comp.dcom.vpn | VPN protocols, clients, awesomeness | 2,348 messages
Message 2,280 of 2,348
jack masters to Larry Erickson
Re: vpn hardware solution
11 Sep 08 20:12:11
From: jcfmasters@yahoo.com

Larry Erickson wrote:

> Thanks a lot for your response. It is nice to know that other people
> have similar situations. I am pretty unfamiliar with virtual machines
> so I have a couple more questions. First, what is the reason most
> customers will not let you connect directly to the internet? Is it
> security, cost, or another reason? Is there anything that can be done
> to make this idea more appealing to customers? Also if you could
> connect directly to the internet, what would be the best way to
> remotely connect?

Various security concerns; from the customers' point of view: "There is something on my network that is connected directly to the internet; I have no control over setup, security updates etc., so I am not happy." If you do not have to be connected to the customer's own network (e.g. for SCADA systems that the customer wants to see from his desktop) there is normally no problem besides the cost of a separate connection. If there *is* a need to be connected to the customer's network, the best solution is to have the customer put in a firewall between your network and theirs. That puts updates and firewall maintenance responsibility on them too ;)

> We do like to keep all of our static IP address layouts the same
> across all our installations. As far as the virtual machine solution
> goes, what do you recommend using for a windows platform. I think you
> were saying to set up our normal network setting on our main pc, and
> then install a virtual machine on that pc also which the customer's IT
> department installs their VPN link software. We then connect through
> the VPN to our pc's virtual machine, in which we can access our other
> network devices somehow.

Correct. We use VMWare, it is OS-independent for what we use (Windows VM running under Linux or Windows). Install VMWare on a laptop, let the customer play around in a VM to set up VPN, and copy the VM off the laptop later. On the server in the office you end up with a collection of VMs; if customer X needs support, fire up the VM for customer X and connect. Caveat: most VPNs restrict any other network access as long as the VPN is connected, so if you have to copy files back and forth between office and site you have to copy them to the VM first, connect, then copy to site.

> In your last paragraph, are you saying that we should always be using
> two network cards, or use a hardware solution that can provide the
> same thing? Sorry for all the questions, and again thanks for
> responding.

Matter of personal preference, and budget. I prefer a separate device (e.g. I can also use it as a DHCP server for connecting laptops on-site, and set it up as a proper firewall between control network and generic office network), but a solution with two network cards, one inside the customer's network and one on the control network, can work too. Beware of routing pitfalls if the customer's IP ranges overlap yours.

If you have the customer give you VPN access they might even be able to put a firewall/router in that gives you direct access; otherwise you will have to set things up so that you have access through their VPN to a single IP address on the second network card, run a VPN or SSH server on your machine, and route through there into the rest of the control network.

Standard boxes exist that can do this (Cisco ASA series comes to mind; other brands have similar things, but there you are talking fairly serious money). If you have the expertise in-house (or can borrow it from somewhere) to set up a small Soekris board it might be more cost-effective.

And nobody says you can't have a back-up modem line attached to the same box, as a back-up in case the VPN doesn't work. At one site we have a little GSM modem that has come in handy when somebody dug up both the primary *and* the back-up network lines near a customer's site.

All in all, it depends on how much money you want to spend, and how much time in setting it up. A second-network-card solution might be a bit of a pain to get set up, but if it is well-documented you start seeing the savings with the next site.

J.

--- SoupGate-Win32 v1.05
 * Origin: you cannot sedate... all the things you hate (1:229/2)
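The "routing pitfalls if the customer's IP ranges overlap yours" warning in the post above is easy to hit with the two-network-card layout: once the customer's VPN client installs a route for their LAN, the host's routing table decides by longest prefix match, and a control network that sits in the same range either loses or ties. The following is an added example, not code from the post or its author; all address ranges in it are constructed, and the interface names vpn0/eth1 are assumptions. It checks a site's planned ranges for overlap, simulates which interface a control-network host's traffic would leave by once the VPN route is present, and picks a non-overlapping range when a site needs renumbering.

```python
import ipaddress
from itertools import combinations

# Constructed sample addressing (assumptions, not from the post), chosen so the
# customer's VPN-pushed route collides with the control network on NIC 2.
OFFICE_NET = "192.168.1.0/24"     # office LAN, NIC 1
CONTROL_NET = "192.168.10.0/24"   # control network, NIC 2
CUSTOMER_NET = "192.168.10.0/24"  # route installed by the customer's VPN client


def _net(n):
    """Accept either a string like "10.0.0.0/8" or an existing network object."""
    return ipaddress.ip_network(n, strict=False)


def overlapping_pairs(named_nets):
    """Return (name_a, name_b) pairs whose networks overlap, in dict order."""
    return [
        (name_a, name_b)
        for (name_a, net_a), (name_b, net_b) in combinations(named_nets.items(), 2)
        if _net(net_a).overlaps(_net(net_b))
    ]


def next_hop(routes, dst):
    """Longest-prefix match over routes = [(network, interface), ...].

    Returns the interface, "ambiguous" when two equally long prefixes both
    match (the overlap pitfall), or None when no route covers the address.
    """
    dst = ipaddress.ip_address(dst)
    matches = [(_net(net).prefixlen, iface) for net, iface in routes if dst in _net(net)]
    if not matches:
        return None
    longest = max(plen for plen, _ in matches)
    winners = {iface for plen, iface in matches if plen == longest}
    return winners.pop() if len(winners) == 1 else "ambiguous"


def control_reachability(customer_net, control_net, hosts):
    """For each control-network host, which interface its traffic leaves by
    once the customer's VPN route sits next to the NIC-2 route."""
    routes = [(customer_net, "vpn0"), (control_net, "eth1")]
    return {h: next_hop(routes, h) for h in hosts}


def pick_nonoverlapping(candidates, taken):
    """First candidate range that overlaps none of the ranges already in use,
    e.g. when choosing a control-network range for a new site."""
    taken = [_net(t) for t in taken]
    for cand in candidates:
        cand_net = _net(cand)
        if not any(cand_net.overlaps(t) for t in taken):
            return cand_net
    return None


if __name__ == "__main__":
    nets = {"office": OFFICE_NET, "control": CONTROL_NET, "customer": CUSTOMER_NET}
    print("overlapping ranges:", overlapping_pairs(nets))
    print(control_reachability(CUSTOMER_NET, CONTROL_NET, ["192.168.10.5", "192.168.10.200"]))
    print("renumber control net to:",
          pick_nonoverlapping(["192.168.10.0/24", "10.200.0.0/24"], [OFFICE_NET, CUSTOMER_NET]))
```

Run this before the customer's IT department configures the VPN client in the VM: if `overlapping_pairs` reports the control network against the customer's range, the hosts behind NIC 2 will be unreachable (or, with a more specific customer prefix, silently routed into the customer's LAN) while the VPN is up, and renumbering the control network is cheaper than debugging it on site.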