Sharing wide area network connections in shared buildings
Reduce costs, improve network efficiency and maintain control by sharing wide area network connections.
Read this guidance if you provide network infrastructure to government organisations (either as a lead department or service provider) to understand how to:
- reduce costs by sharing 2 internet and 2 Public Services Network (PSN) connections per building or building cluster
- improve efficiency by spreading traffic peaks amongst a larger number of users with different activity patterns
- allow end user devices with ‘always-on’ virtual private networks (VPNs) to connect to their home gateway
- provide access to the enterprise network to devices not using a client VPN
- maintain visibility and control of your end user devices on a shared network
Each organisation has an IT team that can deliver their own independent solutions to meet their users’ needs. They normally have a contract with a single provider for a private national network. This works well but can be wasteful when sharing office buildings between multiple organisations. A tenfold increase in bandwidth is usually available for 2 to 3 times the cost, so 10 organisations with similar requirements could save 70 to 80% by sharing connectivity.
This guidance explains how to share connections across different organisations with:
- minimal change to network infrastructure
- full control of IP addressing and traffic routing
- clear demarcation of responsibilities
Follow this technical solution
The shared workplace network uses certificates to grant network access to end user devices. Each organisation’s user group is allocated their own virtual local area network (VLAN) to which a pair of VPN devices managed by their home organisation are connected. This means that each organisation controls their own IP address allocation to clients and IP routing.
Alternatively, organisations can choose not to install devices and instead implement ‘always-on’ VPN clients on their end user devices.
The internet gateway provides direct internet access to ‘always-on’ VPN users and visitors only. All managed devices use their existing organisation’s internet gateway service. Content filtering is on a ‘best effort’ basis using a filtered domain name system (DNS) provider. However, the gateway should enforce the use of this service by blocking any other (unfiltered) DNS servers.
The internet gateway provides firewalled connectivity for the individual organisations’ VPN routers.
A central print solution is accessed via a VPN terminated on the internet gateway.
You can decide which of the following 3 connectivity options is best suited to your organisation’s requirements.
1. ‘Always-on’ VPN
If you use an ‘always-on’ VPN for your end user devices, you don’t need to install any additional infrastructure. Your building’s shared RADIUS server recognises the device certificate and connects the user to an ‘always-on’ VPN VLAN which only allows VPN traffic.
The diagram below shows different end user devices connected to a single shared infrastructure wirelessly. They connect back to their home organisations either via client VPN over the internet or a VPN gateway.
2. One pair of VPN routers per organisation
Your organisation’s VLAN is routed back to a shared cabinet in the main comms room for the building and delivered to a managed VPN termination device, which may be a router or a firewall. This should be a pair of VPN routers located separately for resilience.
You can then decide to connect back via the internet or via the PSN, depending on their requirements. Organisations with their main applications in a public cloud will probably choose to use a VPN over the internet. Those with existing PSN connectivity to their data centres will probably prefer to use a VPN over the PSN as it delivers an assured path.
You can use local break out to a cloud-based web filtering service or cloud application to avoid the added latency of internet traffic traversing the data centre. Consider your organisation’s user and security requirements when you decide whether to adopt this.
The connectivity from the end user’s device to their organisation’s VPN device is at layer 2 giving their IT team full control over the IP allocation and addressing.
You must decide how many users will be the threshold for installing the VPN endpoint, below which they use the remote access solution via the internet.
3. Private virtual routing and forwarding (VRF) over a PSN connection
You can arrange for your WAN service provider to extend your network to any PSN network vendor connected to a site. You must install a firewall or router to allocate IP addresses to your users and protect your WAN from threats.
Speak to your PSN service provider to find out whether this is available to you.
Consider your technical requirements
Shared internet gateways
Service providers must install a single internet gateway service per building cluster to be used by everyone in those buildings. Although described as a single gateway it must include multiple devices to provide high availability.
The internet gateway must:
- support the bandwidth required for the site
- have the capability to establish a VPN to any central services as required supporting Internet Key Exchange (IKEv2) and next generation encryption
- export firewall and web request logs, including the full address of unencrypted requests and the destination address of encrypted connections, to a central service via the VPN
- export logs of IP addresses allocated to clients via the VPN
- continue to function if any single component fails
- provide accurate timestamps using Network Time Protocol (NTP)
Shared WAN connectivity
Service providers must provide resilient connectivity to both the internet and the PSN so government organisations can connect to their resources in the most appropriate way.
The WAN connectivity must deliver:
- a resilient pair of internet connections
- a resilient pair of PSN connections - supporting private VRF where available
- public IP address range for the internet VPN endpoint DMZ
- PSN IP address range for the PSN VPN endpoint DMZ
The resilient connections can be split across 2 buildings in a building cluster where appropriate. This provides extra diversity and easier load sharing between the 2 connections as the users in each building can use their local connection but fail over to the other building if the connection goes down. For a single building infrastructure, the 2 cabinets and connection termination equipment should be as far apart as practical. Consider using different comms rooms to avoid total sustained outage from a single fire or flooding event.
For a pair of connections to be considered resilient, as a minimum they must use different building entry points and be diversely routed, never sharing the same duct. Consider using 2 different network providers for these connections where possible, taking care to ensure the providers are not using common underlying components.
Consider an active-active approach, so in normal circumstances both connections are around 50% average utilisation or less. This will give a better service by reducing contention during spikes at peak times while still allowing fail over.
VPN device colocation
Service providers must help public sector organisations install firewalls or other VPN termination equipment. Ideally, each organisation should have their own secured section of a cabinet so they can maintain it themselves. Where this isn’t possible, the service provider should install the equipment on the organisation’s behalf. All cabinets should be located in suitably secured and controlled comms rooms.
Service providers must provide:
- 2 shared cabinets as far apart as possible, preferably in different buildings in each building cluster for installing the WAN connection termination equipment, and other shared infrastructure devices
- separate individually lockable cabinet sections to tenant organisations, or one pair of VPN routers per organisation in the shared cabinets
- top-of-rack switch ports giving connectivity to the internet, PSN or private VRF as requested by each organisation - ports can be preallocated to reduce management overhead
- a top-of-rack switch port giving access to each organisation’s internal VLAN on the shared infrastructure
- patching to the organisation’s switches if they have implemented their own
Organisations wishing to use buildings that follow this pattern must:
- comply with the requirements in the shared workplace network guidance
- provide either a pair of VPN routers or enough client VPN capacity for the number of users at a given site
- inform the service provider of their chosen pattern of connectivity
- provide different physical interfaces on their VPN routers for their own local area network (LAN) switches (if installed) and the shared infrastructure switches
Read more about networks
Read about sharing workplace wireless networks if you’re involved in deploying new or upgrading existing public sector networks.
Find out about GovWifi.
Published: 8 August 2016