Consolidation of remote offices into a single network. Consolidation of networks of remote offices. Mikrotik networking

Suppose we have 2 offices in different parts of the city, or in different cities or countries, and each of them is connected to the Internet through a fairly good channel. We need to link them into a single local network. In this case, none of the users will guess where this or that computer or printer is located on the local network, use printers, shared folders and all the advantages of a physical network. Remote employees connected via OpenVPN will also be able to work in the network, as if their computers are on the physical network of one of the offices.

We will configure it in the Debian Squeeze operating system, but the instructions are fully applicable to any distribution based on Debian, and with minor changes in the commands for installing and configuring the bridge and OpenVPN, it will be applicable to any Linux or FreeBSD distribution.

Suppose Debian or Ubuntu distribution is installed by one of the instructions :,

Install and configure a VPN network based on OpenVPN using a bridge tap0

Create a network bridge between the physical network eth1 and virtual interface tap0

Install the necessary programs by agreeing to the request of the package manager:

We configure the server network based on the fact that we have 2 network cards: network eth0 eth1 br0

Editing the configuration file / etc / network / interfaces:

Auto lo iface lo inet loopback # internet provider auto eth0 iface eth0 inet static address 192.168.50.2 netmask 255.255.255.0 gateway 192.168.50.1 # local network auto eth1 iface eth1 inet static address 10.10.10.1 netmask 255.255.255.0

Auto lo iface lo inet loopback # Register the bridge, turn on the VPN interface tap0 and the network card eth1 auto br0 iface br0 inet static # Add the openvpn interface bridge_ports eth1 tap0 address 10.10.10.1 netmask 255.255.255.0 # Internet auto eth0 iface eth0 to the bridge tap0 inet static address 192.168.50.2 netmask 255.255.255.0 gateway 192.168.50.1

After that, when executing the ifconfig command, a bridge should appear br0 with IP 10.10.10.1, interface eth0 with IP address 192.168.50.2 and interface eth1 without an IP address, since it is in the bridge br0

Configuring OPENVPN:
Copy the scripts for configuring our openvpn server with the command:

Cp -Rp /usr/share/doc/openvpn/examples/easy-rsa/2.0/ / etc / openvpn / easy-rsa

Making changes to the file / etc / openvpn / easy-rsa / varsto define global variables and enter less data when creating keys:

Vi / etc / openvpn / easy-rsa / vars

Export KEY_COUNTRY \u003d "US" export KEY_PROVINCE \u003d "CA" export KEY_CITY \u003d "SanFrancisco" export KEY_ORG \u003d "Fort-Funston" export KEY_EMAIL \u003d ""

Export KEY_COUNTRY \u003d "UA" export KEY_PROVINCE \u003d "11" export KEY_CITY \u003d "Kiev" export KEY_ORG \u003d "NameFirm" export KEY_EMAIL \u003d ""

Go to the folder with scripts for creating certificates and keys with the command:

Cd / etc / openvpn / easy-rsa /

We initialize PKI (Public Key Infrastructure) with the commands:

... ./vars ./clean-all

Attention. When executing the command ./clean-allall existing certificates and keys of both the server and clients will be deleted, therefore do not run on the production server, or do it after saving the folder / etc / openvpn /to the archive with the command:

Tar cf - / etc / openvpn / | gzip -c -9\u003e /home/openvpn_backup.tgz

We generate a Certificate Authority (CA) certificate and key with the command:

./build-ca

Most of the parameters will be picked up from the vars file. Only the Name parameter must be specified explicitly:

Name: vpn

In general, you can fill in all the fields as you need each time.

