Scaling for RAS


Companies today are moving toward the philosophy that data should be available anywhere and anytime. Users should be able to access resources from home, from hotels, and even from Internet cafes. Technologies such as Virtual Private Networks, wireless, and modems work together to allow users to access their data. Setting up a basic remote access system can be fairly straightforward; scaling that system is another situation entirely. Companies like AT&T support literally millions of users in their Remote Access systems.

Never Compromise Security Policies

Don't let the scaling of RAS get in the way of network security. Never compromise security policies to increase VPN or RAS performance.


Hardware Cryptographic Accelerators

VPNs are an amazing way to take advantage of the Internet as a backbone network for remote access. Windows 2003 offers support for both Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Transport Protocol (L2TP, with IPSec) as VPN technologies. Windows 2003 does a pretty good job of handling these services, but as administrators attempt to scale this access to larger and larger numbers of users, they quickly discover that the VPN takes up a fair amount of system resources. Rather than just add more and more RAS servers, a clever administrator can increase performance by using a hardware cryptographic accelerator. A cryptographic accelerator offloads encryption tasks from the CPU and performs them on dedicated hardware. This allows a RAS server to greatly increase the number of simultaneous connections it can service. It also allows administrators to enforce a higher level of encryption than they would otherwise have used because of performance constraints.

A Hardware IPSec Accelerator Is Probably Overkill

In many environments, the Internet bandwidth becomes the VPN bottleneck long before the VPN server does. If a company only has a T-1 connection to the Internet, a hardware IPSec accelerator is probably overkill.


When to Make the Move from Software to Hardware

Many hardware RAS solutions on the market offer features and levels of performance not found in Windows 2003 Routing and RAS. One of the primary factors in moving to an appliance for remote access is to move away from a multipurpose operating system like Windows 2003 to a more dedicated operating system. Because RAS devices are often run in parallel with the firewall, the security of the system is of paramount importance. By eliminating the general-purpose code, these appliances are able to greatly reduce their exposure to security exploits.

When looking at hardware VPN/RAS devices, pay special attention to whether they support native VPN clients. Being able to use the PPTP or L2TP/IPSec client built into Windows can be a great advantage, because it avoids having to purchase or manage a third-party VPN client.

PPTP Security

The industry often gives PPTP a pretty hard time about its security. White papers were published accusing PPTP of being susceptible to a "man in the middle attack." It is important to point out that the security flaw exposed was not in PPTP but in MS-CHAP, the authentication protocol that was used in PPTP at the time. This flaw has long since been fixed in MS-CHAPv2. This is the authentication protocol used for PPTP in Windows 2000 and Windows 2003.


Multiplexing for Modem Support

Companies that maintain their own dial-up services can take advantage of newer technologies to reduce their costs and maintenance efforts. When looking at adding analog lines for modems, always look into getting an aggregated line and a multiplexer. In many areas it is cheaper and easier to get a T-1 line than it is to get 10 analog lines. The T-1 is cheaper, takes up less space in the Intermediate Data Frame, and has the capacity for a total of 23 analog lines. Always work closely with the telecom group to see what facilities you already have in place, and take advantage of them whenever possible.

Software modems take this concept to another level. By plugging a single T-1 into a software modem device, the device creates up to 23 virtual modems that act exactly like physical modems. This is a more cost-effective modem solution, and it takes up less space in the data center. Most ISPs use virtual modem technologies to support their dial-up users.

Taking Advantage of Multihoming Your Internet Connection

As companies become more and more dependent on their VPN environments, they often look into making the VPN more resilient. Redundant VPN hardware is usually the first upgrade, with things like bandwidth being second. Multihoming the Internet connection is an upgrade that is often overlooked. By attaching to multiple ISPs, a company can protect against failures of its upstream providers. Additionally, by multihoming, a network can become topologically closer to other specific networks.

For example, if a company had its Internet connection through one provider and was using dial-up services through another, there is no guarantee as to the performance when going from one network to the other. Traffic from ISP A will hit the Internet through a public access point as quickly as possible and eventually reach ISP B. From there it would reach the company's VPN system. By attaching the company's VPN system to ISP B as well (ISP B being the provider of the dial-up services, with POPs in every city), there is a much more direct path back to the VPN system. This not only improves performance by reducing latency and hop count, but it also acts as a secondary route for Internet connectivity. Technologies such as BGP4 (Border Gateway Protocol) allow companies to be reachable via multiple ISPs without having to route only through the primary ISP. This allows a company to scale its VPN and RAS solutions through added capacity and added resiliency.
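The two benefits described above, a shorter path from the dial-up provider's POPs and a surviving route when the primary link fails, can be seen in a small model of AS-level reachability. The following is an added example, not text or code from the book; the AS numbers (from the private range), the topology and the "ISP A" / "ISP B" roles are constructed for the demonstration, and BGP best-path selection is reduced to its shortest-AS-path tiebreaker only.

```python
"""Model of why multihoming the VPN to the dial-up ISP helps (added example).

Constructed topology (not real providers):
  AS64500 = company VPN system
  AS64501 = ISP A, the company's primary Internet provider
  AS64502 = ISP B, the dial-up provider whose POPs the remote users dial into
  AS64503, AS64504 = transit networks between the two ISPs
"""
from collections import deque

# Adjacency list: each AS maps to the ASes it peers with (single-homed case).
SINGLE_HOMED = {
    "AS64500": ["AS64501"],
    "AS64501": ["AS64500", "AS64503"],
    "AS64503": ["AS64501", "AS64504"],
    "AS64504": ["AS64503", "AS64502"],
    "AS64502": ["AS64504"],
}


def multihome(topology, company="AS64500", isp="AS64502"):
    """Return a copy of the topology with a direct company <-> isp peering added."""
    t = {k: list(v) for k, v in topology.items()}
    t[company].append(isp)
    t[isp].append(company)
    return t


def without_link(topology, a, b):
    """Return a copy of the topology with the a <-> b link removed (link failure)."""
    return {k: [n for n in v if {k, n} != {a, b}] for k, v in topology.items()}


def best_as_path(topology, src, dst):
    """Shortest AS path from src to dst (BFS), or None if dst is unreachable.

    Real BGP applies local preference, MED and other attributes first; the
    shortest-AS-path rule is enough to show the hop-count effect discussed above.
    """
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for neighbour in topology.get(node, []):
            if neighbour not in prev:
                prev[neighbour] = node
                queue.append(neighbour)
    return None


def compare(company="AS64500", dialup="AS64502", primary="AS64501"):
    """Paths from the dial-up ISP to the company, before and after multihoming,
    with and without the primary (ISP A) link."""
    single = SINGLE_HOMED
    multi = multihome(single, company, dialup)
    return {
        "single_homed_path": best_as_path(single, dialup, company),
        "multihomed_path": best_as_path(multi, dialup, company),
        "single_homed_after_primary_failure": best_as_path(
            without_link(single, company, primary), dialup, company),
        "multihomed_after_primary_failure": best_as_path(
            without_link(multi, company, primary), dialup, company),
    }


if __name__ == "__main__":
    for name, path in compare().items():
        print(f"{name}: {' -> '.join(path) if path else 'unreachable'}")
```

Running the script shows the single-homed path crossing four AS hops through both transit networks, the multihomed path going straight from ISP B to the company, and only the multihomed network staying reachable once the ISP A link is removed. Swap in the real AS adjacencies from your providers' looking glasses to evaluate an actual multihoming proposal.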



Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
Year: 2003
Pages: 325
