Originally Posted by Samir
That IT provider was simply bsing because they didn't know anything about VPNs outside of consumer stuff. VPNs are actually safer than any other method. Why? Glad you asked.
Anytime you expose anything to the Internet, it's an attack vector for malware, hackers, etc. But the only way to print remotely is to expose the printer somehow (unless it's dialing up to a cloud or something, but that's another attack vector).
An IPsec VPN tunnel between two points is like just throwing a router in between them from a functional perspective. Each end has its own subnet range (which needs to be different from the others), so if there are 3x physical church buildings then 192.168.1.1, 192.168.2.1, 192.168.3.1 would work.
Each site will be able to ping any IP on the other end (when nothing is preventing it) over their Internet connection. There is latency involved between the two sites since they're not local anymore, but it's tolerable if it's under 100ms (and for printing, tolerable even 10x more than that). So in our example, a computer on 192.168.1.x can ping a printer at 192.168.2.x and 192.168.3.x as if they were local. Neat, right? (Some of you see where I'm going with this...)
Well, since you can ping them, you can print to them. Not only that, you can hit their web interface as if you were local, you can use them to scan to the computer on the other side--in short, you can do anything you could on a local network. And all of this behind the security of an IPsec VPN tunnel. But what is the magic in that tunnel? Glad you asked.
An IPsec VPN tunnel is a point-to-point connection between two routers on the Internet. They use the IPsec standard, which is the de facto standard in enterprise and everywhere else for security because it has some crazy high bit security options as well as insane re-key timing if you want it (how about 4096-bit every 30 seconds? or every 5 minutes?--an encryption algorithm that will take a theoretical quantum computer to break). You can send anything inside this tunnel and it is secure from the outside even though it is traversing the public Internet. The tunnel is created and 'maintained' by the routers on each end of the tunnel. They're not normal routers, but most business class equipment has IPsec tunnel capability built-in. And if not, there are some stupid cheap VPN routers that are available like the TL-R605 that can replace whatever is in place. (There are ways to get a tunnel to work behind another router, but it's hit or miss--I've done it before and it's more complicated from a network perspective even when it is possible.)
So all 3 church sites could be connected via an IPsec tunnel and then their 3 networks essentially behave like one large one. Printers and computers could talk to each other from any of the 3 sites as well as other IP stuff like cameras, video, RDP, you name it. It opens the doors to a lot more productivity, and also is more secure from the outside than punching holes in existing firewalls to let data in or out.
Oh, and this is how we share our Brother machines and use the Scan to FTP feature. Even on these ancient machines that pre-date scan to folder options, we're able to scan from one site to a server in another location, and print as well. We also use the tunnel for so much more since you don't need something that is 'Internet capable' to be remotely accessible.
Some food for thought. Feel free to ask questions.
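Added example, not part of Samir's post: a small Python planner for the three-site setup described above. It assumes the LAN ranges from the post, placeholder WAN addresses from the RFC 5737 documentation range, and a generic policy-based IPsec router; the site names and function names are made up for this illustration.

```python
import ipaddress
from itertools import combinations

# Constructed plan for the three church sites in the post. LANs are the ranges the
# post names; WAN addresses are documentation-range placeholders, not real routers.
SITES = {
    "site1": {"lan": "192.168.1.0/24", "wan": "203.0.113.1"},
    "site2": {"lan": "192.168.2.0/24", "wan": "203.0.113.2"},
    "site3": {"lan": "192.168.3.0/24", "wan": "203.0.113.3"},
}

def overlapping_lans(sites):
    """Pairs of sites whose LAN ranges overlap. Each end of a tunnel needs a distinct
    range; overlapping LANs are the usual reason a tunnel is 'up' but nothing routes."""
    nets = {n: ipaddress.ip_network(s["lan"]) for n, s in sites.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])]

def mesh_policies(sites):
    """One IPsec policy (local/remote traffic selector pair) per site pair, in both
    directions, so every LAN can reach every other LAN as if it were local."""
    policies = []
    for a, b in combinations(sorted(sites), 2):
        for src, dst in ((a, b), (b, a)):
            policies.append({
                "local_wan": sites[src]["wan"], "peer_wan": sites[dst]["wan"],
                "local_lan": sites[src]["lan"], "remote_lan": sites[dst]["lan"],
            })
    return policies

def select_policy(policies, src_ip, dst_ip):
    """Emulate the router's policy lookup: a packet is put into a tunnel only when
    its source and destination fall inside one policy's local/remote selectors.
    Returns that policy, or None (traffic stays local or goes out unencrypted)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if s in ipaddress.ip_network(p["local_lan"]) and d in ipaddress.ip_network(p["remote_lan"]):
            return p
    return None

def internet_exposure(sites):
    """What the public Internet can reach when the sites are joined by tunnels:
    only IKE (udp/500), NAT-T (udp/4500) and ESP on each router's WAN address.
    The printers' own ports are never exposed, unlike a port-forward."""
    return {s["wan"]: ["udp/500", "udp/4500", "esp"] for s in sites.values()}
```

Run `select_policy(mesh_policies(SITES), "192.168.1.20", "192.168.2.50")` to see which tunnel a print job from site 1 to a printer at site 2 would ride.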