We generate the Diffie-Hellman parameters with the command:

./build-dh

We generate a certificate and a private key of the server, do not enter anything when prompted for a password, and when prompted Sign the certificate?: we introduce y and press Enter by running the command:

./build-key-server server

All parameters are accepted by default. On request Common Name introduce server

Common Name (eg, your name or your server "s hostname): server

Questions Sign the certificate? and 1 out of 1 certificate requests certified, commit? we answer positively:

Sign the certificate? : y 1 out of 1 certificate requests certified, commit? y

It remains to create certificates and keys for clients. First, we initialize the parameters:

Cd / etc / openvpn / easy-rsa /. ./vars

Create keys for the user server1... For example, add as many users as needed:

./build-key server1 ./build-key client1 ./build-key client2

Based on the fact that we have a network 10.10.10.0/24 we immediately allocate a pool of addresses for office 1 computers - 10.10.10.40-149 , for office 2 we allocate a pool of addresses 10.10.10.150-254 and allocate a pool of addresses for remote employees 10.10.10.21-39.
Create a folder / etc / openvpn / ccd / where we indicate to which client which ip with the command:

Mkdir -p / etc / openvpn / ccd /

We assign each client its own IP in the network with the commands:

Echo "ifconfig-push 10.10.10.150 255.255.255.0"\u003e / etc / openvpn / ccd / server1 echo "ifconfig-push 10.10.10.21 255.255.255.0"\u003e / etc / openvpn / ccd / client1 echo "ifconfig-push 10.10.10.22 255.255.255.0 "\u003e / etc / openvpn / ccd / client2

Create a server configuration file:

Vi /etc/openvpn/server.conf ################################# port 1195 proto udp dev tap0 ca easy-rsa / keys / ca.crt cert easy-rsa / keys / server.crt key easy-rsa / keys / server.key # This file should be kept secret dh easy-rsa / keys / dh1024.pem mode server tls- server daemon ifconfig 10.10.10.1 255.255.255.0 client-config-dir / etc / openvpn / ccd keepalive 10 20 client-to-client comp-lzo persist-key persist-tun verb 3 log-append /var/log/openvpn.log # script-security 2 # uncomment when working on OpenVPN version from 2.4 up /etc/openvpn/up.sh ########################### ######

Vi / etc / default / openvpn

OPTARGS \u003d ""

OPTARGS \u003d "- script-security 2"

Create a script /etc/openvpn/up.sh which starts when the OpenVPN server starts:

Vi /etc/openvpn/up.sh #! / Bin / sh brctl addif br0 tap0 brctl addif br0 eth1 ifconfig tap0 0.0.0.0

We give permission to execute the script /etc/openvpn/up.sh command:

Chmod + x /etc/openvpn/up.sh

After that, restart the OpenVPN server with the command:

We execute the command ifconfig, the interface should appear tap0 without an IP address.

We collect an archive with keys for distribution to remote employees and sending to office 2

Create folders with usernames with the commands:

Mkdir -p / etc / openvpn / users / server1 mkdir -p / etc / openvpn / users / client1 mkdir -p / etc / openvpn / users / client2

Create a folder with archived keys with the command:

Mkdir -p / etc / openvpn / users_tgz

We collect keys and certificates from user folders with the commands:

Cp /etc/openvpn/server/easy-rsa/keys/server1.key / etc / openvpn / users / server1 / cp /etc/openvpn/server/easy-rsa/keys/server1.crt / etc / openvpn / users / server1 / cp /etc/openvpn/server/easy-rsa/keys/ca.crt / etc / openvpn / users / server1 / cp /etc/openvpn/server/easy-rsa/keys/client1.key / etc / openvpn / users / client1 / cp /etc/openvpn/server/easy-rsa/keys/client1.crt / etc / openvpn / users / client1 / cp /etc/openvpn/server/easy-rsa/keys/ca.crt / etc / openvpn / users / client1 / cp /etc/openvpn/server/easy-rsa/keys/client2.key / etc / openvpn / users / client2 / cp /etc/openvpn/server/easy-rsa/keys/client2.crt / etc / openvpn / users / client2 / cp /etc/openvpn/server/easy-rsa/keys/ca.crt / etc / openvpn / users / client2 /

We create configuration files based on the fact that server1 is remote office server 2, and client1 and client2 these are remote employees connecting to the VPN network from outside from Windows.

Instead of IP-SERVER-VPN, put the external IP address of the OpenVPN server.

