.
Some administrators have been wary of using port encryption, perhaps because of rumors that it adds as much as 50 percent overhead to a server's activities. But these rumors are untrue. According to Lotus, port encryption increases processor overhead by no more than five to ten percent. If your Domino servers are running at 95 percent capacity without port encryption, it might make sense to use a VPN, rather than port encryption, to encrypt network traffic over the Internet. Then again, it would probably make more sense to upgrade your servers so that they aren't in danger of saturating their processors.
You might argue that using a VPN in addition to native Domino encryption will double your security. In theory, that's true. But it will also degrade performance, not to mention adding another layer of authentication and administration -- more things that can go wrong. One layer of security should be enough.
Another point to keep in mind is that, by using a VPN, your Domino servers will no longer be connected directly to the Internet, which may seem like a security advantage. In reality, connecting your Domino server to the Internet to communicate with other Domino servers only requires exposing port 1352, which is used exclusively by the server, and so the security risk is minimal. Using the Internet tasks of the Domino server, such as HTTP and NNTP, requires exposing additional ports, but these ports accept only certain commands, which means that, in my opinion, the danger of exposing them to the Internet is somewhere between small and negligible.
So the obvious advantages of using a VPN aren't so obvious in a Domino environment, and the security risk of having Domino servers communicate over the Internet turns out to be not such a security risk after all. This might lead you to a simple conclusion: you really don't need a VPN.
Not so fast.
Administration, not communication
While there's no compelling case for using a VPN for Domino server communications, the situation is different when you look at the need for remote Domino server administration. Here, the VPN truly does provide a sound value proposition in certain situations.
Domino administrators are in short supply, and a company with three sites (and three matching Domino servers) might well find itself in the position of being able to afford (or find) only one Domino administrator. In such a case, the Domino administrator faces the task of monitoring three servers in three different locations.
Of course, many Domino administration tasks can be performed within the Domino administration interface. For instance, administering groups in the Public Address Book is usually performed centrally at a site, and the remote server console lets an administrator issue server commands remotely with native Domino capabilities. But establishing a VPN connection to a Domino server allows you to access the server not only through Domino, but also at a file level. As administrators know, this can be immensely helpful when troubleshooting. For instance, if you suspect the problem with the server is that the uninstall procedure for some other software has removed a needed Dynamic Link Library (DLL), you can simply replace the DLL on the remote server over the VPN [although tinkering with DLLs over a network is always a risky business and DominoPower does not recommend it. --DG]. If that remote Domino server distributes static HTML pages, you can administer those as well, even if the server is in a different country. You can even back up files over the VPN to a local server.
Remote administration capabilities can be extended even further with the use of remote administration software, such as PCAnywhere and Remotely Possible. Every seasoned Domino administrator has encountered a situation that can be cured only by restarting the Domino server or, in some cases, by shutting down and restarting Windows NT. While such tasks would be infeasible over a Notes connection to the Domino server, remote administration software makes them almost trivially easy. Other formerly daunting tasks, such as changing the size of a page file, also become astonishingly simple. In cases like these, the VPN has all the flexibility of machine access that a WAN offers, while sparing almost every expense associated with a WAN.
If you've considered the implications of all of this, you've probably already determined that a VPN provides the ability to offer your employees a Remote Access Service (RAS) solution over the Internet. Rather than maintaining modem banks on your RAS server, you would instead use a VPN setup. Then, your traveling users (with VPN-configured laptops) can dial into their ISP's local access number and establish a VPN connection to their home file servers, accessing the network just as they would in the office (OK, give or take 90 Mbps of speed).
So, indeed, VPNs can be quite useful to some Domino administrators. For some companies, typically installations with sizable user populations and administrators at every location, the value proposition for remote administration is negligible, and a VPN would be gratuitous. However, for companies with multiple sites without multiple administrators to match, a VPN might just be the thing.
Plan ahead
While there are definitely compelling reasons for some administrators to use a VPN, a final word of caution is in order. The Internet is overused. Whereas a few years ago reasonably high-speed connections could almost always be counted on over the Internet, that is no longer the case. And whether you're using a VPN or native Domino port encryption, encrypting data does nothing to increase the speed of data flow but does plenty to increase the amount of time required to transmit the data. For many companies, this may be irrelevant due to the non-urgent nature of their data flow. But for some companies, the unreliability of the Internet is a problem too big to ignore. And if you're administering a server remotely, you may be less than amused as you troubleshoot a problem in slow motion.
There are a huge number of companies providing VPN products. While Lotus has never claimed to provide a VPN infrastructure in Domino, in reality Domino contains a subset of that functionality -- a subset that may be sufficient to meet the needs of many administrators. Before picking a solution for networking Domino servers at your remote locations, determine what your needs really are, and the answer to the question "Do I need a VPN?" should become clear.