The telecommunications industry has no universal definition of an enterprise
network. A network with no connections outside the enterprise could meet the
definition because it is critical to the functioning of the organization. Usually,
however, an enterprise network implies external connections to remote offices,
employees, customers, business partners, patients, constituents, or anyone who
has a business relationship that they conduct over the network. When such a
network malfunctions, business relationships are impaired or crippled, so design
and management are more than incidental functions.
Thinking about enterprise networks has changed over the past few decades.
In the heyday of mainframe computers, the enterprise network was a way of linking
selected employees to corporate databases. The scope and size of the mainframe
limited networks to those organizations with major data-processing
operations. Smaller organizations transmitted data over teletypewriters and the
nearest thing to data storage was a piece of paper or a punched paper tape. The
shift began when companies such as Digital Equipment Corporation and Hewlett
Packard scaled the mainframe down to minicomputer size, paving the way for
more organizations to mechanize selected applications.
Both mainframes and minicomputers had common characteristics that
shaped the enterprise networks of the time. The intelligence resided in the central
computer, which meant the only applications that could be used from the desktop
were those that ran on the host. Some, such as word processing, were available
from the central computer but these were provided only to the select few that had
terminals. The closest the industry came to desktop computing was a timeshare
machine on which users could write their own applications in a language such as
Basic. The other property of centralized computers was that their networks
were proprietary and closed. IBM’s SNA was at that time a complex collection
of hardware and protocols that scaled to prodigious dimensions, governing a
flock of dumb terminals and printers.
Ironically, IBM set in motion the events that made SNA obsolescent by introducing
the PC and opening its architecture to outside developers. Virtually no one
in 1982 could foresee the enormous influence the IBM PC would have on technology.
It was a perfect partner for the LAN, the standards for which were developed
in the same timeframe. It took several years for LAN technology to catch hold, but
once it did, the shape of the network changed by quantum leaps. Freed from the
limits of host-based software and faced with technology they could purchase
under departmental budgets, users purchased desktop devices by the millions
and enterprise network managers had no choice but to adapt.
Figure 31-1 shows the main evolutionary steps that brought networking
to today’s state. Enterprise networks of the past were single-purpose. To access
multiple applications, users often needed separate terminals for each. With its
low cost and versatility, the PC soon replaced dumb terminals. At first, it was
equipped with special cards and terminal-emulation software. When in terminal-emulation
mode, a PC was no different to the user than the dumb terminal it
replaced, but it was possible to switch to desktop software, which was easier to
use and had more features than anything available on the mainframe. The architecture
at this stage was awkward. The terminal-emulation mode required hard
cable: coax back to the controller or the mainframe. Twin-ax, coax, or RS-232 were
common. The benefits of sharing files and peripherals mandated a separate LAN
connection. This meant multiple cables to each desktop, which clogged conduits
and crowded overhead ceiling space.
The next step in the evolution in the late 1980s and early 1990s was to connect
the mainframe or minicomputer to the LAN so users could run its applications
over the LAN, still in terminal-emulation mode. Sometimes this was as
simple as installing a card in a minicomputer and loading software to link the
desktop devices to the central computer. For the IBM mainframe, this represented
a major point of departure because SNA was designed on the principle that all
communications went through the host. IBM enhanced SNA with Advanced Peer-to-Peer
Networking (APPN), a group of protocols that allows sessions to be established
between peer nodes. At this stage of evolution, LANs were shared-media
systems, but traffic was relatively light. The Internet was still the private enclave
of academics, government, and a few businesses, and the bandwidth demands of
the World Wide Web had not yet materialized.
The next stage of development brought enterprise networks to where they
are today. The enterprise network provides a communications infrastructure that
sustains the strategic objectives of the enterprise. Ideally, the network is a converged
multimedia infrastructure that is flexible, easy to manage, and based on
open standards. That ideal is reached gradually in most organizations because of
the embedded base of existing equipment and the need to show a return on
investment by migrating to a new model. No longer the exclusive terrain of large
organizations, networks serve even the smallest enterprises and they are almost
certainly connected to the public Internet. The network islands and silos of the
past are giving way to an infrastructure that enables workers to communicate
with and share information in real time with customers, business partners,
and employees without regard to their location or preferred communications
medium.
Both technology and user demand are driving this phase of network development.
Organizations of a few years ago could survive comfortably without a
technology plan because their data communications were internal and their voice
communications used the PSTN or a private network. That degree of isolation is
no longer feasible. The company that does not display its presence on the Web is
invisible to a substantial portion of its clientele. Delivering information and
services efficiently is the cornerstone of the enterprise network. The enterprise
opens itself to its constituency by delivering an infrastructure that is available,
secure, and easy to access. This means it is based on open standards and handles
multiple traffic types with consistent quality and reliability.
Part of this evolution is driven by the concept of convergence, a subject we
will discuss in more detail in Chapter 37. The networks of the past shared backbone
facilities by dividing bandwidth, but the media remained separate. In the
converged network, different types of traffic coexist seamlessly. The enterprise
network must adapt to handle these multiple traffic types and support a broad
range of applications. This requires classifying and prioritizing traffic so that one
class does not cripple the service level of another.
ELEMENTS OF THE ENTERPRISE NETWORK
The enterprise network designer chooses a fundamental standards-based architecture
with close linkage between the architecture and the enterprise’s strategies.
The network is almost certainly based on the use of IP, but that does not mean it
is converged at the outset or that it uses an IP backbone. Many networks run
over point-to-point circuits, frame relay, and ATM. Enterprise networks are evolutionary.
They must consider existing equipment and replace and upgrade it as
economics dictate. The objective is a single network that is flexible, secure, easy to
manage, and supports all communication needs. It adjusts to current and future
applications, functions reliably, and delivers service at an affordable price.
The enterprise network focuses on its constituents: internal users, customers,
and suppliers, while defeating hostile forces from the outside that have the objective
of bringing it down. The network takes into account trends in the workplace.
The current shibboleth is collaboration. Recognizing that teamwork occurs among
people, network managers can do little to cause collaboration to happen, but they
can ensure that the network supports it at the appropriate time. Today’s work
force is increasingly mobile and the enterprise network is called on to enhance
mobility by supporting wireless applications and remote access.
The main attributes of the enterprise network are these:
Quality of service (QoS). The network is designed, configured, and
managed with QoS as its keystone. This means that traffic is classified
at the source and prioritized end-to-end through an infrastructure that
requires nothing of its users outside their normal method of operation.
The ideal network is an extension of its applications and remains
invisible to the users except for the jack in the wall.
Standards-based. Recognizing that no single vendor can provide all the
elements of the enterprise network, the design and structure are based
on open standards. This does not preclude the use of equipment with
proprietary elements, but cross-platform and cross-product interoperability
are required. Furthermore, purchases, including those made with
departmental budgets, must conform to the company’s equipment and
application standards.
Security. The network is designed, configured, and managed with
security and server protection paramount. It integrates both wired and
wireless components and is designed to detect and prevent intrusion
at the edge and to survive attacks without service interruption. Policies
and procedures such as sanitizing files and applications are conveyed
to users to protect the network core.
Reliability. Fault tolerance is designed into the network. Components are
manufactured to high standards of performance and are hot swappable.
Management announces and adheres to service-level agreements (SLAs)
554 PART 5 Telecommunications Networks
that give the users assurance that mission-critical applications will not
experience unscheduled downtime.
Asset and investment protection. Existing equipment is applied for maximum
benefit. Duplicate infrastructures are avoided by adapting to new
applications and new technologies without major changes or upgrades.
A major advantage of the mainframe computer of the past was the ability of
the network manager to enforce uniformity. Today, equipment is so inexpensive
and readily available that uniformity can be achieved only through policies and
persuasion. Rogue equipment can be brought in unnoticed and open security
holes that are difficult to detect and impossible to defend. Without control of the
applications, it is difficult to deliver agreed-upon SLAs, so this means the enterprise
needs to have plans and strategies for adopting new technology and applications.
The enterprise must develop policies in two senses of the word. On one
hand are written directives and procedures that ensure that the necessary controls
are in place. The other is technical policy that provides the bandwidth and QoS
that the applications demand.
Policy-based networking means permitting access to resources to those with
the need to use them while denying it to those that do not. It means managing
traffic flow, prioritizing applications, and delivering bandwidth-differentiated
services according to the needs of the application. It implies that servers and
applications are classified based on their position and behavior in the network.
Policies are established to ensure that users have appropriate privileges. All of this
requires more information than the network manager can possibly have at his or
her fingertips, which implies mechanized support. We will discuss policy-based
networking in a later section.
A technical structure must be in place to manage the network with internal
resources, by outsourcing, or with a combination of both. Testing and managing
networks, as we discuss in Chapters 38 and 39, is costly, but the cost of interruption
can be devastating. Effective network management requires that performance
be monitored in real time and that problems are detected and corrected before
they have an adverse impact on service. The network operations center must be
staffed with people with the appropriate skills and the necessary tools.
Knowledge of traffic flows is essential, e.g., what applications communicate with
other applications, at what times of the day, and with what bandwidth requirements.
Besides performance monitoring, security violations must be detected and
thwarted to prevent damage. Policy-based networking is in its infancy, but networks
of the future will not survive without it.
The enterprise network is multiprotocol, multivendor, and multiapplication.
The increasing globalization of business means the network is multilocation and
multinational as well. The strategic implications of the network also mean that it
is likely to be multicompany. Such a network is difficult to manage and control.
As companies do business electronically with their strategic partners, conflicts
arise in protocols, governmental regulations, and standards. The enterprise
network ties the parts together into a unified design and architecture.
BUILDING BLOCKS OF THE ENTERPRISE NETWORK
This section discusses the elements of an enterprise network. These have been discussed
in earlier chapters and are presented here with applications to show how
they fit as an integrated whole.
Terminal Equipment
Figure 31-1 shows the evolution of terminal equipment interfaces to a host computer.
Many legacy networks resemble the left side of the figure: a host computer
controls a network of dumb terminals. The terminals connect through a cluster
controller or multiplexer to the host, which contains the database and manages
the network. The dumb terminal has practically disappeared, replaced by the personal
computer—at first emulating the terminal and then operating as a peer as
shown in the central part of the figure. Local area networks, usually using twisted
pair wire, replace the coaxial and RS-232 wiring to controllers and multiplexers.
Local Area Networks
The foundation of virtually every network today is the Ethernet LAN. The basic
building blocks—the NIC, high-quality UTP wire, switches, servers, network
operating system, and routers—are becoming so common as to be practically
commodities. The 100-Mbps LAN with layer 2 and 3 switches, VLAN and QoS
capability, a backbone with sufficient bandwidth, and PoE provide capacity for
nearly any application the enterprise adopts.
Circuits
The building block of the network of the past was the voice grade analog circuit.
With conditioning it supports data and with signaling it supports voice. The limited
bandwidth of the voice-grade circuit gave rise to digital data service (DDS), a
digital service operating at speeds up to 56 Kbps. Based on the bit-robbed signaling
of a T1 backbone, DDS is expensive and incapable of providing 64-Kbps clear
channel circuits. As the demand for greater bandwidths increased, the major IXCs
provided T1/E1 and fractional T1/E1 facilities and, increasingly, are delivering
T3/E3 and fractional T3/E3. The trend clearly is toward providing point-to-point
circuits in bulk. A T1 can be leased for the price of six or seven voice-grade circuits;
a T3 can be obtained for the price of about the same number of T1s. Anyone needing
point-to-point bandwidth should evaluate fractional T1/E1 if a full T1 is not
needed. Fractional T1/E1 is a point-to-point service between major metropolitan
areas. Some LECs offer fractional T1/E1, but others offer digital service only in
DS-0, DS-1, and DS-3 increments.
With the demise of the voice-grade analog circuit, bandwidth is provided in
the standard SONET/SDH levels. This bandwidth may be divided and voice and
data kept separate. Although this foregoes the advantage of efficient multiplexing,
it is an inexpensive way of sharing facilities between voice and data. IXCs can split
the bandwidth at the central office, using part of it for access to the long-distance
network and the remainder for access to point-to-point, frame relay data services,
or even local service. An IAD at the customer’s premises splits the circuit into its
component parts as shown in Figure 31-2. The information travels over an access
circuit, which is usually T1/E1, to the IXC’s central office, where it is separated
into its component parts, typically in a DCS.
Common-Carrier Switched Facilities
Long-distance costs have dropped to the point that it is difficult to justify a private
voice network except where it can be shared with data and ride for minimal cost
or where the volume is high enough to justify a voice VPN, which we discuss in
a later section. One of the theories behind divestiture was that competition would
drive down long-distance costs, and that has proved to be true. In the past,
switched long-distance networks offered two alternatives: wide area telephone
service (WATS) for the heavy users and direct distance dialing for everyone else.
Now, WATS has disappeared. Large users connect directly to the long-distance
carrier’s switch with T1/E1 facilities and smaller users negotiate reduced-cost
long distance over switched access.
The long-distance market can be segregated into three groups of users. At
the low end are small users who have no alternative but to use switched access.
Mid-sized users can save money by using T1/E1 access for large sites and switched
access for smaller locations. If a private data network serves the remote sites, long
distance from those sites can be transported to the larger location and switched
over dedicated access facilities. The largest organizations can usually justify a
voice VPN, which offers the equivalent of a private voice network, but over
common-carrier facilities.
Premises Switching Systems
The PBX is the most familiar kind of circuit switch in private networks. Larger
networks use class 5 or tandem switches with a private system generic program,
but most private networks use a PBX for the purpose. As voice and data converge,
it becomes more effective to use one of the varieties of IP switching systems.
Common-carrier switching services also are available. The most familiar type is
the Centrex services that most LECs offer. Centrex systems can support the same
T1/E1 long-distance services and special trunks that PBXs support. Centrex, also,
is migrating toward IP.
Facility Termination Equipment
Private facilities are terminated in equipment that provides testing access, conditions
the signal to meet the line protocol, and divides the bandwidth among the
users. Digital facilities terminate in a CSU that converts the bipolar line signal to the
T1/E1 format as well as other maintenance functions. CSUs with add-drop capability
are available to divide the line. Access to individual channels is also obtained by
terminating the line in a channel bank, an IAD, or a digital crossconnect.
PRIVATE VOICE NETWORKS
A private voice network tends to integrate the enterprise more tightly. Human
endeavor revolves around communication, and the more personalized the communication,
the more effective the organization. Multilocation companies can be
more closely knit if they can dial each other with an abbreviated dialing code,
transfer calls across the network, and all locations are part of the same directory.
Small organizations have little choice but to use the PSTN, at least until they can
justify a converged network. Large organizations can develop private voice
networks by one of the two methods. The traditional method is to use an ETN.
This arrangement connects switches together with a network of T1/E1 lines. The
T1/E1 lines carry a fixed monthly rate that is independent of the amount of traffic.
For companies with heavy usage, an ETN can be cost-effective. Long-distance
costs have dropped, however, to the point that it is difficult for an ETN to compete
with common-carrier pricing.
Of particular interest to many companies is the voice VPN. A voice VPN
operates as if it is composed of private voice circuits, but is actually part of the
IXC’s switched network. AT&T’s virtual network is Software Defined Network
(SDN), MCI’s is V-Net, and Sprint’s is Voice VPN. A voice VPN depends on SS7 to
link the various IXC switching nodes and to direct them to behave as if they were
a private network. The service definitions are retained in the IXC’s SCP database,
which is queried over the data network that links the switches at the SSPs. (Refer
to Figure 12-2 for this architecture.)
Stations in a VPN are defined as off net if they access the IXC through the
LEC and on net if they bypass the LEC with a T1/E1 link to the IXC. Unlike conventional
T1/E1 long-distance access, a VPN can both terminate and originate
calls over the access line. This enables the IXC to bypass the usage charges the
LECs impose on the originating and terminating ends of a call. Calls placed over
the network are rated in three categories: on-net-to-on-net, on-net-to-off-net, or
off-net-to-off-net. The on-net portion of calls does not incur access charges, which
reduces the cost of the call.
When the IXC’s switch receives a call setup request, it sends a message to its
SCP database requesting instructions. The SCP checks for restrictions and service
classifications, such as forced account code dialing, and returns a message to the
originating switch, sends routing information to the switches in the connection,
and directs the switches to connect the path.
Virtual networks are economical for large companies that have a considerable
amount of on-net calling. Most of the features of a dedicated private network
can be provided. For example, locations can call each other with an abbreviated
dialing plan, calls can be restricted from selected area or country codes, and other
dialing privileges can be applied based on trunk group or location. Special billing
arrangements are provided. Call detail furnished online or on a CD-ROM enables
the company to analyze long-distance costs in a variety of ways.
PRIVATE DATA NETWORKS
The services for implementing data networks are abundant. For convenience, they
are classified as local area, metropolitan, and wide area or global services. That
distinction is diminishing as Ethernet transcends its original distance limitations
and ventures into the metropolitan network, which we discuss in Chapter 32. The
WAN–metropolitan distinction is also fuzzy because the same protocols may be
used for both. A private data network uses fixed point-to-point bandwidth or a
common-carrier service such as frame relay (Chapter 34), ATM (Chapter 35), or a
private IP network (Chapter 36). The Internet is also available for private network
use, with security precautions discussed in the next section.
Data VPNs
The main attraction of connection-oriented services such as frame relay as a platform
for private networks is the lack of concern about security. The Internet has
spawned a type of data network known in the trade as a VPN, referred to here as
a data VPN to distinguish it from a voice VPN. A VPN is a set of sites that communicate
with one another over a public IP network while maintaining the security
and management capabilities of a dedicated circuit or frame relay network.
The basic functions of a VPN are membership discovery (who belongs to what
VPN) and the establishment of a secure tunnel through the network. VPN subscribers
have the following objectives for the network:
Security. The VPN is secure from unauthorized access to the same
degree as a network implemented over frame relay or dedicated circuits.
Connectivity. Any authorized site can use IP’s connectionless capability
to connect to other sites. New sites can be added quickly. Mobile users
can access the network from remote locations. Also, the network can
span multiple service providers where necessary.
Simplicity. The network is easy to set up and manage.
Resiliency. The network can respond rapidly to changing traffic patterns.
Scalability. The network can scale to meet changing needs as the subscriber
adds locations or connects to external users such as customers
and business partners.
Quality. The VPN can support multiple media including voice,
video, and multicast with sufficient QoS. The service provider
offers and adheres to SLAs based on worst-case scenarios as opposed
to averages.
There is no single standard configuration for a data VPN, but the illustration
in Figure 31-3 is typical. A VPN consists of a combination of authentication, tunneling,
access control, and encryption that is designed to carry data securely over
a public network. A network tunnel is a metaphor for the process of encapsulating
the data of one protocol inside the data field of another protocol. Encapsulation
permits data originated on one protocol to transit otherwise incompatible networks
including a hostile network such as the Internet. It is not normally necessary
to encrypt data that is carried exclusively on common-carrier networks
because these are normally considered as secure. Nevertheless, many organizations
encrypt everything including voice as a matter of course.
VPNs operate at either layer 2 or layer 3, with the latter comprising the
majority of VPNs in service. In an L3VPN the service provider routes packets
across the network based on customers’ IP addresses. In an L2VPN the packets are
forwarded based on L2 information or port information, and the customer is
responsible for routing. An L3VPN is deployed over an IP network and emulates
a multisite routed network. A layer 2 VPN emulates a bridged LAN connection
over a VPN and is often called virtual private LAN service (VPLS). The industry
uses the term pseudowire to describe the emulation of a native point-to-point
service over a packet network.
Organizations can develop their own VPN or purchase the service from a
carrier. A VPN over a private IP network consists of routers and access devices
connected with leased circuits, frame relay, ATM, or other secure facilities, providing
the private equivalent of the Internet. Such a network provides security
that is equivalent to frame relay, but it is tricky to set up because in almost every
case it will be called on to serve nodes that have direct Internet connections.
Figure 31-3 Data Virtual Private Network
One solution that may require less administrative expertise is to outsource
the network to a common carrier that manages everything. Although the user
sends IP traffic to the network, the carrier may wrap the traffic in cells or frames
and transport it across an ATM or frame relay network. It is important to know
whether the carrier uses any part of the Internet for the VPN traffic. If so, encryption
is required. Several equipment manufacturers package the necessary VPN
functions of routing, encryption, firewalling, and tunneling protocols into a single
VPN access device.
The two main purposes of a VPN are to provide remote access and site-to-site
connectivity. If a site-to-site VPN is used exclusively as an internal network, it
is commonly called an intranet. If it is used for outsider access it is called an
extranet. Remote access users can connect to the network with either a dedicated
connection such as DSL or cable or they can use dial-up. The savings are particularly
attractive for overseas users. Since the VPN may transit the Internet, it must
have several methods for keeping the data secure. The most common method of
obtaining the necessary security is to build encrypted tunnels through the network
using protocols such as IPSec (IP Security) or Layer 2 Tunneling Protocol
(L2TP). This method, known as the overlay model, achieves security at the price
of greater complexity because of its connection-oriented nature. For sites to communicate
with one another either a tunnel must be defined between sites or the
site must communicate through a third site. The first alternative adds complexity
and the second adds unnecessary traffic to the third site’s access circuit plus
adding the delay inherent in the extra hop.
IP Security
IPSec is a framework of standards that ensures private communications at the
network layer. It introduces enhanced encryption and authentication through two
modes: tunnel and transport. The tunnel mode encrypts the entire packet including
the header. The transport mode encrypts only the payload. The encrypted
packets in transport mode look like ordinary packets, so they can be routed
transparently. In the tunnel mode, the encrypted packet is enclosed in a new
packet, adding to the overhead, but further increasing security by keeping
addresses private.
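The difference between the two modes is easiest to see at the byte level. The following is an added example, not code from the text: it builds real IPv4 headers (with valid checksums) and an ESP-style header, wraps a constructed TCP segment in transport mode and in tunnel mode, and then shows what a passive observer on the path can read in each case. The confidentiality transform is a stand-in keystream built from HMAC-SHA256 so the example runs with the standard library alone; real ESP uses AES and carries integrity data (RFC 4303). The addresses, key, and segment are constructed sample values.

```python
"""Added example: IPsec ESP transport mode versus tunnel mode, modelled at byte level.
Assumptions (not from the text): keystream_xor stands in for ESP's AES; the ESP
trailer is reduced to the Next Header byte; all addresses and keys are constructed."""
import hashlib
import hmac
import struct

ESP_PROTO = 50   # IP protocol number carried in the outer header for ESP
TCP_PROTO = 6
IPIP_PROTO = 4   # Next Header value meaning "an IPv4 packet follows" (tunnel mode)

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; returns 0 when run over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def keystream_xor(key: bytes, spi: int, seq: int, data: bytes) -> bytes:
    """Toy confidentiality transform: XOR with an HMAC-derived keystream bound to SPI and sequence.
    Stand-in for the AES transform real ESP uses; symmetric, so it also decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, struct.pack("!IIQ", spi, seq, counter), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def esp_encapsulate(key: bytes, spi: int, seq: int, inner: bytes, next_header: int) -> bytes:
    """ESP header (SPI, sequence number) followed by the encrypted payload and Next Header byte."""
    return struct.pack("!II", spi, seq) + keystream_xor(key, spi, seq, inner + bytes([next_header]))

def esp_decapsulate(key: bytes, packet: bytes):
    """Receiver side: recover (next_header, inner bytes) from an ESP packet built above."""
    spi, seq = struct.unpack("!II", packet[20:28])
    plain = keystream_xor(key, spi, seq, packet[28:])
    return plain[-1], plain[:-1]

def transport_mode(key, spi, seq, src, dst, segment: bytes) -> bytes:
    """Transport mode: original IP header stays in the clear, only the segment is protected."""
    esp = esp_encapsulate(key, spi, seq, segment, TCP_PROTO)
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp

def tunnel_mode(key, spi, seq, gw_src, gw_dst, inner_src, inner_dst, segment: bytes) -> bytes:
    """Tunnel mode: the whole inner packet (header included) is encrypted behind a new outer header."""
    inner = ipv4_header(inner_src, inner_dst, TCP_PROTO, len(segment)) + segment
    esp = esp_encapsulate(key, spi, seq, inner, IPIP_PROTO)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp

def observer_view(packet: bytes) -> dict:
    """Everything an on-path observer without the key can read: outer addresses, SPI, sequence."""
    spi, seq = struct.unpack("!II", packet[20:28])
    return {
        "src": ".".join(str(b) for b in packet[12:16]),
        "dst": ".".join(str(b) for b in packet[16:20]),
        "proto": packet[9],
        "spi": spi,
        "seq": seq,
        "ciphertext_len": len(packet) - 28,
        "checksum_ok": ipv4_checksum(packet[:20]) == 0,
    }

# Constructed sample data: a toy TCP segment (ports 1234 -> 80 plus a request line).
KEY = b"constructed-demo-key-not-for-real-use"
SEGMENT = b"\x04\xd2\x00\x50" + b"GET / HTTP/1.0\r\n"

def compare_modes():
    """Return (observer view of transport packet, observer view of tunnel packet, byte overhead)."""
    t = transport_mode(KEY, 0x1000, 1, "10.1.1.5", "10.2.2.9", SEGMENT)
    u = tunnel_mode(KEY, 0x1000, 1, "203.0.113.1", "198.51.100.1", "10.1.1.5", "10.2.2.9", SEGMENT)
    return observer_view(t), observer_view(u), len(u) - len(t)

if __name__ == "__main__":
    transport_view, tunnel_view, overhead = compare_modes()
    print("transport mode observer sees:", transport_view)
    print("tunnel mode observer sees:   ", tunnel_view)
    print("extra bytes in tunnel mode:", overhead)
```

Running it shows the point of the paragraph concretely: in transport mode the observer reads the real endpoint addresses 10.1.1.5 and 10.2.2.9, while in tunnel mode only the two gateway addresses are visible and the inner header costs an extra 20 bytes per packet.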
For IPSec to work, all of the devices on the network must share a common
public encryption key. The authentication process must also be encrypted, so
some method of bootstrapping the process is needed. This is generally done by the
use of an independent digital certificate authority or by the two ends sending each
other keys through some other secure media. After the initial authentication, the
Internet Key Exchange (IKE) protocol allows the devices to negotiate a secure
tunnel between them.
Authentication, Authorization, and Accounting (AAA)
AAA authentication is frequently used in a remote-access VPN with dial-up
clients. When a call arrives, the request is forwarded to the AAA server, which
verifies the caller’s identity, authorization, and tracks the call for auditing or
billing purposes. A common method of authentication is the industry standard
remote authentication dial-in user service (RADIUS) server, which provides
several methods of user authentication.
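The RADIUS exchange between an access server and the AAA server is small enough to model end to end. The following is an added example, not code from the text or from any RADIUS implementation: it builds an Access-Request as RFC 2865 lays it out (Code, Identifier, Length, a 16-byte Request Authenticator, then attributes), hides the User-Password with the RFC 2865 shared-secret MD5 scheme, lets a toy server decode it and answer with an Access-Accept or Access-Reject, and verifies the Response Authenticator on the client side. The shared secret, user database, and NAS address are constructed values; the server logic is a minimal stand-in, not a real AAA product.

```python
"""Added example: a RADIUS Access-Request / Access-Accept exchange per RFC 2865,
with User-Password hiding and Response Authenticator verification.
Assumptions (not from the text): the server, secret, user database and addresses
are constructed for the demonstration."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block).
    This is obfuscation keyed by the shared secret, not modern encryption; RADIUS relies on
    the NAS-to-server path being trusted."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out, prev = out + chunk, chunk
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, chaining on the hidden blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(x ^ y for x, y in zip(chunk, mask)), chunk
    return out.rstrip(b"\x00")

def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length covers the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs

def build_access_request(ident, secret, username, password, nas_ip, authenticator=None) -> bytes:
    """Client (NAS) side: Access-Request with a fresh random Request Authenticator."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs))
                       + request_auth + attrs + secret).digest()

def build_response(code, ident, request_auth, secret, attrs=b"") -> bytes:
    return (struct.pack("!BBH", code, ident, 20 + len(attrs))
            + response_authenticator(code, ident, attrs, request_auth, secret) + attrs)

def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: reject replies whose authenticator was not produced with the shared secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    expected = response_authenticator(code, ident, packet[20:length], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)

def server_handle(packet: bytes, secret: bytes, user_db: dict) -> bytes:
    """Toy AAA server: decode the request, check the credentials, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("unexpected RADIUS code %d" % code)
    request_auth = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = hmac.compare_digest(user_db.get(user, b"\x00"), password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, secret)

def dialup_exchange(username: bytes, password: bytes, client_secret=b"constructed-shared-secret"):
    """One full round trip; returns (response code, whether the client accepted the reply)."""
    server_secret = b"constructed-shared-secret"
    user_db = {b"alice": b"correct horse battery staple"}   # constructed user database
    request = build_access_request(7, client_secret, username, password, "192.0.2.10")
    reply = server_handle(request, server_secret, user_db)
    return reply[0], verify_response(reply, request[4:20], client_secret)

if __name__ == "__main__":
    print("valid credentials:", dialup_exchange(b"alice", b"correct horse battery staple"))
    print("wrong password:   ", dialup_exchange(b"alice", b"wrong"))
```

The two checks worth noticing are the ones an auditor looks for in a RADIUS deployment: the password never crosses the wire in the clear, and a reply is only trusted after its Response Authenticator is recomputed with the shared secret, so a reply forged or altered by a party without the secret is discarded.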
Tunneling Protocols
Tunnels are of two types, end-to-end and node-to-node. An end-to-end tunnel
extends from the remote PC through the network to the server. In this configuration
the encryption, decryption, and session setup happen at the ends of the
connection. In node-to-node tunneling the tunnel terminates at the edge of the
network. The traffic connects through edge devices such as a router or the VPN
access devices shown in Figure 31-3, where it is encrypted and tunneled to a
matching device at the edge of the distant network.
The primary tunneling protocols in use besides IPSec are L2TP and Point-to-
Point Tunneling Protocol (PPTP). PPTP and L2TP support Password Authentication
Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).
PRIVATE NETWORK DEVELOPMENT ISSUES
The overview of the building blocks of telecommunications networks shows that
there is no shortage of choices. This section discusses some of the principal design
issues that managers must consider in implementing networks.
Security
Connections to the Internet raise security concerns for every network manager.
External threats from viruses, Trojan horses, worms, and denial-of-service attacks
are an infuriating reality that requires constant vigilance. A more subtle threat to
security comes from internal users who can compromise security inadvertently or
launch internal attacks that destroy files or access them without authorization.
Rogue wireless nodes, laptops, PDAs, and cell phones that carry infections around
the firewall and open discussions of confidential information on public IM are just
a few ways users can jeopardize the best security precautions.
Network security involves the following issues:
Physical security. Network and computer equipment and the circuits that
connect them are physically secure. Equipment rooms and wiring closets
are kept locked and the keys under control. The facilities are clean and
free of debris and fire hazards.
Terminal security. Access to the network is controlled. Dial-up circuits use
a system such as dial-back, a hardware security device, or an authorization
server to prevent unauthorized access. Passwords are controlled
and revised periodically. Terminals and computers are kept physically
secure and the keyboards locked if possible. Laptops are secured so that
if they are lost, they cannot be used to access the network.
Disaster recovery. The network has a plan for restoring service in case
common-carrier services fail or major equipment is lost because of fire,
earthquake, sabotage, or other disasters.
Data security. Firewalls are configured to close all unused ports.
Information that is carried over wireless or public networks is encrypted
and keys are guarded and transported only over secure media. Access is
controlled with smart cards, biometrics, or a RADIUS server. Intrusion
detection devices at the edge alert management to attempts to penetrate
or deny service to the network.
Policies. The enterprise’s policies for safeguarding information are clearly
written, published, and regularly reviewed. Employees are sensitized to
the nature of security threats and instructed on appropriate preventive
measures.
Policy-Based Networking
A major issue in deploying a multimedia network is determining which users or
applications receive preferential access to network resources. The industry uses
the term policy to encompass the practices and systems needed to regulate access
to network resources. Certain applications need priority access and all need predictable
service levels. All network equipment including routers, switches, firewalls,
and hosts must participate in a plan for discriminating between packets that
can tolerate best-effort service and those that cannot and for identifying which
applications users are permitted to employ.
Policies include the conditions under which the policy is activated and the
action that is to be taken. The policy is enforced by the apparatus that applies the
action under the appropriate conditions. The enforcer could be static; toll
restrictions on particular stations, router access control lists, and authentication
servers are examples of static enforcers. The allocation model may change with
time of day and day of week and with the class of service assigned to users. For
example, if the board of directors is having a video conference, its packets have a
higher priority than a desktop video conference between two engineers.
Effective policy adapts to the needs of the moment. A company might choose
to throttle Web access during peak hours, but allow it at other hours if the load
permits. This requires some method of monitoring the traffic flow and taking
remedial action if it falls outside objective bounds. For example, time-sensitive
UDP packets must take precedence over TCP packets. They can be identified easily
enough and prioritized with DiffServ and the path resources can be reserved
with RSVP, but whether they should be is a different question. If the network is
capable of rolling voice traffic over to the PSTN at peak usage times, this may have
a less detrimental impact on the organization than, say, delaying HTTP traffic. The
difficulty is how the network manager makes this determination, especially in an
environment that changes dynamically.
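The conditions-plus-action model described above, as an added example that is not from the book: a minimal policy decision function that maps a flow to a DiffServ code point and an optional rate limit from the application, the user's class of service and the time of day. The rule set, the business hours and the sample flows are constructed; the DSCP values EF (46) and AF41 (34) are the standard DiffServ code points, and everything else is an assumption.

```python
"""Policy = conditions + action, evaluated per flow.

Added illustration, not code from the book: maps a flow to a DiffServ code
point and optional rate limit from application, user class of service and
time of day. Rule set, business hours and flows are constructed; DSCP values
EF (46) and AF41 (34) are standard, everything else is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, Optional

EF, AF41, BEST_EFFORT = 46, 34, 0  # DSCP: Expedited Forwarding, AF41, default

@dataclass(frozen=True)
class Flow:
    app: str          # "voice", "video", "http"
    user_class: str   # class of service assigned to the user
    when: datetime

@dataclass(frozen=True)
class Rule:
    name: str                               # reported for troubleshooting
    apps: FrozenSet[str]                    # condition: application
    user_classes: Optional[FrozenSet[str]]  # condition: user class (None = any)
    peak_only: bool                         # condition: business hours only
    dscp: int                               # action: DiffServ marking
    rate_kbps: Optional[int]                # action: throttle (None = none)

def is_peak(when):
    """Assumed business hours: weekdays 09:00-17:00."""
    return when.weekday() < 5 and 9 <= when.hour < 17

# Ordered: first match wins, so the board's video conference precedes
# the general desktop-video rule.
POLICY = [
    Rule("board-video", frozenset({"video"}), frozenset({"executive"}), False, EF, None),
    Rule("desktop-video", frozenset({"video"}), None, False, AF41, 1500),
    Rule("voice", frozenset({"voice"}), None, False, EF, None),
    Rule("web-peak-throttle", frozenset({"http"}), None, True, BEST_EFFORT, 512),
]

def decide(flow, policy=POLICY):
    """Return (rule name, dscp, rate_kbps) of the first matching rule;
    unmatched flows get plain best-effort service."""
    for rule in policy:
        if (flow.app in rule.apps
                and (rule.user_classes is None or flow.user_class in rule.user_classes)
                and (not rule.peak_only or is_peak(flow.when))):
            return rule.name, rule.dscp, rule.rate_kbps
    return "best-effort", BEST_EFFORT, None
```

Returning the matched rule's name alongside the action is what lets a troubleshooter trace a slow-response complaint back to the policy that caused it, the situation the text describes with the reserved video-conference bandwidth.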
Policy is unique to each organization and presupposes the availability of
information and capability of control that are often beyond human capacity.
A rough policy of sorts can be built with a firewall and router, but a policy-based
network requires a policy server, which is a specialized device that monitors data
flow and administers management’s policies. The server is probably linked to an
LDAP directory to assist in identifying users who may require priority treatment.
Policy standards are primitive today and largely proprietary. Consequently,
the multivendor network may be impossible to manage end-to-end. The solution
for many companies is to keep increasing bandwidth to the point that policy management
is not needed. Moreover, effective policy administration presupposes
that someone has a thorough understanding of everyone’s needs and knows how
to translate them into computer code. The policy server gives troubleshooters yet
another place to look when things go wrong. For example, a complaint about slow
response time could result from a policy that reserves a substantial part of the network’s
bandwidth for a scheduled video conference. These issues will be resolved
as designers and managers gain more experience, but in the meantime, policy-based
networking is more vision than actuality.
Future Compatibility
Network products and services are changing so rapidly that it is difficult to be
sure the current design will be compatible with the future shape of the network.
Voice and video over IP will be an important part of many networks in the future.
Services that demand high bandwidth are here now and will grow. Some will
have a strong impact and others may fizzle. The key to designing a network is to
remain flexible—not locked into a single technology that will limit the organization’s
ability to follow the shifting telecommunications environment.
Vendor Independence
In the past, network managers relied on a single vendor for the mainframe computer
and the network components. Having a single vendor to hold responsible
for network performance is comforting, but not practical for most networks now
that servers have replaced central computers. Network designers must determine
whether standards are open enough to remain free of proprietary equipment
and protocols. Many network components such as NICs, servers, and Ethernet
switches are effectively commodities that can be purchased from almost anyone,
but the greater the degree of vendor independence, the more the reliance of the
enterprise on internal resources. The need for policy management and a network
management system often precludes vendor independence. On the other hand,
no vendor has a monopoly on technology, and niche players are more apt to have
better prices or superior performance in one family of products because their
developmental efforts are more concentrated.
Network Management Issues
Chapter 39 discusses principles of testing and managing networks. The hierarchical
networks of the past had a significant advantage over the peer-to-peer networks
of the present and future: they were easier to manage. Vendor-specific
network management products make it possible to look into components and
diagnose and sometimes clear trouble. As the network becomes multivendor,
these management capabilities diminish.
Network Planning
Many managers today face a dilemma. Control of computing budgets is moving
from the MIS department to the end users. Users purchase computers and wireless
equipment today as they purchased office machines in the past: they are justified
on an individual basis and the network manager may lack control over the
applications. Organizations that have control over equipment standards are in the
best position to plan the network. If the information in desktop devices is of any
value, someone must also plan for such factors as security, regular data backup,
and network capacity.
ENTERPRISE NETWORK APPLICATION ISSUES
With the trend toward obtaining digital circuits in bulk, as either full or fractional
T1/E1, the most cost-effective networks are those that integrate different applications
at the circuit level. Effective network convergence requires a systematic
planning approach to choose which of the many alternatives are to be employed.
Developing a network generally involves the following:
Identify the applications. Present and future applications including voice,
data, video, facsimile, imaging, and all other foreseeable communications
services should be identified. It is not enough to consider only
present applications. Knowledge of future plans and expected growth
is essential.
Identify locations to serve. The geographic location of all points on the
network must be identified along with the makeup of the users at that
location and their potential demands on the network.
Determine traffic volume. The amount of traffic, both terminating and
originating, should be identified at each location. Determine the volume,
type, and length of data transactions. Determine the quantity of voice
traffic from sources such as common-carrier bills, traffic usage recorders,
and call-accounting systems. Identify both on-net and off-net traffic.
It is useful to create a matrix of traffic flows between locations.
Determine network type. Each application will have an optimum network
type to support it. Short-range, high-speed data applications are served
by LANs. Routers and remote bridges can link geographically dispersed
LANs with a common interest. Companies with large amounts of intracompany
voice traffic should consider a voice VPN. Companies with
multiple remote offices can consider a data VPN.
Develop network topology. The topology of the network is based on the
applications. Costs of alternative transmission methods are calculated,
and where the volume and cost of traffic are enough to justify private
circuits or a public network such as a virtual network, these are added
to the design. Optimize the design by trying different combinations of
circuits and by selecting alternative concentration points.
Develop security measures. The network must be secure from unauthorized
access. Develop plans to secure it physically and to prevent
unwanted access. Where the public Internet is involved for private
intranet and extranet communications, encryption and authentication
are necessary.
Determine how the network will be managed. Most networks use SNMP and
a proprietary network management system to oversee the network. See
Chapter 39 for further information on selecting and applying a network
management system.