Create an OpenVPN configuration file for server1:

Echo "remote IP-SERVER-VPN 1195 client dev tap0 proto udp resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert server1.crt key server1.key comp-lzo verb 4 mute 20 verb 3 log-append / var / log / openvpn.log up /etc/openvpn/up.sh "\u003e /etc/openvpn/users/server1/server1.conf

Archiving keys for server1 command:

Tar cf - / etc / openvpn / users / server1 | gzip -c -9\u003e /etc/openvpn/users_tgz/server1.tgz

client1:

Echo "remote IP-SERVER-VPN 1195 client dev tap0 proto udp resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert client1.crt key client1.key comp-lzo verb 4 mute 20 verb 3"\u003e / etc /openvpn/users/client1/client1.ovpn

We archive the keys for client1 with the command:

Tar cf - / etc / openvpn / users / client1 | gzip -c -9\u003e /etc/openvpn/users_tgz/client1.tgz

We create a configuration file for client2 command:

Echo "remote IP-SERVER-VPN 1195 client dev tap0 proto udp resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert client2.crt key client2.key comp-lzo verb 4 mute 20 verb 3"\u003e / etc /openvpn/users/client1/client2.ovpn

Archiving keys for client2 command:

Tar cf - / etc / openvpn / users / client2 | gzip -c -9\u003e /etc/openvpn/users_tgz/client2.tgz

Configuring VPN server office 2

In the instructions above, we installed and configured the VPN server on Debian GNU / Linux using OpenVPN, we created keys with certificates for the remote office 2 server and remote employees. Now we need to connect office 1 with office 2 into a single local network via VPN.

Suppose that in office 2 we have installed and configured a Linux server (gateway) that distributes the Internet channel for office 2 employees. This server has 2 network cards: eth0 is the ISP and eth1 - local network, it will be included in the bridge, and will have a pool of addresses 10.10.10.100-254

We need to install the software with the command:

Aptitude install bridge-utils openvpn

Setting up the server network

We configure the network based on the fact that we have 2 network cards. eth0 - receives the Internet from the provider and through it office 1 goes to the Internet, as well as the network eth1 - included in the switch of the local network of office 1, it will be included in the bridge with the interface br0

Editing the configuration file / etc / network / interfaces:

Vi / etc / network / interfaces

Auto lo iface lo inet loopback # internet provider auto eth0 iface eth0 inet static address 192.168.60.2 netmask 255.255.255.0 gateway 192.168.60.1 # local network auto eth0 iface eth0 inet static address 192.168.1.1 netmask 255.255.255.0

Auto lo iface lo inet loopback # We register the bridge, turn on the VPN interface tap0 and the network card eth1 auto br0 iface br0 inet static # Add the openvpn interface bridge_ports eth1 tap0 address 10.10.10.150 netmask 255.255.255.0 # Internet auto eth0 iface eth0 to the bridge tap0 inet static address 192.168.60.2 netmask 255.255.255.0 gateway 192.168.60.1

We save the changes and reboot the network with the command:

/etc/init.d/networking restart

After that, when executing the command ifconfig a bridge should appear br0 with IP 10.10.10.150 , interface eth0 with IP address 192.168.60.2 and interface eth1 without an IP address, since it is in the bridge br0

For computers in office 2, we issue computers with IP addresses without going beyond 10.10.10.150-254 where 10.10.10.150 is the IP address of the office server 2.

Upload the collected archive of OpenVPN keys from the VPN server of office 1 to the server of office 2 with the command:

Ssh -P22 /etc/openvpn/users_tgz/server1.tgz: / root /

Or, if server1 of office 2 does not have a permanent or dynamic IP, we will merge the keys from the VPN server of office 2 with the command:

Ssh -P22: /etc/openvpn/users_tgz/server1.tgz / root /

To request a password - enter the user's password root , after entering the correct password, the archive with the keys is downloaded to the folder /root/server1.tgz

Unpack the contents of the archive ( only key files without folders) /root/server1.tgz to folder / etc / openvpn /

Allow OpenVPN to run scripts:

Vi / etc / default / openvpn

OPTARGS \u003d ""

OPTARGS \u003d "- script-security 2"

Create a script /etc/openvpn/up.sh which starts when the VPN client connects to the VPN server:

Vi /etc/openvpn/up.sh #! / Bin / sh brctl addif br0 tap0 brctl addif br0 eth1 ifconfig tap0 0.0.0.0 chmod + x /etc/openvpn/up.sh

Restart the OpenVPN server with the command:

/etc/init.d/openvpn restart

When executing the command ifconfigthe interface should appear tap0 without an IP address.

