13.5 Centralized Extranet VPN


The centralized extranet differs from the dedicated extranet by providing more restricted communications between sites. Instead of any-to-any communications, the centralized extranet allows data exchange only between a central site and the allowed remote sites. The remote sites do not exchange data with each other. This implementation is like the traditional hub-and-spoke overlay model: there is one central site, or hub, and several remote sites, or spokes. The spoke sites do not talk to each other; they talk to the hub only.

Centralized extranet VPNs exist because they are an effective way to allow secure data exchange between a central site and many remote sites. The security comes from the fact that, in this implementation, the policy defined in the software configuration controls which sites are able to access the data at the hub, or central site. No site has carte blanche to access any other site; instead, access is limited to one location.

Figure 13-7 shows an application that might be used with this implementation. In this example, the hospital CE router is the central site, and the drug, linen, and medical equipment companies are the remote sites. Data exchange would be allowed between the drug company and the hospital, and between the linen company and the hospital, but not between the drug company and the linen company.

Figure 13-7. Centralized Extranet Application
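The following is an added example, not taken from the book: a small audit that checks a hub-and-spoke policy for the hospital scenario and flags any spoke that can learn another spoke's routes. The tag-based import/export model, the tag names, and all function names are assumptions made for illustration and are not JUNOS syntax.

```python
from itertools import permutations

# Constructed policy model (an assumption, not JUNOS syntax): each site
# exports its routes with a set of tags and imports routes carrying any
# tag in its import set.
HUB = "hospital"
POLICY = {
    "hospital":  {"export": {"hub"},   "import": {"spoke"}},
    "drug":      {"export": {"spoke"}, "import": {"hub"}},
    "linen":     {"export": {"spoke"}, "import": {"hub"}},
    "equipment": {"export": {"spoke"}, "import": {"hub"}},
}

def learns_routes(policy, receiver, sender):
    """True if receiver imports at least one tag that sender exports."""
    return bool(policy[receiver]["import"] & policy[sender]["export"])

def can_exchange(policy, a, b):
    """Data exchange needs routes in both directions."""
    return learns_routes(policy, a, b) and learns_routes(policy, b, a)

def audit(policy, hub):
    """Return (spokes cut off from the hub, spoke pairs with route leaks)."""
    spokes = sorted(s for s in policy if s != hub)
    isolated = [s for s in spokes if not can_exchange(policy, hub, s)]
    # Even a one-way leak is a violation: spoke a learns spoke b's routes.
    leaks = [(a, b) for a, b in permutations(spokes, 2)
             if learns_routes(policy, a, b)]
    return isolated, leaks

def misconfigured(policy):
    """Constructed mistake: the linen site also imports the spoke tag."""
    bad = {site: {k: set(v) for k, v in rules.items()}
           for site, rules in policy.items()}
    bad["linen"]["import"].add("spoke")
    return bad

if __name__ == "__main__":
    print(audit(POLICY, HUB))
    print(audit(misconfigured(POLICY), HUB))
```

An empty leak list means every remote site reaches the hospital only; the constructed mistake shows how a single extra import on one spoke breaks that restriction.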




Juniper Networks Reference Guide. JUNOS Routing, Configuration, and Architecture
ISBN: 0201775921
EAN: 2147483647
Year: 2002
Pages: 176
