In this guest post, our customers Kelley Parkes, Director of Technical Operations, and Dave Rupert, Systems Engineer, at First Source describe how their company built a site-to-site VPN with SonicWall NSAs and TZs to enable secure collaboration and failover protection for sites spread across the country.
When your company grows by acquisition, the way ours does, your IT group has to run fast and hard just to keep up with more users, more sites, more remote connections and a secure perimeter that keeps expanding.
We’ve recently switched from keeping-up mode to being ahead of the curve thanks to a combination of our own internal expertise, SonicWall next-generation firewalls and implementation help from Cerdant. I figured a lot of the people following Tech Center are in the same boat, so I asked SonicWall to let me share what we’re doing.
An expanding security perimeter
Our company is a nationwide distributor of specialty foods and confections from manufacturers like Godiva, Ghirardelli and Lindt. When you buy candy at Walmart, Cracker Barrel and Bed Bath & Beyond, chances are it comes from First Source.
We started out with sites in Virginia and Tennessee. We merged with a company in Buffalo, New York, and then we acquired a California location. Now we cover the entire country with around 500 employees in four main warehouses, two remote warehouses, one retail store and our data center. That means that our security perimeter covers eight locations from one coast to the other.
We had been using the ZyXEL 35, which has a very simple firewall application. However, when we looked at the roadmap of functions we wanted to offer the business, we knew the ZyXEL wouldn’t handle enough of them:
- Remote computing: We had no secure VPN for remote users. We used simple port forwarding over the ZyXEL firewall to give users remote desktop access. That offered some security, but nothing near the encryption level we wanted from a secure VPN.
- Protection beyond the perimeter: There was no mobile security for users connecting on BYO devices outside of our perimeter.
- Quality of service for VoIP: We plan a move to voice over IP soon, so besides network security we needed the ability to carve out QoS for that.
- Content filtering: We wanted the ability to block access to sites that waste time and devour bandwidth. Even more important for PCI compliance, we needed to be able to check any personally identifiable information or outgoing data that looks like a credit card number or a Social Security number.
And then strategically, we wanted everybody to be able to collaborate across the same network. For all of these reasons, we decided to build out a site-to-site VPN.
How to build a resilient, site-to-site VPN
We knew we were going to upgrade from the ZyXEL, so we looked at products from vendors like Cisco and Barracuda. We ended up selecting SonicWall NSA and TZ Series next-gen firewalls, mostly because of their secure VPN, which would make it easier for all of us to log in remotely anytime from anywhere and access in-house files, applications and printers. The support team at SonicWall pointed me to Cerdant and we chose them as our implementation partner.
Cerdant is dedicated to SonicWall operation and applications, and they’ve given us good ideas based on our needs. The hardware inventory for our site-to-site VPN goes like this:
- NSA 4500 in Virginia
- NSA 3500 in Tennessee
- NSA 3600s in California and New York
- TZ 205s in each of the remote warehouse locations, at our retail store and at the data center
All of our SonicWall firewalls are connected by MPLS and business-class high-speed internet circuits. We’ve used them to create a primary, internal, closed-loop network over dedicated, fiber-optic MPLS lines (10 Mbps), which cost about $1,500 per month per site on average. We lease a secondary loop over standard ISP circuits (100 Mbps down, 20 Mbps up) for about $350 a month. (The retail store connects through its local cable provider for about $75 a month.) The secondary is a fallback loop in case the MPLS connection drops for a few minutes or a few hours.
The best part is that the SonicWall firewalls can use a probe to detect when the primary connection goes down and can automatically failover to the secondary loop. In fact, I can think of three or four times in the last year that the MPLS loop has dropped for anywhere from ten to 40 minutes and we’ve flipped over to that secondary network of internet connections.
Cerdant has been a great partner for us. They’ve automated the SonicWall firewalls to fail over from the primary to the secondary loop, and then back to the primary after our carrier has restored the MPLS connection.
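As an added illustration (not First Source's configuration and not SonicWall code), here is a small Python model of the probe-driven failover and failback described above: a periodic probe of the primary MPLS loop, failover to the ISP loop after several consecutive failures, and failback only after the primary stays healthy. The probe thresholds, loop names and probe trace are assumptions constructed for the example.

```python
"""Probe-driven WAN failover model (added illustration, not vendor code).

Models the dual-loop design in the post: a primary MPLS path and a
secondary ISP path. The primary is declared down after N consecutive
failed probes and restored only after M consecutive successes, so one
lost probe does not flap traffic between loops. Thresholds are assumptions."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class FailoverMonitor:
    down_after: int = 3       # consecutive failures before failover (assumption)
    up_after: int = 5         # consecutive successes before failback (assumption)
    active: str = "mpls"      # loop currently carrying traffic: "mpls" or "isp"
    fails: int = 0
    oks: int = 0
    events: List[str] = field(default_factory=list)

    def probe(self, primary_ok: bool, t: int) -> str:
        """Feed one probe result for the primary path; return the active loop."""
        if primary_ok:
            self.oks += 1
            self.fails = 0
        else:
            self.fails += 1
            self.oks = 0
        if self.active == "mpls" and self.fails >= self.down_after:
            self.active = "isp"
            self.events.append(f"t={t}: primary down, failover to ISP loop")
        elif self.active == "isp" and self.oks >= self.up_after:
            self.active = "mpls"
            self.events.append(f"t={t}: primary restored, failback to MPLS")
        return self.active


def run(probe_results: List[bool]) -> Tuple[List[str], List[str]]:
    """Replay a probe trace; return the active loop per tick and the events."""
    mon = FailoverMonitor()
    path = [mon.probe(ok, t) for t, ok in enumerate(probe_results)]
    return path, mon.events


# Constructed probe trace: one blip, then a sustained outage, then recovery.
TRACE = [True, True, False, True, True,          # single lost probe: no failover
         False, False, False, False, False,      # sustained outage: fail over at t=7
         True, True, True, True, True, True]     # recovery: fail back at t=14

if __name__ == "__main__":
    path, events = run(TRACE)
    print(path)
    for e in events:
        print(e)
```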
As I mentioned, we went with SonicWall firewalls mostly because of the secure VPN. I’m very glad we’ve also gotten a self-healing, double-loop network in the bargain.
Saved about $20,000 on hardware alone
We’ve seen other big advantages to deploying SonicWall throughout the company: operational, IT and financial advantages.
On the operations side, it’s been much easier to support our service level agreement, which is our commitment to users that we’ll keep our systems up and running. With the double-loop network, we don’t lose connectivity between locations, so we have full business continuity in the event our network fails.
From an IT perspective, we’ve gotten so much more than just firewall hardware. We reap the benefits of SonicWall features like deep packet inspection, gateway antivirus, anti-spyware, bandwidth management, content filtering and secure VPN, as well as SonicWall’s continuous threat research.
Financially, we’ve saved $5,000 to $6,000 per location on load balancing equipment. Our self-healing, double-loop network configuration required load and link balancers, and we get those functions from the SonicWall firewalls, in addition to all of the firewall security features they offer. That has saved us at least $20,000 in building out our network.
When I first started this project, I researched several forums and saw other sys admins and IT managers trying to figure out how to connect multiple sites and asking questions about failover protection and the best type of connectivity. I could see that many of my counterparts aren’t happy with what they have in place. We’re very pleased with what we’ve implemented with SonicWall and Cerdant, and I wanted to describe it as a viable option for configuring a resilient network.
How do you connect your remote locations? What site-to-site VPN configuration works for you? Let me know in the comments below.