Now you can ping computers of another office from both offices, use shared folders, printers, resources of another office, and also arrange game battles between office 1 and office 2 :)

To check the interfaces connected to the bridge, run the command:

Brctl show

System response:

Bridge name bridge id STP enabled interfaces br0 7000.003ds4sDsf6 no eth1 tap0

We see our local network card eth1 and the OpenVPN virtual interface tap0

The task is completed, two remote offices are connected to one local network.

If the article was useful to you, share it with your friends by clicking on the icon of your social network at the bottom of this article. Please comment on this manual, did you like it, did it benefit you? You can also subscribe to receive notifications about the release of new articles to your mail on the page

And now let's take a little break and have a rest for half a minute, raising our spirits for more productive work, watch the video and smile:

Contact a specialistGoryainov Denis Technical Director +79851256588 Ask a question

Combining two or more local networks

Networking Tasks:

1. to establish fast, safe and reliable information exchange between several remote offices and branches;

2.Connect mobile employees to the local network, ensuring security connections ;

3. to create a single telephone channel for the branches to save and control costs, ease of switching;

4. create a centralized Internet channel and traffic distribution between branches;

5. take control of the "center" of remote offices.

If you need to solve these problems, the service from ZSC will allow your company to connect all remote branches and employees.

Connecting local networks

When companies need to unite several branches and offices, today it is no longer enough for a contractor to simply set up a centralized local network and establish information exchange.

The client needs complex solution from:

  1. a single telephone channel;
  2. managed internet traffic;
  3. the possibility of automated control and remote technical support branch computers and servers;
  4. free access for remote employees to corporate information.

At the same time, a high degree of security of all these information flows must be ensured.

Today a service for the client local area networks required “under key »- the contractor must carry out each stage of the work independently, with the minimum participation of the customer. As a result, the client needs to provide a centralized branch office management system with all the necessary IT components and control and support tools. We are not talking about a simple VPN - we are talking about virtual unification of remote offices to the "physical" level.

It should not be forgotten that the project combining two or more local networks must be economical, otherwise all of it positive result would be unprofitable.

If you need to accomplish such a merger of branches and remote offices or implement any of its components (unified telephone network, balanced Internet traffic), we are open for cooperation. With vast experience and high qualifications in the digital technology market, we are ready to offer you the most effective and cost-effective option, focused on the specific needs of your business.

Network aggregators

The specialists of our company ZSC work with equipment of any manufacturer. If you have your own routers, we will configure them to connect local networks of remote offices.

Mikrotik networking

In our practice, we use professional equipment from Mikrotik(more economical and popular solution) and Cisco (more expensive and functional solution).

Using the example of Mikrotik equipment, we will analyze the technologies for combining local networks. Despite the relatively low market value compared to analogues, the Mikrotik software platform allows you to configure flexible, secure and functional information exchange channels. The equipment of this manufacturer has proven itself perfectly on our numerous projects and in offices clients. In addition, Mikrotik allows serious budget savings.

Mikrotik routers support up to seven protocols for securely sending information, which is encrypted as separate packets with a second IP header. This header includes the IP address of the recipient and the IP address of the sender. When trying to intercept information, the fraudster sees only this information, while it is impossible to determine the source computer and the destination computer. In case of information leakage, it will take too long to decipher the code, and it is not a fact that it will work out yet. Other options for secure information transfer are also used.

Security protocols:

more details

PPTP(tunnel point-to-point protocol) - used to build dedicated networks on top of open ones. It features high performance, a variety of encryption options and the ability to use various software platforms.

L2TP- Unlike PPTP, it has higher fault tolerance and more reliable security. It is used both for building closed networks within open ones, and for accessing a corporate network from remote devices, as well as for using a variety of connection schemes.

IP2IP- encrypts information in packets and assigns it a separate IP for reliable transmission to the addressee. It is used to build tunnels between routers via the Internet.

PPPOE- works by analogy with PPTP, but is a simpler and less resource-intensive solution.

IPSec- one of the most reliable options for building a closed tunnel. In addition, the information is encrypted; individual keys must be used for reading. This provides a high, two-layer security for data transmission.

