The goal of the VPN is to secure Futurestep's e-mail and file-sharing applications, which typically include sensitive job and job-candidate information, such as job searches and resumes for the company's clients -- Sara Lee Corp. and Ernst & Young among them. Futurestep specializes in filling midlevel executive positions.
But securing Futurestep's VPN wasn't as simple as building it. There were some wrinkles with IPsec (IP security), the protocol that encrypts the transmission among Futurestep's routers. Because IPsec doesn't pass routing protocols, Futurestep instead encapsulates it in Cisco Systems' GRE (Generic Routing Encapsulation) tunneling protocol, which carries its routing-table updates.
The company also runs redundant T1 and router connections at its hub sites in Sherman Oaks, Calif., Hong Kong and London. The GRE tunnel lets Ingino and his team run Cisco's EIGRP (Enhanced IGRP), which sends traffic to another tunnel if a link is lost and provides redundant access points for the company's major locations, he says.
Still, tunneling has its trade-offs. "Tunneling makes it harder for a router to determine the best route for a packet, so we manually set delays in the tunnel so the router won't select an incorrect route," Ingino says. "We decide which route is the primary one and add a higher cost to the secondary tunnel so the router chooses the primary one."
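The GRE-over-IPsec design and the tunnel-delay trick described above, shown as a Cisco IOS configuration for one spoke router with a primary and a secondary GRE tunnel to the hub. This is an added illustration, not Futurestep's configuration: all addresses, the pre-shared key placeholders, the EIGRP AS number and the interface names are constructed assumptions, and the 3DES/SHA-1 transform set reflects the article's era rather than current practice.

```cisco
! Added example, not Futurestep's configuration. All addresses, keys and
! AS numbers are constructed placeholders.
!
! IKE phase 1 and the IPsec transform set that protects the GRE tunnels
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK-1 address 203.0.113.2
crypto isakmp key PLACEHOLDER-PSK-2 address 203.0.113.3
crypto ipsec transform-set GRE-SET esp-3des esp-sha-hmac
!
! Crypto ACLs select only the GRE traffic to each hub endpoint, so the
! routing updates carried inside GRE are what IPsec encrypts
ip access-list extended GRE-TO-HUB-A
 permit gre host 203.0.113.1 host 203.0.113.2
ip access-list extended GRE-TO-HUB-B
 permit gre host 203.0.113.1 host 203.0.113.3
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set GRE-SET
 match address GRE-TO-HUB-A
crypto map VPN 20 ipsec-isakmp
 set peer 203.0.113.3
 set transform-set GRE-SET
 match address GRE-TO-HUB-B
!
! Primary tunnel keeps the default tunnel delay, so EIGRP prefers it
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 203.0.113.2
!
! Secondary tunnel gets a manually raised delay (tens of microseconds),
! which increases its EIGRP metric; it carries traffic only when the
! primary tunnel or its underlying link is lost
interface Tunnel1
 ip address 10.255.0.5 255.255.255.252
 delay 100000
 tunnel source 203.0.113.1
 tunnel destination 203.0.113.3
!
interface Serial0/0
 ip address 203.0.113.1 255.255.255.248
 crypto map VPN
!
router eigrp 100
 network 10.0.0.0
 no auto-summary
```

One check worth making on such a design: the tunnel destination addresses must never be learned through the tunnels themselves, or the tunnel flaps with a recursive-routing error; keep the 203.0.113.0/29 reachability on the underlying ISP path.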
There also were some challenges with running multiple versions of Cisco's IOS in the VPN. One of Futurestep's firewall routers in London crashed when the company rolled out the IPsec function: An encryption module on the routers wouldn't run with the firewall features. In Futurestep's Sherman Oaks site, meanwhile, the firewall software on the 7100 router malfunctioned because of a bug that allowed telnet access. "Although the firewall was configured properly, you could still telnet into the router," Ingino says. Cisco corrected the problem with a software update.
The encryption process, meanwhile, had begun draining CPU cycles in Futurestep's routers. So the company recently installed Cisco's new hardware-based encryption engine, VPN Aim, which off-loads encryption processing from the router software. The Aim modules have reduced CPU utilization by about 20 percent, according to Ingino.
Futurestep also is rolling out Cisco's Secure IDS (intrusion-detection system) for the VPN. The firewall and IDS sensor functions will run on each of the Cisco routers, with additional IDS sensors at Futurestep's data center and Sherman Oaks site. The IDS sensors feed information to a Microsoft Windows NT-based policy manager, which records and logs all transactions and attacks. "First we secured the network, and now we are able to detect break-ins and attempts," Ingino says. Futurestep's Altiga Access Concentrator 3005s that connect its remote sites also authenticate users with NT Server's domain-authentication feature.
In all, Futurestep spent about $3,500 for each of the 35 VPN-connected sites, and the company estimates that it has saved more than $30,000 a month in access charges. Key to the global VPN was putting most of its sites on a common ISP backbone -- most of the sites run on UUNet -- which provides optimum routing, Ingino says.