Evaluating Technical Environment and Goals
Evaluate the company's existing and planned technical environment and goals.
Before beginning your network infrastructure design, you must be able to determine three things:
What does the customer do with its existing network infrastructure?
What does the customer want to do with the network infrastructure?
What is the gap between the current infrastructure and the desired infrastructure?
Answering these questions is called performing a gap analysis.
A gap analysis is useful in determining what steps will need to be performed to improve the existing network infrastructure. The gap between the existing environment and the environmental goals proposed by company management will form the basis of your network infrastructure design and will help you decide which Windows 2000 features will need to be included in your design.
The first step in your gap analysis is to assess the state of the current network infrastructure. The areas to examine, and the processes for doing so, are covered in the next several sections.
Analyze Company Size and User and Resource Distribution
Examine the company size. How many users will the network infrastructure need to support? 100? 1,000? 10,000? Make sure that you consider whether the company plans to extend its infrastructure to be used by its vendors and partners. If so, determine how many users from the vendors' and partners' networks will be accessing the new network infrastructure. Make sure that you have an accurate assessment of the various user populations so that you can design for performance, reliability, and scalability, in accordance with the real demand for network services.
In addition to the user population total, you should look closely at the distribution of these users. Are they all in one building or on one campus? Are they spread out across multiple locations? Are those locations spread out across the country or around the world?
You will have different considerations depending on the distribution of the user population. If all the users are in one building, you are basically designing a LAN infrastructure. If they occupy multiple buildings within a single campus, you are working with a design known as a CAN, or campus area network. In this type of network, you must deal with the additional complexity of connecting the buildings within the campus, in addition to the individual client computers within each building.
If the population is more widely distributed, you must also include a design for WAN services in your overall infrastructure design. Each of the company sites will have its client computers connected to a LAN, and each of the LANs will be connected in some way to the WAN.
Some of the users in the total user population might be mobile users who need to access the network infrastructure from remote sites that change frequently. In this case, you will want to build in support for either the traditional RAS services or the newer VPN services in your network infrastructure design. The use of VPN services implies that some sort of Internet connectivity will be required, so you must include that connectivity in your design as well.
Once you have assessed the user population and the distribution of those users, you will need to examine the distribution of network resources on the existing infrastructure. Are the resources centrally located? Are the resources stored physically near the segments of the user population that use them most? Are all users afforded adequate access to all the network resources they require?
As you examine the existing distribution of resources and compare that to the distribution of users, you should attempt to determine if the current infrastructure is adequate. This will help you decide whether you can use the existing infrastructure as a model for the new one, or whether you must discard the layout of the existing infrastructure and design a new infrastructure from scratch.
After you've developed a clear understanding of the existing user and resource distribution, you must then work with company management to develop an understanding of their future plans. How large will the company grow? What new resources will be added? How will the distribution of users and resources change? Try to identify the differences between the existing state and the proposed future state so that you can craft your infrastructure design accordingly.
Assessing Available Connectivity
If you are working on a design for a network that is geographically distributed, you will need to become familiar with the connectivity that is available to each location. If the site is already connected to the current infrastructure, examine its current connectivity. Is it adequate? Does it meet the company's goals in terms of cost, performance, and scalability? What other options are available? You might need to check with the provider of the connectivity you are examining if it is in the form of some kind of leased line. If the connectivity is provided through Plain Old Telephone Service (POTS), you might want to inquire whether an alternative means of connecting is available. In some mountainous or rural areas, connectivity options, including POTS, might be limited.
If the location you are examining is a new one, or if it is not connected to the existing infrastructure for some other reason, you will need to investigate the connectivity options available in that area. Remember that connectivity concerns include both ends of the link. You must determine the connectivity options that are common to both the remote site and the central site that it will connect to (if, indeed, you are connecting to a central site). Different connectivity models require different approaches. Two typical connectivity models are the hub and spoke model and the mesh model.
In a hub and spoke network, one site (the hub) is selected as a central point of communication, and all other sites connect to it. The links from the remote sites to the hub site are the spokes, resembling the spokes of a wagon wheel. Figure 2.1 depicts a hub and spoke network.
Figure 2.1 In a hub and spoke network topology, remote sites all connect to a central site, usually the corporate headquarters.
A mesh network, on the other hand, has no central point of communication. There is no hub. Instead, each location is connected to several other locations. A mesh network can be either fully meshed or partially meshed. In a fully meshed network, each site is connected to every other site. Figure 2.2 depicts a fully meshed network.
Figure 2.2 In a fully meshed network topology, all sites connect to all other sites.
In a partially meshed network, one or more sites are connected to every other site. However, other sites on the network are not connected to every other site; some sites might be connected to only one other site, or to several sites. Figure 2.3 shows a network that is partially meshed.
Figure 2.3 In a partially meshed network topology, some sites connect to every other site on the network, and other sites are not connected to every other site.
Once you have determined which model you want to use, you can investigate the connectivity that is available for each proposed link in the network design. After you determine the available options, you can decide which options provide the required level of connectivity with respect to cost, performance, scalability, and reliability.
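As an added example (not code from the book), the following Python script builds the three topologies described above for a constructed set of sites, counts the links each one needs, and goes one step beyond the text by checking which single site failure would cut the remaining sites off from each other. The site names and the choice of core sites for the partial mesh are assumptions of this example.

```python
"""Link counts and single points of failure for hub and spoke, full mesh and partial mesh.

Added example, not from the book. Site names are constructed.
"""
from itertools import combinations


def hub_and_spoke(sites, hub):
    """Every site links to the hub only: n - 1 links."""
    return {frozenset((hub, s)) for s in sites if s != hub}


def full_mesh(sites):
    """Every site links to every other site: n(n - 1)/2 links."""
    return {frozenset(pair) for pair in combinations(sites, 2)}


def partial_mesh(sites, core):
    """Sites in `core` link to every other site; the rest link only to the core."""
    links = set()
    for c in core:
        for s in sites:
            if s != c:
                links.add(frozenset((c, s)))
    return links


def connected_without(sites, links, failed):
    """Can the surviving sites still reach one another if `failed` goes down?"""
    remaining = [s for s in sites if s != failed]
    if len(remaining) < 2:
        return True
    adjacency = {s: set() for s in remaining}
    for link in links:
        a, b = tuple(link)
        if failed not in (a, b):
            adjacency[a].add(b)
            adjacency[b].add(a)
    seen, stack = set(), [remaining[0]]   # depth-first reachability from one survivor
    while stack:
        s = stack.pop()
        if s in seen:
            continue
        seen.add(s)
        stack.extend(adjacency[s] - seen)
    return len(seen) == len(remaining)


def single_points_of_failure(sites, links):
    """Sites whose loss partitions the network."""
    return [s for s in sites if not connected_without(sites, links, s)]


if __name__ == "__main__":
    sites = ["HQ", "Boston", "Denver", "Austin", "Seattle"]   # constructed
    for name, links in (("hub and spoke", hub_and_spoke(sites, "HQ")),
                        ("full mesh", full_mesh(sites)),
                        ("partial mesh", partial_mesh(sites, ["HQ", "Denver"]))):
        print("%-14s %2d links, single points of failure: %s"
              % (name, len(links), single_points_of_failure(sites, links)))
```

The link count is the cost side of the comparison; the single-point-of-failure list is the reliability side. A hub and spoke design concentrates both cost savings and risk at the hub.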
Assessing Bandwidth and Latency
A major factor in designing connectivity throughout the network infrastructure is bandwidth. Bandwidth is the measure of the amount of data that a network link can carry at any given time. Bandwidth is typically measured in bits per second (bps), or some multiple of bps. Typical multiples are kilobits per second (Kbps) and megabits per second (Mbps). A standard Ethernet network can carry 10Mbps of data, so its potential available bandwidth is also 10Mbps. Fast Ethernet offers 100Mbps of potential bandwidth. A T-1 leased line offers 1.544Mbps of bandwidth, compared to a typical modem connection across POTS lines, which can offer only a theoretical 56Kbps (in actual practice, less than 53Kbps).
The figures above are potential bandwidth. I say potential bandwidth because, depending on the topology and the type of use to which the link is put, the actual amount of data that can cross the link will vary. The actual amount of data that crosses a link is called the throughput of the link. Throughput can be measured overall or on a per-user basis. When you measure throughput on a per-user basis, you are typically only concerned with user data that crosses the network link. Many other types of data will occupy the network link at any given time. This data uses up a portion of the potential bandwidth.
Other data that might occupy the network link includes control information necessary to maintain the link itself, and broadcast or multicast information put on the network by devices that offer network services. For example, file servers and print servers often broadcast across the network. Routers exchange routing protocol information with each other in order to provide network services. Bridges exchange Bridge Protocol Data Units (BPDUs) with each other. All of this data crosses the network link and uses the same bandwidth that might be available for user data. The amount of bandwidth left over for user data, after subtracting all the bandwidth used by other kinds of data, is referred to as net available bandwidth.
You need to assess the net available bandwidth on all network links. This will determine if the links can meet the company's performance requirements.
A related factor that affects throughput is latency. Latency refers to the amount of time between the moment when a network station sends the first data packet and the moment when the transmission of that packet is completed successfully. Average latency is sometimes also called propagation delay. Applications often have limited tolerance for latency. Increases in network latency can be the cause of application timeouts and consequently loss of functionality and increased downtime. Your network infrastructure design should be created with every effort to minimize latency.
Increases in latency often point to a network link that is overutilized and unable to meet the demands placed on it. When analyzing network links over extended periods of time, note any periods where dramatic increases in latency accompany increases in utilization. If these periods occur frequently, the link might be overutilized and will need to be improved in your new design.
How do you measure bandwidth and latency? Use a network protocol analyzer. Many protocol analyzers, such as Network Associates' Sniffer or Microsoft's Network Monitor, allow you to gather network bandwidth, utilization, and latency statistics. Some products produce charts from data collected over a long period of time. The charts are created from data that is collected by taking a "snapshot" of the traffic on the network and analyzing the traffic. Snapshots are taken at specific intervals. Most protocol analyzers allow you to specify the interval at which snapshots are taken. Depending on the interval at which the snapshots are taken, the charts can tell you different things.
For example, a network utilization chart with snapshots taken every 60 seconds will give you lists of details about those times when the network is most heavily utilized. The same chart on the same network link with snapshots taken every 60 minutes will probably not give you the same impression of the link's utilization. With longer snapshot intervals, peaks in utilization tend to get averaged out.
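The following Python script is an added example (not code from the book or from any analyzer product). It builds a constructed two-hour per-second frame log for the 10 Mbps Ethernet link mentioned above, computes link utilization with 60-second and 60-minute snapshot intervals to show how the longer interval averages a short peak away, and subtracts the routing, BPDU and broadcast traffic to arrive at net available bandwidth. The traffic classes, byte counts and burst timing are constructed; a real capture would supply them.

```python
"""Utilization at different snapshot intervals, and net available bandwidth.

Added example, not code from the book. The link speed is the 10 Mbps Ethernet
figure from the text; the traffic log, its class labels (user, routing, bpdu,
broadcast) and the burst timing are constructed for this example.
"""
from collections import defaultdict

LINK_BPS = 10_000_000  # standard Ethernet, 10 Mbps


def build_sample_log(seconds=7200):
    """Constructed per-second frame log: (second, traffic_class, bytes).

    Overhead traffic is constant; user traffic is modest except for a
    three-minute burst starting at second 1800 that nearly saturates the link.
    """
    log = []
    for s in range(seconds):
        log.append((s, "routing", 2_000))     # routing protocol exchanges
        log.append((s, "bpdu", 300))          # bridge protocol data units
        log.append((s, "broadcast", 5_000))   # file/print server announcements
        user_bytes = 900_000 if 1800 <= s < 1980 else 100_000
        log.append((s, "user", user_bytes))
    return log


def utilization_by_interval(log, interval_s, link_bps=LINK_BPS):
    """Average link utilization (0..1) for each snapshot interval of interval_s seconds."""
    bytes_per = defaultdict(int)
    for sec, _cls, nbytes in log:
        bytes_per[sec // interval_s] += nbytes
    return {i: (b * 8) / (link_bps * interval_s) for i, b in sorted(bytes_per.items())}


def peak_utilization(log, interval_s, link_bps=LINK_BPS):
    """Highest interval average; long intervals average short peaks away."""
    return max(utilization_by_interval(log, interval_s, link_bps).values())


def net_available_bandwidth(log, link_bps=LINK_BPS):
    """Link speed minus the average rate of all non-user traffic, in bps."""
    seconds = max(sec for sec, _, _ in log) + 1
    overhead_bits = 8 * sum(nbytes for _, cls, nbytes in log if cls != "user")
    return link_bps - overhead_bits / seconds


if __name__ == "__main__":
    sample = build_sample_log()
    print("peak utilization, 60 s snapshots:   %.3f" % peak_utilization(sample, 60))
    print("peak utilization, 60 min snapshots: %.3f" % peak_utilization(sample, 3600))
    print("net available bandwidth: %.0f bps" % net_available_bandwidth(sample))
```

With 60-second snapshots the burst shows up as a roughly 73 percent peak; with 60-minute snapshots the same burst is diluted to under 12 percent, which is exactly why the snapshot interval must be chosen before the utilization chart is read.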
Performance, Scalability, and Availability
Three terms you will hear often are performance, scalability, and availability. When you design network infrastructures, these will usually be your primary concerns. Often the issues surrounding performance, scalability, and availability will be a higher priority than cost. It can also be said that keeping performance, scalability, and availability as high as possible while keeping cost as low as possible is the most difficult challenge a network designer faces. You will face this challenge on nearly every design project you undertake.
Let's define the three terms:
Performance. The ability of the network infrastructure to effectively and efficiently meet the demands for network services.
Scalability. The ability of the network infrastructure to expand or contract in accordance with the demand for network services.
Availability. The percentage of time that the network infrastructure is up and running and available for use.
Performance is often a very subjective term. Appraisals of performance will vary from user to user. It is good to gather anecdotal evidence of a network infrastructure's performance to gain an understanding of the customer's position on the performance of its existing infrastructure. You will also want to collect some more concrete evidence by taking some measurements. A protocol analyzer is a good tool for this.
You will want to measure the utilization of each network link. Utilization is the measure of the amount of bandwidth actually used by all the network services traversing the link in a given period of time. In addition to utilization, you will want to examine latency: the round-trip time of network requests sent from client computers to servers hosting network resources and back again. You will need to collect this information over an extended period of time to make sure that you can see how the network meets its demand at various times. Demand for network services increases and decreases at various times of the day, so you will want to make sure you have collected data from all of the times when the demands on the network are high.
In addition to utilization, response time, and delay, you will want to quantify the following:
Capacity. The total amount of data that the link might carry.
Throughput. The actual amount of data that successfully crosses the network.
Accuracy. The rate of error-free data transmissions compared to total transmissions.
Efficiency. The rate of data throughput relative to the transmission overhead required to achieve that throughput.
Once you have data reflecting the actual performance of the existing network infrastructure, you can assess the changes and improvements that must be made in your new network infrastructure design.
In some cases, you will have specific performance levels that must be met. Sometimes, applications developers will provide data that outlines the network performance levels that must be met in order for their applications to function properly. If you have collected accurate data on your own, it will be easy to identify areas where improvements must be made. In some cases, you might identify areas in the existing infrastructure where the available resources grossly exceed the demands placed on them. Armed with specific performance requirements, you might find that you can reduce the resources expended in these areas and save a substantial amount of money while continuing to meet the demand for network resources.
Be careful, however, that you do not sacrifice scalability. Once you have investigated the company's future growth plans and have examined the company's past growth trends, you will be able to calculate the room for expansion that you will need to design into the network infrastructure. Make sure that you design your network infrastructure with enough capacity to handle an unexpected increase in network demand, and that you give your network the ability to be adapted to support any future plans for increases in the number of users, sites, or network services.
Finally, consider the availability requirements for the network infrastructure and the services that rely on it. For example, in a medical environment, the systems that are used to monitor the patient's health must be available all the time. Loss of availability for these devices can have dire consequences. Likewise, in a financial transaction environment, network services must be readily available. Loss of functionality of a network component or service could result in transactions being lost or processed incorrectly. This could have very costly ramifications.
Availability is most often represented as a percentage with two decimal places of accuracy. For example, a typical availability goal might be 99.95 percent. If this is the goal, you are saying that in a given week the network can experience downtime only 0.05 percent of the time. One week has 168 hours (24 hours x 7 days), or 10,080 minutes. To calculate the acceptable downtime per week, multiply the number of minutes in one week by the acceptable downtime fraction (10,080 x 0.0005). The result is about 5 minutes. Compare this to an availability rate of 99.50 percent, which allows for nearly one hour of downtime per week. This would be totally unacceptable in most enterprises. A limit of 5 minutes of downtime per week will probably be an acceptable availability goal for company management, but it might be a lofty goal for network engineers. Nevertheless, if the company specifies an availability goal of 99.95 percent, you must create your design to provide for this availability.
When you consider the purchase of network hardware to implement your design, you might see that the manufacturer expresses the availability of its products using the following terms:
Mean Time Between Failure (MTBF). The average amount of time that a device operates properly before a malfunction occurs.
Mean Time To Repair (MTTR). The average time that it takes to repair a device and restore it to proper operation once a malfunction has occurred.
You will want to make sure that the devices included in your design specify a very high MTBF and a very low MTTR. Keep in mind that averages give little indication of the amount of variance in the data. Devices could frequently fail at intervals much shorter than the mean. Also, devices could take considerably more time to repair than the mean.
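The Python script below is an added example, not code from the book. It carries the downtime arithmetic above through for any availability goal and period, checks a device's vendor MTBF/MTTR figures against a goal, and summarizes a constructed set of failure intervals to show why the mean alone hides the variance. The relation availability = MTBF / (MTBF + MTTR) is the usual steady-state formula and is an assumption of this example; the text only defines the two terms.

```python
"""Downtime budgets from an availability goal, and availability from MTBF/MTTR.

Added example, not from the book. The relation availability = MTBF / (MTBF + MTTR)
is the usual steady-state formula and is an assumption of this example; the
text only defines the two terms. Failure intervals below are constructed.
"""

MINUTES_PER_WEEK = 24 * 7 * 60     # 10,080, as in the text
MINUTES_PER_YEAR = 365 * 24 * 60


def downtime_minutes(availability_percent, period_minutes=MINUTES_PER_WEEK):
    """Downtime allowed in a period by an availability goal such as 99.95."""
    if not 0 <= availability_percent <= 100:
        raise ValueError("availability must be a percentage from 0 to 100")
    return period_minutes * (100 - availability_percent) / 100


def availability_from_mtbf_mttr(mtbf_hours, mttr_hours):
    """Steady-state availability in percent (assumed formula, see docstring)."""
    if mtbf_hours <= 0 or mttr_hours < 0:
        raise ValueError("MTBF must be positive and MTTR non-negative")
    return 100 * mtbf_hours / (mtbf_hours + mttr_hours)


def device_meets_goal(mtbf_hours, mttr_hours, goal_percent):
    """Does a device with these vendor figures satisfy the availability goal?"""
    return availability_from_mtbf_mttr(mtbf_hours, mttr_hours) >= goal_percent


def failure_interval_summary(intervals_hours):
    """Why the mean alone is not enough: report the mean, the shortest observed
    interval, and the share of intervals shorter than half the mean."""
    if not intervals_hours:
        raise ValueError("need at least one interval")
    mean = sum(intervals_hours) / len(intervals_hours)
    short = sum(1 for x in intervals_hours if x < mean / 2)
    return {"mean": mean, "min": min(intervals_hours),
            "share_below_half_mean": short / len(intervals_hours)}


if __name__ == "__main__":
    for goal in (99.95, 99.50):
        print("%.2f%% -> %.1f min/week, %.0f min/year" % (
            goal, downtime_minutes(goal), downtime_minutes(goal, MINUTES_PER_YEAR)))
    print("MTBF 5000 h, MTTR 2 h -> %.3f%%" % availability_from_mtbf_mttr(5000, 2))
    # Constructed intervals: a respectable mean, but half the failures come early
    print(failure_interval_summary([100, 4000, 50, 5000, 20, 6000]))
```

A device quoted at 5,000 hours MTBF with a 2-hour MTTR clears a 99.95 percent goal on paper; the same device with a 4-hour MTTR does not, which is why the repair time matters as much as the failure rate when you read a data sheet.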
Data and System Access
In order to gain a complete understanding of the real demands that are placed on a network, you will need to examine how the end users use the network to access its systems and the data that is stored on them. Observing the data and system access patterns will help you determine the times and locations where the most stress is placed on the network. You will need to make sure that your network infrastructure design can support the demands that will be placed on it. You might also want to identify network access patterns that are inappropriate or inefficient and make company management aware of them before creating your design. If you can show management that money can be saved and productivity can be increased by changing an existing data or system access pattern, you might be able to simplify your network infrastructure design.
Some data and system access patterns are typical in most enterprises. For example, you might find that network traffic increases dramatically and the impact on authentication servers is most severe early in the morning. This is the time when most company employees are arriving for work and logging in to their computers.
If the company is integrating its network infrastructure with that of its partners, suppliers, or clients, you might find that you cannot accurately predict data and systems access without analyzing the behavior and interaction of the partners, suppliers, and clients, and how they make use of the company's network. If the company does business over the Internet or operates 24 hours a day, 7 days a week, you will need to examine the data and system access patterns that occur throughout the day. You will most likely need to examine these patterns over the course of a number of days to get a complete and accurate picture of the real demand for network services within the organization.
Network Roles and Responsibilities
Network roles and responsibilities are all about the systems performing server roles on the network. Each server has a role to play and a service to provide. Many of the individual services will be discussed later in this section, but this section focuses on the role of servers in the infrastructure itself. These include the following:
Global catalog servers. This server is used to search a subset of the Active Directory in the local site and to help users locate a login server. It is a special version of a domain controller. Without this service on the network, users could have problems logging on, and remote searches of the Active Directory would take longer because they would need to traverse the WAN.
Name servers. These are required to resolve computer names to IP addresses and to locate infrastructure services, such as the global catalog and Kerberos (authentication) servers on the network. These may be DNS, WINS, HOSTS files, LMHOSTS files, or the preferred method in Windows 2000, Dynamic DNS.
Domain controllers. These are required for the purposes of logging into the domain. Domain controllers also contain a replica of the Active Directory that holds the dynamic DNS databases as well as everything else that the Active Directory stores and provides.
Security servers. These include PK servers for Kerberos authentication and RADIUS servers for Internet standard remote access authentication.
DHCP servers. These servers perform the functions of assigning IP addresses to clients and registering the clients' host names with the dynamic DNS service.
Remote access servers. Whether this is traditional dial-in RAS, VPN, RRAS, or Terminal Services, this is a critical role for remote users. These servers provide connectivity over various types of third-party networks, such as the Internet, PSTN, ISDN, and other types of leased bandwidth for remote sites and users.
Operations masters. These special domain controllers are unique to the domain in that one of each type of master must exist somewhere in the domain or forest it belongs to. There is much more information on operations masters in Windows 2000 Directory Services Design by Scott Archer (New Riders Publishing, ISBN 0735709831).
These operational roles include the schema master, domain naming master, relative identifier master, primary domain controller emulator, and infrastructure master.
File and print servers. As the most common and most basic server role, these servers provide the vast majority of resources to users through shared files and network-enabled printers.
Application servers. These servers are second only to file and print servers in terms of providing resources to end users. These can include service roles as email servers, Web servers, database servers, and a host of other third-party applications.
As you can see, there are many possible server roles, but the bottom line is that they provide the medium in which users may collaborate. Some of these provide the infrastructure across which the users can communicate securely, and others provide the group resources for the four basic categories of computing: input, processing, storage, and output.
Security considerations are numerous when you're creating a new network infrastructure design. In fact, the issues surrounding network security are so numerous that, if you give them too much consideration, you might never get your design project off the ground. One way to simplify matters somewhat, and to keep security concerns in their proper perspective, is to evaluate the existing security measures against the business goals. Try to determine if the existing approach to network security has been effective, and whether it helps facilitate the company's goals or hinders them. If the security measures currently in place have not been effective, you'll need to examine the areas in which there were failures in order to develop new strategies to enhance security in those areas. Keep in mind that as tighter security procedures are put into place, the network becomes proportionally less flexible.
Some of the areas that you will want to examine when evaluating the current security measures are described in the following sections.
Physical Security
Examine the physical location of all devices that are connected to the network, as well as the locations of the wiring and other components that make up the physical network. Look at the placement of desktop computers, file servers, hubs, switches, and routers, and ask the following questions:
Are the computers accessible only to those authorized to do so?
Are the infrastructure components (hubs, switches, routers) kept in secure areas with access controlled in some way?
Is there any way to track who has access to these devices and when they have used that access?
Are there measures in place to prevent someone from removing computers or other devices from the company premises?
The answers to these questions will help you determine whether the physical security that is currently in place is effective. Desktop computers are typically an issue when it comes to physical security. Usually, there is little to stop someone from simply walking up to a desk and using the computer that is located there. For this reason, desktop computers should have access controlled by password to ensure that the person who uses a desktop computer is the person intended to do so.
File servers should be kept in a room dedicated to storing these devices. They should be kept in a climate-controlled environment where physical access is controlled. A typical datacenter where file servers are housed will have a raised floor, an industrial air conditioner, and some kind of access control method. This method might be as simple as a locking doorknob (where few people have keys), or it might be something very complicated (with keycards, fingerprint readers, or retinal scanners). The access control method used is often determined by the level of risk associated with unauthorized access to the datacenter, as well as the budget available for security. Regardless of the selected method, the main objective is to allow access to the datacenter only to those who are authorized for such access. An added benefit of some access control methods is a record of who is accessing the datacenter and when they access it.
Network infrastructure devices should also be kept behind locked doors, but they are often distributed across an enterprise due to the function they perform. These devices should be stored in wiring closets with access controlled by a method similar to that used to control access to the datacenter.
There should also be a procedure in place to prevent someone from simply carrying computer equipment off company premises. Often, sensitive data is stored on company computers. Given the trend in the technology age to provide as much information as possible to employees, the likelihood that sensitive company information could be found on a desktop or laptop computer is high. You might not be able to have much impact on company plans to take steps such as hiring security guards to inspect bags and packages as they enter and leave the building, but you can probably make a few suggestions. For example, desktop computers can be attached to the furniture in the offices by some kind of security cable. Many such cables are available for this purpose. Using such a cable, the PC is locked down to a permanent or semipermanent fixture so that it cannot be simply carried off. Laptop computers can be adapted to support these security cables as well, and rightly so. The highly portable nature of laptops makes them a prime target for theft.
Internal Access Security
Another area to examine when evaluating the existing security measures is internal network security. This defines the access to network resources that is granted to the company's own employees, as well as to contractors performing work for the company inside company facilities. In many company network environments, it is common to grant different levels of access to systems and data based on the responsibilities and job functions of the employees who are granted access. For example, senior-level executives are granted much greater access to company financial information than receptionists. The company Chief Financial Officer would be granted even greater access. Another example is the levels of access granted to the company email system. Each end user is granted complete control over his or her own mailbox but must not be granted any access to other employees' mailboxes. An exception to this might be secretaries who must access the mailboxes of their managers or email administrators who must have access to all the users' mailboxes.
When evaluating existing internal access security, ask the following questions:
What are the administrative levels at which employees are granted different levels of system and data access?
What are the procedures for determining and granting an appropriate access level to each employee?
What procedures exist to determine if an employee has been granted greater access than is appropriate?
What procedures are in place to determine successful and unsuccessful attempts to exercise inappropriate access levels?
You will need to determine the various levels of access that must be granted and ensure that your design supports these levels of access. You should also attempt to build methods for auditing access events and administrative alerts into your network infrastructure design wherever possible.
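The Python script below is an added example, not code from the book, of two checks that answer the last two questions above: it reconciles the access actually granted to each employee against what that employee's job function should have, and it pulls failed attempts and successes outside the user's role out of an audit log. The roles, permissions, user names and the one-line log format are all constructed for this example; they are not a Windows 2000 event format.

```python
"""Internal access review: over-granted access and suspicious audit events.

Added example, not from the book. Roles, permissions, users and the log
format are constructed for illustration.
"""

# Expected access per job function (constructed policy, mirroring the text's examples)
ROLE_ACCESS = {
    "receptionist": {"mail:own"},
    "secretary": {"mail:own", "mail:manager"},
    "executive": {"mail:own", "finance:read"},
    "cfo": {"mail:own", "finance:read", "finance:write"},
    "mail_admin": {"mail:own", "mail:all"},
}

# user -> (role, permissions actually granted); bob is over-granted on purpose
SAMPLE_USERS = {
    "alice": ("receptionist", {"mail:own"}),
    "bob": ("secretary", {"mail:own", "mail:manager", "finance:read"}),
    "carol": ("cfo", {"mail:own", "finance:read", "finance:write"}),
}

# Constructed audit lines: "time user permission result"
SAMPLE_LOG = [
    "09:01 alice mail:own OK",
    "09:02 alice finance:read FAIL",   # failed attempt outside her role
    "09:05 bob finance:read OK",       # succeeded, but beyond the secretary role
    "09:07 carol finance:write OK",
]


def excess_access(users, role_access=ROLE_ACCESS):
    """Return {user: permissions granted beyond the user's role}."""
    findings = {}
    for user, (role, granted) in users.items():
        extra = set(granted) - role_access.get(role, set())
        if extra:
            findings[user] = extra
    return findings


def parse_audit_line(line):
    """Parse one constructed audit line into a dict."""
    ts, user, perm, result = line.split()
    return {"ts": ts, "user": user, "perm": perm, "result": result}


def suspicious_events(log_lines, users, role_access=ROLE_ACCESS):
    """Failed attempts, plus successes that exceed the user's role."""
    events = []
    for line in log_lines:
        ev = parse_audit_line(line)
        role = users.get(ev["user"], ("unknown", set()))[0]
        allowed = role_access.get(role, set())
        if ev["result"] == "FAIL" or ev["perm"] not in allowed:
            events.append(ev)
    return events


if __name__ == "__main__":
    print("over-granted:", excess_access(SAMPLE_USERS))
    for ev in suspicious_events(SAMPLE_LOG, SAMPLE_USERS):
        print("alert:", ev)
```

The second check is the important one in practice: a successful access that the role model says should not have been possible is evidence that the granting procedure, not just the user, needs review.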
External Access Security
Perhaps the most popular perspective on network security is one that focuses on external access. Although internal security threats are more dangerous and more likely to succeed (as we have already discussed), protecting your internal systems and data from hackers on the outside is a notion that gets a lot of attention in the press these days. Remember, just because you're paranoid doesn't mean that they aren't really out to get you! The threat of system compromise from outside the organization is very real, so you should take appropriate precautions wherever your internal network borders the outside world. Areas of concern include the following:
Connections to public carriers
Connections to external networks owned by partners, suppliers, or clients
Anywhere that an outside user could potentially access the company's internal network is an area that must be protected. One example is a RAS server, where users connect to the company's internal network by dialing in from remote locations with modems. Care should be taken that the phone numbers associated with the modems on the RAS server do not become public knowledge. This might not be enough, however. Outsiders might use programs called war dialers that automate the task of calling hundreds of combinations of phone numbers, looking for a modem to answer. When a modem does answer, the phone number is logged for future break-in attempts.
A further step to secure dial-in servers is to configure them to automatically hang up and call the user back at a predetermined number. If an unauthorized user attempts to connect and break in using a valid user ID, the system will hang up and call the phone number that is associated with the valid user ID. In this way, an unauthorized user cannot access the network through the dial-in server unless he does so from the home of an authorized company employee.
Another example is a Web server that must be accessed by both internal employees and external customers over the Internet. In order to avoid increased costs for traffic over the company's Internet connection, it is common to connect such a server to the internal company network as well as to the Internet. In this way, internal employee traffic to the server is not first sent out over the company's connection to the Internet, only to return over that same connection to the internal network. Figure 2.4 depicts this scenario.
Figure 2.4 Company Web servers are often connected to the company's internal network as well as to the Internet.
The danger in this situation is that any server that is connected to both the internal network and an external network could be used as a "bridge" between the two networks. An unauthorized user might use this bridge to gain access to the internal network from the outside.
In situations such as this, it is common to build what is known as a demilitarized zone (DMZ). The DMZ is an area of your network that is connected to the outside world (the Internet) as well as to your internal network. A device known as a firewall protects the connection to each network. The firewall is used to filter out traffic that is undesirable, preventing unauthorized access to the internal network from the Internet and preventing access from the Internet to the Web server for any service other than World Wide Web files (HTTP access).
More Information on TCP/IP
For more information on TCP/IP in general and TCP/UDP ports specifically, refer to MCSE Training Guide: TCP/IP, Second Edition (New Riders Publishing, ISBN 1562059203).
Web servers are not the only servers that might find themselves placed in a DMZ. Examples of other servers that are commonly placed in a DMZ are SMTP servers, which handle Internet email, and FTP servers, which allow file transfer to or from the server. Each of these servers offers its services over a particular TCP/IP channel, called a port.
The firewall on the Internet side of the servers is configured to allow only traffic intended for those servers and ports to access the DMZ. The firewall on the other side of the servers is configured to prevent all traffic from the Internet from entering the internal network. Figure 2.5 depicts a DMZ.
Figure 2.5 A DMZ is an area of the company network that is connected to the Internet as well as to the internal network. The connection to each network is protected by a firewall.
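As an added example (not code from the book or from any firewall product), the following Python script models the two-firewall DMZ of Figure 2.5 as a pair of packet filters: the Internet-side firewall admits only the published host-and-port pairs (HTTP, SMTP, FTP) into the DMZ, and the internal-side firewall admits nothing into the internal network that did not originate there, which closes the "bridge" path through a dual-homed server described above. Addresses, host names and the rule format are constructed.

```python
"""Packet-filter model of a two-firewall DMZ.

Added example, not from the book. Address ranges (RFC 5737 documentation space
for the DMZ, 10/8 for the internal network) and hosts are constructed.
"""
from ipaddress import ip_address, ip_network

DMZ = ip_network("192.0.2.0/24")
INTERNAL = ip_network("10.0.0.0/8")

# Published DMZ services: host -> TCP ports the outer firewall lets in
PUBLISHED = {
    ip_address("192.0.2.10"): {80},    # Web server: HTTP only
    ip_address("192.0.2.25"): {25},    # SMTP server: Internet email
    ip_address("192.0.2.21"): {21},    # FTP server: control channel
}


def zone(addr):
    """Classify an address as internet, dmz or internal."""
    a = ip_address(addr)
    if a in DMZ:
        return "dmz"
    if a in INTERNAL:
        return "internal"
    return "internet"


def outer_firewall(src, dst, port):
    """Internet-facing firewall: Internet traffic may only reach published DMZ services."""
    if zone(src) == "internet":
        return zone(dst) == "dmz" and port in PUBLISHED.get(ip_address(dst), set())
    return True   # traffic leaving toward the Internet is not restricted by this model


def inner_firewall(src, dst, port):
    """Internal-side firewall: only internally sourced traffic enters the internal network.
    DMZ hosts are blocked too, so a compromised DMZ server cannot act as a bridge."""
    if zone(dst) == "internal":
        return zone(src) == "internal"
    return True


def permitted(src, dst, port):
    """A packet must satisfy both filters; each only constrains the zones it guards."""
    return outer_firewall(src, dst, port) and inner_firewall(src, dst, port)


def evaluate(packets):
    """Return [(src, dst, port, verdict), ...] for a list of (src, dst, port)."""
    return [(s, d, p, "ALLOW" if permitted(s, d, p) else "DROP") for s, d, p in packets]


if __name__ == "__main__":
    # Constructed sample packets (203.0.113.5 stands in for an Internet host)
    for row in evaluate([
        ("203.0.113.5", "192.0.2.10", 80),    # public web request
        ("203.0.113.5", "192.0.2.10", 23),    # telnet to the web server
        ("203.0.113.5", "10.1.2.3", 80),      # straight into the internal net
        ("192.0.2.10", "10.1.2.3", 445),      # DMZ web server reaching inward
        ("10.1.2.3", "192.0.2.10", 80),       # employee using the web server
    ]):
        print("%-14s -> %-12s port %-4d %s" % row)
```

The inner firewall's rule is the one most often weakened in practice, by allowing "just the database port" from a DMZ host into the internal network; the model makes it easy to see that any such exception reopens the bridge path the DMZ was built to close.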
Firewalls and DMZs are also useful tactics to employ in scenarios where the company's internal network will be connected to that of its partners, suppliers, and/or clients. As you examine the existing approach to external access security, you might find these strategies already in place. If not, you will need to ask the following questions:
Where is the internal network potentially vulnerable to unauthorized outside access?
What methods have been employed to prevent unauthorized access in these areas?
What methods are in place to identify unauthorized access attempts and to alert the appropriate people?
What methods are in place to identify the source of unauthorized access attempts?
The answers to these questions will help you identify weak areas in the existing security approach and ensure that your network infrastructure design has adequate security built into it.
This part of the chapter discussed many areas of a solid technical assessment. This is the first step in understanding the company's technical environment and providing a foundation for technical design. A technical assessment analyzes several factors in both the premigration environment and the post-migration goals. These factors include company size and the geographical distribution of its users; distribution and administration (centralized versus decentralized) of network resources; and the available connectivity via LAN, WAN, and remote access. Also included are concerns about the network bandwidth of that LAN/WAN/RAS connectivity, its scalability and availability, and how data and network systems are accessed. Finally, we discussed network roles and how security affects these systems. This brings us to the next part of the chapter, where we will review the physical structure of a network in more detail and analyze the impact that various devices and services have on the network.