VLAN- provides the creation of logical high-speed secure tunnels, which in terms of security are close to the "physical" transmission of information, for example, inside the office through cables.

EoIP- organizes the transparent integration of remote offices and branches over the created virtual channels. Allows you to flexibly configure Internet traffic, individual security policies, balancing and settings for remote branches. To use EoIP, a sufficiently wide bandwidth is required, since the protocol takes up to 15% of the traffic for control.

The combination of different security protocols allows you to build flexible, secure and reliable communication channels and meet specific business needs. If you need maximum security, the IPSec protocol is suitable, and if you need a simpler channel for transmitting encrypted information - PPTP, L2TP, or IP2IP. VLAN and EoIP can be the choice for organizing transparent and controlled logistics of information between branches and offices.

The cost of combining two or more local networks

Provide a unified price list with unambiguous prices for combining two or more local networksthat would apply to all projects is impossible. In the final calculation, a lot depends on the tasks, business needs, the amount of work, the number of Ethernet outlets, the length of the cable, and much more.

However, there are several basic indicators that apply to certain types of work:

Type of work

Units

Price, rub.)*

Installation of a cable channel

m.

120

Cable installationUTP ( cat 5 e) taking into account the group laying

m.

44,48

Installation of corrugations taking into account fastening

m.

Mounting the socketRJ-45

pC.

200

Cable marking taking into account the marked materials

pC.

Installation of CCTV cameras,Wi- Fi points, etc.

pC.

1500

Testing the line for the presence of contact ("ringing")

pC.

Structured system design work

sq. m.

Installation of network equipment

pC.

400

Actual on 16.02.2017 (excluding VAT)

Our specialists and designers are able to create project of combining two or more local networks of any complexity and scale, for specific business needs, to coordinate it with the customer and implement it on a turnkey basis.

Connecting computer networks - how we work:

  • we get the initial data, settings and security policies that work within your company;
  • we integrate them with the settings of the router, we configure the equipment according to the requirements you need;
  • we send the configured router to the remote branch (office) and connect it;
  • we carry out commissioning ;
  • we provide you with a turnkey solution - combining two or more local networks.

For you - everything is elementary simple! And on our side we have vast experience, high qualifications and dozens of completed projects. And all this allows us to work quickly, efficiently and with serious budget savings without compromising quality.

And if you are our client of a complex subscription service for Premium, then this service is provided for you free of charge (only equipment is paid for)!

Let's take a closer look at the individual components of a comprehensive solution "Combining two or more local networks".

Telephony between remote offices

Task : to create a single telephone network with "short" subscriber numbers in remote branches, to ensure cost savings when making calls and control the use of telephone lines, to connect mobile employees to the telephone network, to introduce a single number.

When we connected with a common network Ethernetcentral and remote offices, we have thus formed a single information space. Any data can be transferred inside this space: files, video content, voice content and other information. The most massive segment of information that is transmitted within the company is server data; in second place in popularity - voice and video content.

A single local network allows you to configure equipment in such a way that employees, who can be separated by thousands of kilometers, are in the same office.

Stationary employees

To build a single telephone network between the branches and the "center" it is necessary own digital office PBX, which is installed in the central office. And in branch offices, IP phones are connected, for which IP addresses are configured as if it were a network of one office. The PBX and the remote phone identify each other, after which we assign a "short" number for the remote office. Everything happens as if we just added a new employee at the headquarters.

As a result, your employees begin to work in a single space, no matter how far they are from each other. When an incoming call arrives at the PBX, the telephone exchange "thinks" that you are in the same network and forwards the call, and it is distributed in another city or even country. This provides high level data transmission - communication is carried out through secure encrypted tunnels.

Mobile employees

Mobile employees can also be connected to the company's unified telephone network. To do this, they need to use telephones that support tunneling. An encrypted tunnel is configured inside the smartphone, which "rises" when the phone is connected to wi-Fi networks and is authorized through the prescribed settings from the central PBX in your office.

As a result, your mobile employee enters the corporate telephone network, may have a "short" number for quick switching and use favorable rates to make and receive calls that are configured on your central office.

