Sonnenschein built its first VPN-based war room last year during a litigation case for Prudential Life Insurance Co. Twenty attorneys flew to Miami for the court date and set up shop in their hotel suite, complete with workstations, servers, a Nokia/Check Point firewall appliance, a Cisco VPN router and a T1 (1.5 Mbps) link to the firm's VPN, which was still under construction. The LAN also had wireless support, so attorneys could roam from room to room in the suite.
The three-month remote setup was a step up for the attorneys, who were used to working on briefings, notes and other documents individually on their laptops, dialing up to the home office with client-based remote-access VPN software. "Working in the war room was just like working in the home office," says Adam Hansen, lead information security engineer for Sonnenschein, which has 500 attorneys in nine offices nationwide. The firm, whose other big-name clients include IBM and Sun Microsystems, specializes in business litigation, intellectual property and technology issues.
Sonnenschein went with the VPN to decentralize its operations. And while the VPN cost about $200,000 to set up, it will save the firm money over the long run by eliminating expensive point-to-point connections. The old WAN configuration also had a single point of failure: Sonnenschein's Chicago hub housed many of the firm's main applications, including Lotus Notes and a SQL-based document-management system. The new VPN has backup firewalls and routers at each site. It runs over WorldCom's Internet service, with Cisco 2610 routers and Nokia IP330 appliances running Check Point software as the firewalls.
But the VPN's debut wasn't exactly smooth. When the VPN first went live in late April, some traffic was routed asymmetrically: a portion of the IP packets in a flow took a different path from the rest, and those flows broke. That left Sonnenschein's attorneys at the home offices unable to run some of their SQL-based applications. So Hansen temporarily rerouted the traffic to the firm's backup private network while he and the IT staff added BGP (Border Gateway Protocol) to the firewalls.
The problem stemmed from Sonnenschein's strategy of keeping BGP off its firewalls so only the routers had to make routing decisions. "Enabling BGP in the firewalls adds overhead, since BGP tends to load things into memory," Hansen says. The idea was to minimize the latency associated with heavy SQL-based traffic. With BGP now running on the Nokia/Check Point firewalls, the devices take a slight performance hit, Hansen says, but Sonnenschein's users don't notice it.
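The article does not spell out why asymmetric paths broke the SQL sessions, but the usual mechanism with stateful firewalls such as Check Point is that the firewall on the return path never saw the connection start and drops the reply. The toy model below is an added illustration of that failure mode and of why giving both firewalls the same routing view fixes it; it is not Sonnenschein's configuration or code, and the site names, prefixes, ports and routing preferences in it are constructed for the example.

```python
"""Toy model: a stateful firewall drops the return half of a flow it never saw
start. Added illustration, not Sonnenschein's configuration or code. The
prefixes, hosts, ports and routing preferences are constructed."""
from dataclasses import dataclass, field
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "SYN", "SYN-ACK" or "ACK"


@dataclass
class StatefulFirewall:
    """Permits new TCP connections to the SQL port, then only packets that
    match a connection this firewall has already recorded."""
    name: str
    allowed_dports: frozenset = frozenset({1433})
    state: set = field(default_factory=set)
    drops: list = field(default_factory=list)

    def accept(self, p: Packet) -> bool:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "SYN" and p.dport in self.allowed_dports:
            self.state.add(fwd)          # new connection: record it
            return True
        if fwd in self.state or rev in self.state:
            return True                  # belongs to a known connection
        self.drops.append((self.name, p.flags))
        return False


def next_hop(routes: dict, dst: str) -> str:
    """Longest-prefix match over {prefix: firewall_name}."""
    ip = ipaddress.ip_address(dst)
    matches = [(n, fw) for n, fw in routes.items()
               if ip in ipaddress.ip_network(n)]
    return max(matches, key=lambda m: ipaddress.ip_network(m[0]).prefixlen)[1]


def chicago_routes(firewalls_run_bgp: bool) -> tuple:
    """Constructed routing tables at the hub site: which firewall the
    ISP-facing router uses for traffic entering the site, and which one the
    inside router uses for traffic leaving it."""
    outside = {"10.2.0.0/16": "fw-a"}   # BGP picks fw-a as the entry point
    if firewalls_run_bgp:
        # The firewalls advertise the remote-office prefix they learned over
        # BGP, so the inside router's best route back to the client is the
        # same firewall the traffic entered through.
        inside = {"10.1.0.0/16": "fw-a"}
    else:
        # Firewalls carry only static routes; the inside router was pointed
        # at the backup firewall for that prefix and nothing reconciles the two.
        inside = {"10.1.0.0/16": "fw-b"}
    return outside, inside


def simulate_sql_connection(firewalls_run_bgp: bool) -> dict:
    """A remote client (10.1.0.5) opens TCP/1433 to the hub SQL server
    (10.2.0.10). Returns whether the handshake completed and what was dropped."""
    fws = {"fw-a": StatefulFirewall("fw-a"), "fw-b": StatefulFirewall("fw-b")}
    outside, inside = chicago_routes(firewalls_run_bgp)
    client, server = "10.1.0.5", "10.2.0.10"
    handshake = [
        Packet(client, server, 40000, 1433, "SYN"),      # enters via outside router
        Packet(server, client, 1433, 40000, "SYN-ACK"),  # leaves via inside router
        Packet(client, server, 40000, 1433, "ACK"),
    ]
    path = {client: outside, server: inside}  # router that sees the packet first
    for p in handshake:
        fw = fws[next_hop(path[p.src], p.dst)]
        if not fw.accept(p):
            return {"completed": False, "failed_at": p.flags,
                    "via": fw.name, "drops": fw.drops}
    return {"completed": True, "failed_at": None, "via": None, "drops": []}


if __name__ == "__main__":
    for bgp in (False, True):
        print(f"BGP on firewalls={bgp}: {simulate_sql_connection(bgp)}")
```

Without BGP on the firewalls the SYN enters through fw-a, the SYN-ACK leaves through fw-b, and fw-b drops it because it has no state for the connection; with both firewalls sharing the routers' view of the best path, every packet of the flow crosses the same device and the handshake completes. The model deliberately ignores state synchronisation between firewalls, which is the other way out of this problem.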
The Miami war room wasn't susceptible to the routing-loop problem because Sonnenschein had previously reconfigured the firewall there with BGP. Sonnenschein will use the same equipment, but with reconfigured IP addresses and occasional software updates, for each future war room. "We always have a unit staged and ready to go," Hansen says. "We're prepared for multiple, simultaneous war rooms, and we can deploy them as rapidly as needed."
The next big step for Sonnenschein's VPN is voice and streaming media, Hansen says. Sonnenschein's attorneys already send video depositions over the Internet in real time and plan to stream video clips to co-workers and clients for training and other purposes. Says Hansen: "We are looking to push content closer to our users."
On the Job
- Hansen's biggest challenges in setting up the firm's war room: Time, and working with telecom providers to provision and test the circuit within our timeline.
- Biggest hurdle in building the VPN: Deciding which routing protocol to use, where to use it, and getting the entire system to make dynamic routing decisions for various traffic types. It's harder than it sounds to make the planning decisions, and determining the design is even more complex.
- Next time I build a VPN, I will: Address the routing protocol as a critical issue and not underestimate its complexity. A multisite solution becomes exponentially complex when there's redundancy for the overall WAN architecture at and between each office, as well as support for client-based VPNs at every entry point and dynamic failover.
- Job Perks: Reaching consensus among diverse groups of people and motivating them to think about security without being told they have to. I also enjoy incident response and forensics.
- My next job: Information security management.