Advantages of unified telephony between branches:

  • flexible configuration of internal call routing;
  • the ability to use multiple operators and tariffs;
  • the ability to use a single telephone number with subsequent forwarding to branch numbers;
  • significant savings in telephony costs;
  • centralization and control over incoming and outgoing calls.

Among these and many other advantages of a telephone network between remote branches, there are two main ones that have made this service so in demand today: the first- use of multichannel numbers; and, second- savings on telephony costs.

Due to the multichannel nature, calls are comfortably distributed between remote offices. It is enough to simply set up the voice menu so that the client can call a single number and connect to a specific region, city, office or division.

Cost savings are provided by logical routing between several operators that are connected to a single PBX in the central office ... That is, it is enough to correctly configure a telephone exchange in the head office once, connecting several operators to it, in order to reduce telephony costs for the entire branch network of offices. For example, all calls within Russia are made through one IP telephony operator. Analogue calls in Moscow go through unlimited city lines, and long distance calls through a third SIP telephony operator. And so - for each separate type of communication: incoming / outgoing, calls within Russia, within the region, city, long-distance and international calls, from landline and mobile phones.

Our clients, in complex configurations, have from 2 to 5 telecom operators, which ensures the most optimal spending. They need to monitor the correct operation of only one central equipment in order to actually serve dozens of offices and not spend tens of thousands of rubles on the illiterate waste of telephone traffic.

More details about this service can be found in the "Office PBX" section. Find out here exactly how much a company can save by using a central office.

Internet networking

Task : Provide stable, uninterrupted internet traffic at a remote office or branch

When a company has a small branch in another city, its effective work is associated with a constant and stable Internet connection and all business processes stop as soon as the connection is cut off, it is imperative reserve internet channels.

Using modern equipment from MikroTik and Cisco, we are able to ensure that the customer's business processes do not stop and remote branches constantly receive a stable Internet.

Balancing Internet channels of remote offices - what is it?

To accomplish this task, we set up the channels of the primary and backup ISPs. In this case, the reserve can be either a terrestrial additional channel or a more economical channel. mobile operators (Beeline, MTS, Megafon, Yota, Tele2).

In case of failure of the main, as a rule, more powerful one, the channel is automatically switched to the backup channel. With such a switch, the equipment is re-authorized, and in backup channel a tunnel is being raised for secure encrypted data transmission. You must first authorize the equipment in such a way that it is possible to balance between the two Internet channels, depending on their availability.

For the end user, no changes will occur - he will simply continue to use the Internet, which will be temporarily supplied via a backup channel. And our automated system monitoring receives this data, specialists see the information and send a request to the provider of the main channel to fix the problem.

We urge our clients not to save on the backup channel, since the cost of using it (up to 1,000 rubles, depending on the region) will be significantly lower than possible business losses due to interruptions in the only Internet channel.

There are also more complex schemes for balancing the Internet channels of remote offices. For example, Cisco has developed and implemented GRE tunnels. They are familiar tunnels, but the GRE header is overlaid on top of the standard IP packet. Such tunnels allow performing domain authorization within the network.

The balancing option for the Internet channel depends on the specific needs of the customer.

Local networks between remote offices can be used for other connection options, for example, for video conferencingensuring uniform security policy and much more.

We, for our part, are able to ensure such a consolidation of the client's branch network so that his IT infrastructure works without interruptions, so that his business processes do not stop - we are ready to provide you unprecedented resiliency all components.

In many organizations with several branches, it becomes necessary to combine local networks of offices into a single corporate network. Connecting networks will increase business efficiency and reduce the costs associated with the remoteness of offices. Networking remote offices of the company allows you to solve the following tasks:

  • Work of employees of all offices in a single database (for example, 1C)
  • Providing access for remote employees to shared corporate resources of the company via the Internet (remote access to the network)
  • Fast and convenient data exchange between employees of remote offices

Connecting networks is carried out via public Internet networks, in view of this, the issue of security of the interconnection of networks and the confidentiality of transmitted information arises. VPN (Virtual Private Networks) technology is used to securely and securely connect the two networks over public communication channels.

VPN setup (Virtual Private Networks)

VPN setup (Virtual private networks) between company offices (network interconnection) provide encryption of transmitted data. Depending on the needs of the customer and the existing IT infrastructure, a VPN network can be created on the basis of a software or hardware complex. A fairly common way to create a VPN network is to configure a VPN based on software package, which, in addition to implementing a VPN network, can serve as a firewall and filter network traffic.

Remote access to a computer

The main goal of combining local networks of offices is to provide transparent access to geographically distributed information resources of the organization. Consolidation of office networks allows to solve the following, the most common tasks:

  • use a single numbering capacity of the office PBX;
  • ensure user authorization to access resources (shared folders, intranet site, email etc.) regardless of their current location;
  • to provide secure access for employees of the organization to resources located in different offices (for example, to ensure that employees work with the 1C-enterprise server installed in one of the offices);
  • work on a remote computer using terminal access (remote desktop control);
  • increase the efficiency and responsiveness of the technical support service due to the ability to remotely manage computers, servers and other equipment, as well as the effective use of built-in Windows tools to provide assistance - Remote Assistant.

Methods for implementing the integration of office networks

In order to unite local networks of offices and remote branches, the technology of virtual private networks - VPN (Virtual Private Network) is used. This technology is intended for cryptographic protection of data transmitted over computer networks... A VPN is a collection of network connections between multiple VPN gateways that encrypts network traffic. VPN gateways are also called cryptographic gateways or crypto gateways.

There are two methods of building a single secure corporate network of an organization:

  1. using equipment and an appropriate set of services of an Internet provider;
  2. using our own equipment located in the head office and branches.

VPN and services are provided by the internet provider

This solution is applicable if the head office and branch offices are connected to the Internet through the same ISP. If the branches of the company are scattered throughout the cities, and even in different countries, there is hardly a provider who can provide you with the required level of service, and even for reasonable money.

If your offices are located within the same city, check with your Internet provider if they can provide the interconnection of the local networks of your offices into a single network. Perhaps this solution will be optimal for you in terms of cost.

Consolidation of networks of offices and branches on their own

The method of combining two networks using VPN technology is called "Peer-to-Peer VPN" or "site-to-site VPN" in the English-language literature. A "transparent encryption" mode is established between the two networks. For encryption and transmission of traffic in IP networks, the IPSec protocol is most often used.

To organize VPN connections (VPN tunnels) between the central office and branch offices of small companies, we recommend using hardware Internet gateways (firewalls) with built-in VPN support. An example of such gateways can be ZyXEL ZyWALL, Netgear Firewall, Check Point [email protected] , etc. This product class is designed for use in small companies with average number staff from 5 to 100 people. These devices are easy to configure, have high reliability and sufficient performance.

Organizations' headquarters often install software-based integrated network security solutions such as Microsoft Internet Security and Acceleration Server 2006 (Microsoft ISA 2006), CheckPoint Express, CheckPoint VPN-1 Edge, and others. To manage these protections, highly qualified personnel are required, which, as a rule, are either available at the head office or borrowed from the outsourcing company.

Regardless of the equipment used, the general scheme for constructing a Peer-to-Peer VPN for securely combining local networks of remote offices into a single network is as follows:

It should also be noted that there are specialized hardware crypto-gateways, such as Cisco VPN Concentrator, Continent-K, and others. Their area of \u200b\u200bapplication is medium and large companieswhere you need to provide high performance encryption of network traffic, as well as accessibility. For example, to provide data encryption in accordance with GOST ("Continent-K").

What you need to pay attention to when choosing equipment

When choosing equipment for organizing a virtual private network (VPN), you need to pay attention to the following properties:

  1. the number of simultaneously supported vpn tunnels;
  2. performance;
  3. the ability to filter network traffic inside a vpn tunnel (this function is not implemented in all Internet gateways);
  4. qoS quality management support (very useful when transmitting voice traffic between networks);
  5. compatibility with existing equipment and applied technologies.

Hardware solutions

Benefits of solutions built on low-cost hardware Internet gateways

  • Low cost;
  • High reliability (no need for backup, nothing breaks down when the power is turned off);
  • Ease of administration;
  • Low power consumption;
  • Takes up little space, can be installed anywhere;
  • depending on the chosen platform for building a VPN, it is possible to install additional services on the vpn gateway: anti-virus scanning of Internet traffic, detection of attacks and intrusions, etc., which significantly increases general level network security and reduces the total cost of the solution comprehensive protection networks.

disadvantages

  • The solution is not scalable, the increase in performance is achieved by a complete replacement of equipment;
  • Less flexible in settings;
  • Integration with Microsoft Active Directory (or LDAP) is generally not supported.

Software solutions

Benefits of software solutions

  • Flexibility;
  • Scalability, i.e. the ability to increase productivity as needed;
  • Tight integration with Microsoft Active Directory (Microsoft ISA 2006, CheckPoint)

disadvantages

  • High price;
  • Complexity of administration.

Where to begin

Before purchasing a selection of hardware and software (hereinafter referred to as software) for the implementation of a project to integrate local networks of offices into a single network via VPN, you must have the following information:

  1. Define topology:
    • Meshed - each site can automatically establish an encrypted connection with any other site;
    • Star - Affiliates can establish secure connections to the central site;
    • Hub and Spoke - Branches can connect to each other through the hub of the central site;
    • Remote Access (remote access) - users and groups can organize secure connections to one or more sites;
    • Combinations of the above methods (for example, a Star with Meshed Center topology, in which branch offices can communicate with all members of a central VPN that has a fully meshed topology).
  2. Number of branches (how many concurrent VPN connections the head office equipment should support);
  3. The number of users in the central office and in each branch;
  4. What equipment and / or software is used in each branch (data is necessary to take into account the possibilities for using existing equipment and / or software);
  5. Data on connecting branches to the Internet: IP address assignment - dynamic or static, communication channel speed;
  6. Which approach to information security management (network perimeter protection, anti-virus security) will be applied: centralized management of the head office and branches by one security administrator (system administrator), or each branch has its own system administrator.

To minimize threats of penetration into the network of the central office, it is necessary to pay due attention to the protection of the networks of the branch offices. Using a VPN does not guarantee reliable protection against intrusion unless branch networks are also well protected. If an attacker can gain unauthorized access to the branch office network, then he can also gain access to information system the head office, since the head office and branch networks are combined into a single network via VPN.

Exchange of data between remote divisions of the same organization always requires time and sometimes complex technical manipulations. Today, such inconveniences are quite simple to eliminate, which means that you can increase the productivity of the enterprise as a whole by combining its branches and remote offices into a single infrastructure. This can be done by combining offices into a common corporate network.

The Bit & Byte company offers setting up a single VPN-network to all organizations with representative offices, including in other cities. Indeed, most often the specificity of their activities is such that the branches have to exchange information and look into each other's databases on a daily basis. General software all local networks - this is the most practical and rational way of organizing the operational exchange of information and the possibility of remote enterprise management.

What you get by connecting offices into a single network

The service of combining offices into a single network provides for the creation of a full-fledged network between two or more divisions (branches, offices) of one enterprise, which is created for the prompt exchange of protected information based on VPN protocols. In the current conditions of business development, such corporate networks especially relevant, as they make it possible to improve the management of an enterprise and its territorial branches.

By uniting all branches of your enterprise into a single network, you can:

  1. manage a network of offices remote from each other via the Internet, gaining access to the equipment of each of the branches;
  2. create a central database and use it, which is very convenient for managing a network of offices;
  3. provide access for all departments to the internal resources of the enterprise without the risk of information loss.

Connecting offices by creating a single network is not a service big money... It can be configured at the main server level by purchasing additional VPN access points. Before combining the office networks, you will be prompted to check and process all the information. This will keep all data from the branches secret to protect it from hacking.

Combining offices into a single network is beneficial

Today, more and more enterprises are resorting to interconnecting office networks, and not only because it is convenient and secure. The purpose and task of such an association is also the benefit received from such a service:

  • costs are noticeably reduced, because the need for maintenance in each office disappears, and the resources of the central server become available for each branch;
  • when obtaining a software license, the benefits are also tangible;
  • all offices use information resources each other, regardless of where this or that branch is located;
  • there is no need for a large staff of technical specialists, because the vast majority of problems are solved remotely;
  • you will be able to conduct videoconferences, seminars and meetings with all departments at the same time, and this is a significant time savings.

In addition, the document flow between branches is as safe as possible, thanks to special data processing.

How office networks are merged