Document: Optimizing Your Network on a Budget (16 pages, 191.15 KB)

Content
Optimizing Your Network on a Budget

Expert Reference Series of White Papers
Global Knowledge, 1-800-COURSES, www.globalknowledge.com

Raymond B. Dooley, CEO, International Communications Management, Inc., CCNP, CCDP, and CCSI

Copyright ©2006 Global Knowledge Training LLC. All rights reserved.

Introduction

The purpose of this paper is to define the issues related to optimizing an enterprise network, identify several new network technologies related to networking, and draw some conclusions on how best to satisfy the requirements defined. The paper uses the following format:

1. Definition of roles and examples of the relationship of corporate objectives and goals to network technology and optimization
2. Mission-critical network technology examples
3. Importance of staffing and technical certifications in network optimization, compared to outsourcing, and use of consultants for each technology example
4. Role of a training provider in network optimization for an enterprise with a limited training budget

The role of an Information Technology (IT) Manager in an enterprise is to implement and maintain systems and procedures to support the operational processes and strategic initiatives of the enterprise. One of the most important (and costly) of the managed systems is the enterprise network, including the enterprise campus network, the enterprise edge, the service provider edge, and all the equipment and topologies that define the network infrastructure. There are several forces that drive the process:

1. The enterprise develops new strategic initiatives that require the implementation of new technology
2. New technology is developed that offers an opportunity to lower costs, increase efficiency, or develop new strategic initiatives
3. Growth, sometimes complicated by acquisitions, may occur
4. Changes in operational processes (such as manufacturing or accounting) may require a change in IT technology or networking
5. Network solutions provided by network equipment and service providers change and evolve. For example, Service-Oriented Network Architectures (SONA) is one of the latest approaches.

If numbers one and two look a bit like the classic "chicken and egg" dilemma, they are. It is never certain whether a business strategy drove a technology, or a technology drove a new business strategy. Luckily, the IT manager does not have to solve this problem; instead, he implements the requirements and solutions created by the new development. All of this involves network optimization.

Network optimization is implementing technology and service to provide the most efficient network service to all users, meet all the organizational goals of the enterprise, and minimize costs. It is much easier to define than implement. It has numerous components:

1. Create and update a comprehensive network plan and design, starting with an accurate baseline of existing systems.
2. Implement new systems to meet new strategic initiatives without any network outages before, during, or after implementation.
3. Evaluate new technologies and network architectures (solutions), such as SONA, to determine if they will contribute to network optimization.
4. Utilize all available features of network equipment and services to support high availability networking, security, network management, and quality of service.
5. Prevent network outages. This will include a network design for high availability and a comprehensive network management system. Ensure that the operating systems and other software for all network devices are installed and maintained based on a compatibility standard to avoid costly version and feature mismatches.
6. Provide network security for the enterprise.
7. Recruit and train a staff to implement steps 1 – 6, troubleshoot, and maintain the optimized network.
Use of outsourcing, consultants, and the technical level of the network staff must be analyzed and compared based on networking objectives versus cost.

A CEO of a Fortune 100 Company once said (paraphrased), "I consider Information Technology to be a weapon in the battle to win global market share." While a firm believer in corporate missions and vision statements, the CEO thought that an enterprise achieved success by following no more than four simply stated strategic initiatives. An IT or network manager in the various corporate divisions was required to understand these initiatives, how to implement the systems to support them, and how to optimize the network for them. This had to be done at the lowest possible cost, because lowering costs was always one of the initiatives. Using various methods, most enterprises work the same way. All CEOs may not be as successful in articulating the requirements as this one was, but the idea is the same, creating identical challenges for IT and network managers.

The implementation of Automatic Teller Machines (ATMs) in the banking industry is a classic example of the impact of a new strategy on technology, and it provides a lead-in to a description of new network technologies and the importance of network optimization. In the early 1970s, a bank or banker (no one knows who had the idea first) visualized a machine that would provide banking services separate from a teller window. The vision included machines in non-traditional locations, 24-hour banking, and added services. Of course, these are things taken for granted today.

The challenge to implementing the new idea was that none of the requirements already defined for the IT and network managers in the previous paragraphs were met.

1. The banking industry could not agree on the location and contents of the magnetic stripe on the bank card.
2. There were no technology or network standards for ATMs; it was all vendor-driven.
3. The networks were optimized for IBM mainframe-to-terminal communications. The network managers were not consulted about the idea of ATMs and how to attach them to the corporate network.
4. The ATM machines contained a mini-computer that could only be networked with low-speed asynchronous communications protocols, which were incompatible with the mainframe and the existing network. However, the mainframe had to "talk" to the ATMs for them to work properly.

This is not a short story, but a saga, greatly shortened. During five years of trial and error, costing millions of dollars and countless man-hours, the ATM strategy was a total loser. The cost to implement, maintain, and network the machines was far greater than the revenue. The Return on Investment (ROI) was a large negative number. One banking executive was quoted, "If I could, I would take every ATM machine out, but I cannot because the other banks will leave them in, and I won't be competitive." This statement sums up why the banks continued to pour millions of dollars into this project. The war for market share dictated it.

Not surprisingly, the vision and strategy were valid. Once the banking customers accepted the ATMs and actually began to prefer them over going into the bank during banking hours, the banks were able to cut the teller force up to 70 percent and the ROI shot up dramatically. If today's managers were able to go back and use modern IT and network management techniques for the project, most of the errors and much of the cost could have been avoided by proper planning and deployment of IT and network technology. However, this is a smug view. The author was involved in the implementation of ATM machines and will verify that all of the techniques available at the time were utilized. From today's view, those techniques seem archaic and costly.
The question any IT or network manager must consider is, "Are the techniques and technologies in place for the network suitable to handle a completely new corporate strategic initiative?" In other words, is there an ATM-like project in the future for this enterprise? And if so, can it be implemented and optimized at the lowest possible cost?

The previous example is a description of actual events. Several years from now, similar business cases will be written about network technologies that are emerging now, such as IP telephony, wireless, and virtual private networks (VPNs) related to new developments such as medical multi-media, and virtualization of business and technology functions (SONA). Modern solutions are based on the idea that hardware, software, and network applications are "built-in" to network technologies and can then be implemented (turned on) as needed. It is important for IT and network managers of today to avoid the technology traps shown by the banking example.

One point becomes paramount from the information presented so far. Optimization and cost are two of the most important items for a network manager to consider. Before any conclusions are made about the best ways to meet optimization and cost requirements, several new and important network technologies must be described. Each of these technologies could have an impact on optimization, costs, or both. The first issue is determining if the technology is appropriate to meet the objectives of the enterprise, and the second is having the expertise to properly plan, design, and implement the new technology into the existing network. The following technologies will be considered:

1. Security
2. Virtual Private Networks (VPNs)
3. IP telephony and Quality of Service (QoS)
4. Wireless networking
5. IP Multicasting and IPv6

Many additional technologies such as high-availability networking, content networking, and storage networking could also be included, but this paper would become a textbook—much too long.

Security

If the CEO of Boeing Company were asked what the financial loss associated with Airbus obtaining the design plans for Boeing's newest airplane would be, he would respond with a number in the billions of dollars, probably over $100 billion. The next issue would be the odds of such a break-in: 1,000 to 1; 10,000 to 1; 100,000 to 1; or 1,000,000 to 1? The amount of corporate resources and budget allocated to security should be directly related to the value of the loss and the probability. If it is not, the corporate security policy is lacking.

There is consensus that the one best practice in designing and implementing network security is first to define a security policy. This is based on the idea that money allocated for security in the network will be wasted if the system is not optimized. This will be explored further in the certification and training section. There are several parts to a security policy:

1. Corporate Information
   a. Identify assets
   b. Assess risk
   c. Identify areas of protection
   d. Define responsibilities
2. Network Access Control Policy
3. Acceptable Use Policy
4. Security Management Policy
5. Incident-Handling Policy

Cisco's Security Architecture for Enterprise (SAFE) defines four steps in their security wheel after the security policy has been defined:

1. Secure
2. Monitor
3. Test
4. Improve

Two elements of network security will be explored: firewalls and intrusion detection/prevention. Neither of these is new, but there are new features and capabilities being introduced regularly.

The first step of the network implementation consists of four parts: user and data authentication; encryption; vulnerability patching; and firewalling.
Firewalling includes three primary functions: user authentication, denial of service (DoS) prevention, and packet filtering. A good number of firewalling solutions offload the user authentication to specialized servers called Authentication, Authorization, and Accounting (AAA). The DoS prevention is offloaded to specialized solutions for Intrusion Detection Service (IDS) or Intrusion Prevention Service (IPS). Firewall devices then specialize in filtering network traffic to allow only valid packets to cross firewall interfaces.

The firewall hardware is located between the outside filter (the router connected to the Internet) and the inside filter (the router connected to the enterprise campus). One type of firewall interface is untrusted (a Demilitarized Zone - DMZ), connected to such devices as web servers, DNS servers, E-mail servers, VPN concentrators, or access servers (for dial-up users), and the connection to the Internet. Trusted interfaces are connected either to the enterprise campus, or with application and database servers associated with the web servers on the non-trusted interface. In a network design, the systems described in this paragraph are called the Internet Connectivity Module and the E-Commerce Module.

A firewall system should support:

1. Packet filtering (main job)
2. Network Address Translation
3. Fail-over and hot standby
4. AAA—Authentication, Authorization, and Accounting (usually offloaded)
5. Virtual Private Networks (VPNs may terminate on the firewall as one option)

One major security vendor, Cisco Systems, has offered the Private Exchange (PIX) firewall system for many years. It includes:

1. Finesse operating system
2. Adaptive security algorithm
3. Cut-through proxy operation
4. Stateful fail-over and hot standby
5. Translations
6. Access control
7. Object grouping
8. Attack guards and intrusion detection
9. AAA
10. VPNs
11. PIX device manager

The cost of firewalls varies widely, depending on the size and complexity of the design, the speed and number of firewall interfaces required, and the size of the network. In addition, the cost must be weighed against the cost of a major break-in. As a manager is optimizing the network for an enterprise, he should be aware of the present level of network security threats, have a valid security policy, and implement the latest solutions. As a philosopher once said, "The devil is in the details," and it has never been more accurate than when trying to keep up with "the latest solutions." Cisco Systems has recently announced the Adaptive Security Appliance 5500 (ASA 5500), which has the ability to replace the existing PIX firewall, the VPN concentrator, the AAA server, and, perhaps, the Intrusion Prevention System. The ASA 5500 has the following abilities:

1. Layer 2 transparent firewall allows implementation transparency with no address changes. It also provides integration with existing complex routing, high-availability, and IP multicasting.
2. Services virtualization enables the logical partitioning of a single ASA 5500 into virtual firewalls, each with its own unique policies and administration. It allows consolidation of multiple firewalls into one device.
3. Standard IEEE 802.1Q Virtual LAN (VLAN) trunking support.
4. OSPF routing support.
5. Support for Protocol Independent Multicast (PIM) for IP multicast
6. IPv6 support
7. QoS support for Low-Latency Queuing (LLQ) and traffic policing to support real time traffic
8. IP telephony support for IP phone deployments
9. Stateful active/standby for fail-over

Intrusion detection/prevention systems operate at step two of the security implementation to detect and automatically stop intruders at the enterprise edge, as the first line of defense.
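The packet-filtering role described above (allow only valid packets between the outside, DMZ and trusted interfaces) and the reconnaissance detection that the IDS/IPS paragraphs below go on to discuss, shown together as an added example that is not from the paper or from any vendor product. The zones, addresses, rule set and traffic sample are constructed for illustration; a real rule set is derived from the enterprise's own security policy and address plan.

```python
"""Added example (not from the white paper): a minimal stateless packet filter
for the Internet Connectivity / E-Commerce module, plus a reconnaissance
(port-sweep) detector run over the packets the filter denied. Zones, addresses,
rules and traffic are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zones: the DMZ and the trusted campus; anything else is "outside".
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),
    "inside": ip_network("10.0.0.0/8"),
}

def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "outside"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    dport: int

# Ordered rule list: (src zone, dst zone, proto or None, allowed ports or None).
# First match wins; anything unmatched is denied (default deny).
RULES = [
    ("outside", "dmz", "tcp", {80, 443}),   # public web servers
    ("outside", "dmz", "udp", {53}),        # public DNS
    ("outside", "dmz", "tcp", {25}),        # inbound e-mail
    ("dmz", "inside", "tcp", {1433}),       # web tier -> database tier only
    ("inside", "outside", None, None),      # campus users out to the Internet
    ("inside", "dmz", None, None),          # campus users to DMZ services
]

def filter_packet(pkt: Packet) -> bool:
    """Return True if the packet may cross the firewall, else False."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    for rule_src, rule_dst, proto, ports in RULES:
        if (rule_src, rule_dst) != (src_zone, dst_zone):
            continue
        if proto is not None and proto != pkt.proto:
            continue
        if ports is not None and pkt.dport not in ports:
            continue
        return True
    return False

def detect_reconnaissance(denied: list, threshold: int = 5) -> dict:
    """Flag sources whose denied packets touched at least `threshold` distinct
    destination ports: the signature of a port sweep, which the paper notes
    usually precedes an access or DoS attack. Returns {src: distinct_ports}."""
    ports_by_src = defaultdict(set)
    for pkt in denied:
        ports_by_src[pkt.src].add(pkt.dport)
    return {src: len(p) for src, p in ports_by_src.items() if len(p) >= threshold}

def run(packets: list) -> tuple:
    """Apply the filter, then run the detector over the deny log."""
    permitted = [p for p in packets if filter_packet(p)]
    denied = [p for p in packets if not filter_packet(p)]
    return permitted, denied, detect_reconnaissance(denied)

# Constructed traffic sample: legitimate web/DNS hits, one attempt from the
# Internet straight at the inside network, and one outside host sweeping DMZ ports.
SAMPLE = [
    Packet("203.0.113.10", "192.0.2.10", "tcp", 443),
    Packet("203.0.113.10", "192.0.2.20", "udp", 53),
    Packet("203.0.113.10", "10.1.1.5", "tcp", 445),        # Internet -> inside: denied
    Packet("10.1.1.5", "203.0.113.10", "tcp", 443),        # campus -> Internet: permitted
    Packet("192.0.2.10", "10.2.2.2", "tcp", 1433),         # web -> DB: permitted
    Packet("192.0.2.10", "10.2.2.2", "tcp", 22),           # web -> inside SSH: denied
] + [Packet("198.51.100.7", "192.0.2.10", "tcp", port) for port in (21, 22, 23, 110, 139, 3389)]

if __name__ == "__main__":
    permitted, denied, suspects = run(SAMPLE)
    print(f"permitted={len(permitted)} denied={len(denied)} suspects={suspects}")
```

Two design points are worth noting. The filter is default-deny and evaluated per interface pair, which is what keeps a compromised DMZ web server from reaching anything on the inside except the database port it needs. The detector reads only the deny log, so it sees exactly the traffic the firewall already refused; a production IDS/IPS would inspect permitted traffic as well, which is why the paper places it in the server farm and campus modules too, not only at the edge.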
IDS/IPS solutions are used to inspect packets traversing network links and may be deployed in network modules within the enterprise campus, as well as at the enterprise edge. The server farm module is another prime candidate for these solutions. IDS deployed as an application on a server is called Host IDS (HIDS). IDS/IPS also can ensure that the security devices in step 1 (secure) have been configured properly. There are three basic types of attacks:

1. Reconnaissance
2. Access
3. Denial of Service (DoS)

Many times, a reconnaissance attack will precede an access or DoS attack. The Cisco IPS 4200 series is one system for intrusion detection/prevention. It would be part of the enterprise implementation in the Internet Connectivity/E-Commerce module of the network design. The cost of these systems will vary and must be weighed against the cost of an outage. A denial of service attack, for example, may cause the corporate servers to be down for a day or more. These are launched against companies like Yahoo and Google on a regular basis with a wave of publicity. For example, suppose the cost of an IDS/IPS system is $40,000, including $10,000 for training of key personnel. The gross profit lost from a day of server outage is $75,000. The ROI for the IDS system, based on this one outage, is 50 percent. A ROI example for an individual enterprise would reflect actual system cost and the cost of a server outage, but security falls into the category of "not being able to afford to not do it."

Trained and competent network personnel are absolutely necessary to make security systems work: not only to implement the system, but also to decide if it is needed, select which system to purchase, alter the network plan and design to include it, and optimize the network after implementing it. The manager now faces some difficult and important choices related to network security optimization, which will be covered in more detail in the conclusion portion of this paper.

Virtual Private Networks

A Virtual Private Network (VPN) allows a "tunnel" to be constructed through a public network such as the Internet, for the purpose of transporting private data. The tunnel must be secured by public and/or private keys and a combination of a data integrity hash and encryption. A typical data authentication is either Secure Hash Algorithm (SHA) or Message Digest 5 (MD5). The encryption method can be Triple DES (3DES) or Advanced Encryption Standard (AES). The entire process of key exchange, data authentication, and data encryption is included in IP Security (IPSec). VPNs are being used for many purposes in the enterprise.

1. Remote Access VPNs, when used with PC, router, or VPN appliances as the client in homes or small offices (usually with DSL or cable modem access to the local ISP), are rapidly replacing the traditional modem and Integrated Services Digital Network (ISDN) dial-up remote access solutions.
2. Site-to-site VPNs are being used to replace traditional WAN services such as frame relay and leased lines. The major drawback is the absence of a Service Level Agreement (SLA) from a provider to support QoS requirements.
3. Peer-to-peer or "Turnkey" VPNs are being offered by providers such as SBC, Verizon, Qwest, and BellSouth to replace traditional WAN services and offer a SLA to support QoS. The technology is Multi-Protocol Label Switching (MPLS) over BGP and is defined by Request For Comments (RFCs).

The VPN endpoints can be any of the following:

1. At the client end:
   a. PC
   b. VPN appliance (Cisco VPN 3002)
   c. Router
2. At the corporate end:
   a. VPN concentrator, such as Cisco 30xx
   b. Router
   c. Firewall
   d. Cisco ASA 5500 (mentioned earlier)

One of the reasons for the growing popularity of VPNs is low cost and implementation flexibility.
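Before the cost discussion continues, the "data integrity hash" step of the tunnel described at the start of this section, shown as an added example that is not from the paper, from Cisco, or from any IPsec implementation. It authenticates each packet with a truncated HMAC over the SPI, sequence number and payload, using SHA-1 or MD5 as the paper lists; the key, SPI and payload are constructed, and a real VPN would negotiate the key with IKE and encrypt the payload (3DES or AES) as well.

```python
"""Added example (not from the white paper or any IPsec implementation): the
data-integrity half of an IPsec-style tunnel. Each packet carries a 96-bit
truncated HMAC (as IPsec's HMAC-SHA-1-96 and HMAC-MD5-96 do) over the SPI,
sequence number and payload; the receiver rejects anything that does not
verify. Keys, SPI and payload are constructed for illustration."""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

ICV_LEN = 12  # IPsec truncates the HMAC output to 96 bits (12 bytes)

def _icv(key: bytes, data: bytes, algo: str) -> bytes:
    """Truncated HMAC; algo is "sha1" or "md5", the two options the paper names."""
    return hmac.new(key, data, getattr(hashlib, algo)).digest()[:ICV_LEN]

def build_authenticated_packet(key: bytes, spi: int, seq: int, payload: bytes,
                               algo: str = "sha1") -> bytes:
    """Return SPI || sequence || payload || ICV, the ICV covering everything before it."""
    header = struct.pack("!II", spi, seq)
    return header + payload + _icv(key, header + payload, algo)

def verify_authenticated_packet(key: bytes, packet: bytes,
                                algo: str = "sha1") -> Optional[Tuple[int, int, bytes]]:
    """Recompute the ICV and compare in constant time. Returns (spi, seq, payload)
    on success, or None if the packet was altered or keyed differently."""
    if len(packet) < 8 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(icv, _icv(key, body, algo)):
        return None
    spi, seq = struct.unpack("!II", body[:8])
    return spi, seq, body[8:]

def flip_bit(packet: bytes, byte_index: int) -> bytes:
    """Simulate a single corrupted or tampered byte in transit."""
    b = bytearray(packet)
    b[byte_index] ^= 0x01
    return bytes(b)

def demo(algo: str = "sha1") -> dict:
    key = b"constructed-demo-key-not-for-real-use"   # a real key comes from IKE
    payload = b"inventory update, store 42"            # constructed payload
    packet = build_authenticated_packet(key, spi=0x1001, seq=7, payload=payload, algo=algo)
    return {
        "genuine": verify_authenticated_packet(key, packet, algo),
        "tampered": verify_authenticated_packet(key, flip_bit(packet, 10), algo),
        "wrong_key": verify_authenticated_packet(b"other-key", packet, algo),
        "icv_len": len(packet) - 8 - len(payload),
    }

if __name__ == "__main__":
    for algo in ("sha1", "md5"):
        print(algo, demo(algo))
```

The verifier uses a constant-time comparison so that a forged ICV cannot be guessed byte by byte from timing differences, and the sequence number is covered by the hash so a replayed or reordered packet cannot be re-labelled. Both hashes the paper names are accepted because that is what it lists; a current deployment would choose HMAC with SHA-2 over SHA-1 and MD5, and would encrypt the payload before computing the ICV.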
It is true that VPN terminations are either inexpensive or already built into existing equipment such as routers, VPN concentrators, and security systems. In Europe, Multi-Protocol Label Switching (MPLS)-based VPNs are usually preferred for the enterprise WAN as opposed to traditional WAN services. Of course, in Europe, these types of VPNs are universally available. The Europeans do not have to deal with branch offices in Montana and New Mexico where advanced technologies may be scarce. Moreover, there are several issues related to network optimization:

1. Cost for additional bandwidth to the ISP at both remote and headquarters locations
2. Cost of developing network personnel skills to negotiate SLAs and pricing contracts, or consultants
3. Costs related to designing, implementing and maintaining VPN networks
4. Selection of terminating equipment
5. Use of VPNs in the IP telephony environment to support QoS

IP Telephony and QoS

For years, it has been said that voice and data are converged on the same network. The first time was when voice analog signals from a telephone and analog signals from a modem were sent over the same wire using frequency division multiplexing (Voila!). The second time was when analog signals from telephones and analog signals from modems were both digitized with a common method and sent over the same wire using Time Division Multiplexing (Double Voila!). The third time was when the modem was eliminated and digital telephones were introduced so everything could be digital end-to-end (ISDN was developed at about the same time). The digital voice was also compressed. (Another Voila!) During all these developments, data was in packets and voice was in bits. Today, voice can not only be compressed, but also constructed into packets, frames, or cells (IP, frame relay, or ATM).
The idea was to move away from circuit switching (Time Division Multiplexing [TDM]) and to packet switching to converge the network. (All still over one wire, by the way.) It was a terrific idea because existing data switching and routing equipment can be utilized to move the packets, frames, or cells, and the enterprise network infrastructure used to support voice traffic can gradually be removed. Voice over X (FR, IP, ATM) can be implemented on the gigabit Ethernet campus, the enterprise WAN, and over the Internet and the Public Switched Telephone Network (PSTN). The technology was integrated into Ethernet switches, WAN switches, routers, and access servers. The driving force of the first phase of IP telephony (VoX) was cost of transport. The next step in the evolution of the solution is IP telephony.

1. The common factor for IP telephony convergence is IP. Voice over frame relay and voice over ATM are not current solutions.
2. IP telephones are now heavily implemented. The cost of IP telephones is low (on par with digital handsets, $600 - $900).
3. Costs of legacy PBX equipment are high – traditional phone switches and the maintenance contracts are very expensive.
4. The legacy PBX is replaced with a Call Manager (or cluster) that is a PC platform.
5. The IP telephony solution must include voice messaging and third-party applications.
6. Consolidation of support staff into IT could reduce costs.
7. Additional applications for the IP telephone are being developed daily.
8. The entire enterprise network infrastructure must be redesigned to support IP telephony and QoS.

Voice and video traffic are real-time protocols. IP was not designed to transport them with the proper controls on latency, packet jitter, and packet loss. The solution to this problem is to provide additional features in the network equipment to overcome this limitation and provide the proper controls. This process is called the implementation of QoS.

The first step in QoS is to identify a QoS policy, which involves ranking all of the packet flows traversing the enterprise networks related to their latency, jitter, and packet loss parameters, as well as their importance to the enterprise. No solution can be implemented without this policy. A typical ranking would be:

1. Voice traffic
2. Voice signaling and video
3. Mission-critical data
4. Important data
5. Default data
6. Scavenger data (less than best effort)

With the policy in place, congestion avoidance, policing, traffic shaping, and congestion management techniques may be implemented. However, the methodology to implement a consistent end-to-end QoS policy may vary for a Layer 2 switch, a multi-layer switch, and a router. To optimize the network, technicians and network professionals have to be able to properly configure an end-to-end QoS policy using LLQ on routers, Weighted Round Robin (WRR) on multi-layer switch routed ports, and IEEE 802.1p on Layer 2 switches accurately and with effective cost control. Once again, trained, experienced, and extremely creative network personnel will be required to evaluate, select, implement, and optimize an IP telephony solution and the QoS to support it.

Wireless Networking

When wireless networking is mentioned, most networkers think of cellular telephones or other hand-held devices, microwave or satellite. Wireless solutions use radio frequencies, usually in the unregulated FCC frequencies (which means anyone can use them). Wireless is a viable enterprise networking solution. Wireless LAN standards are in place from the IEEE (802.11), wireless bridges provide inter-building connections, and an entire set of WiFi specifications are evolving under the 802.11 standard. Security has improved with the advent of IEEE 802.1x and a new encryption key to replace Wired Equivalent Privacy (WEP).
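Returning to the QoS policy of the previous section: the ranking, the strict-priority treatment of voice under LLQ, the policing that keeps voice from starving everything else, and the weighted sharing among the data classes can be seen working together in a small simulation. This is an added example, not the paper's or Cisco's code; the link rate, the voice cap, the class weights and the traffic mix are all assumed values chosen to make the behaviour visible.

```python
"""Added example (not from the white paper): a small simulation of Low-Latency
Queuing (LLQ) on a congested router interface, following the QoS policy ranking
from the text. Voice is served from a strict-priority queue policed to a
bandwidth cap; the other classes share the remainder by weight using a
simplified deficit round robin. Link rate, cap, weights and traffic are assumed."""
from collections import Counter, deque
from dataclasses import dataclass
from typing import Optional

@dataclass
class Pkt:
    cls: str
    size: int                         # bytes
    sent_at: Optional[float] = None   # seconds; every packet arrives at t=0 (a burst)

# Policy ranking mapped to (queue type, weight). Assumed weights; voice gets the
# priority queue, everything else a weighted share in ranking order.
POLICY = {
    "voice":     ("priority", None),
    "signaling": ("weighted", 30),
    "critical":  ("weighted", 25),
    "important": ("weighted", 20),
    "default":   ("weighted", 15),
    "scavenger": ("weighted", 5),
}
QUANTUM_PER_WEIGHT = 100  # bytes of sending credit per weight unit per round

class LLQScheduler:
    def __init__(self, link_bps: int, priority_cap_bps: int):
        self.link_bps = link_bps
        self.cap_bytes = priority_cap_bps // 8      # policer budget: bytes per second
        self.pq = deque()
        self.wq = {c: deque() for c, (kind, _) in POLICY.items() if kind == "weighted"}
        self.deficit = {c: 0 for c in self.wq}
        self.now = 0.0
        self.sent, self.dropped = [], []

    def enqueue(self, pkt: Pkt) -> None:
        kind, _ = POLICY[pkt.cls]
        (self.pq if kind == "priority" else self.wq[pkt.cls]).append(pkt)

    def _priority_allowed(self, pkt: Pkt) -> bool:
        # Policer: voice bytes sent within the last second must stay under the cap,
        # so a voice burst cannot monopolise the link.
        recent = sum(p.size for p in self.sent
                     if p.cls == "voice" and p.sent_at > self.now - 1.0)
        return recent + pkt.size <= self.cap_bytes

    def _next_weighted(self) -> Pkt:
        # Deficit round robin: a class sends when its credit covers its head packet;
        # credits are topped up by weight whenever no class can send.
        while True:
            for cls, q in self.wq.items():
                if q and self.deficit[cls] >= q[0].size:
                    self.deficit[cls] -= q[0].size
                    return q.popleft()
            for cls, q in self.wq.items():
                if q:
                    self.deficit[cls] += POLICY[cls][1] * QUANTUM_PER_WEIGHT

    def run(self) -> list:
        while self.pq or any(self.wq.values()):
            if self.pq:                             # strict priority: voice first
                pkt = self.pq.popleft()
                if not self._priority_allowed(pkt):
                    self.dropped.append(pkt)        # excess over the cap is policed away
                    continue
            else:
                pkt = self._next_weighted()
            pkt.sent_at = self.now
            self.now += pkt.size * 8 / self.link_bps   # serialisation time
            self.sent.append(pkt)
        return self.sent

def simulate(voice_pkts: int, data_pkts_per_class: int = 100) -> dict:
    """Congested 1 Mbps link with voice capped at 300 kbps (assumed figures)."""
    sch = LLQScheduler(link_bps=1_000_000, priority_cap_bps=300_000)
    for _ in range(voice_pkts):
        sch.enqueue(Pkt("voice", 200))              # small voice packets
    for cls in sch.wq:
        for _ in range(data_pkts_per_class):
            sch.enqueue(Pkt(cls, 1500))             # full-size data frames
    sent = sch.run()
    weighted = [p for p in sent if p.cls != "voice"]
    return {
        "voice_sent": sum(1 for p in sent if p.cls == "voice"),
        "voice_dropped": len(sch.dropped),
        "voice_max_delay": max((p.sent_at for p in sent if p.cls == "voice"), default=0.0),
        "first_data_at": weighted[0].sent_at if weighted else None,
        "share_first_round": dict(Counter(p.cls for p in weighted[:19])),
    }

if __name__ == "__main__":
    print(simulate(voice_pkts=50))     # all voice sent first, data follows
    print(simulate(voice_pkts=300))    # voice above the cap is dropped, not queued
```

With 50 voice packets every one is sent before the first data frame, which is the latency guarantee LLQ provides; with 300 the policer drops the excess rather than letting it delay the weighted classes, which is the starvation protection. The first 19 data frames split 6:5:4:3:1 across signaling, critical, important, default and scavenger, exactly in proportion to the assumed weights, and that proportional share is the same idea WRR on a multi-layer switch implements.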
The advantages of not requiring copper wire for a LAN environment and the mobility possible for users are obvious. Cisco Systems offers a group of products (Aironet) for Wireless LAN and has just acquired another wireless company, Airespace. This is a highly competitive marketplace with many start-up companies offering products and solutions. An early study commissioned by Cisco revealed that using Wireless LANs to improve connectivity to the corporate network saved workers an average of 70 minutes per day.

Once again, the importance of technically qualified personnel to implement this solution is critical, not only to configure wireless solutions and appropriate security measures, but also to decide where and how much wireless technology is required in an enterprise network.

The remainder of the paper survives here only as truncated preview excerpts; gaps are marked with "...".

IP Multicasting and IPv6 (excerpts)

... A few examples are:

1. Distance learning for education institutions and companies needing training
2. Tibco Software for stock traders and for specific categories of stock ticker information
3. Data warehousing for management of inventory to and from remote locations to headquarters
4. Corporate communications for video and/or audio conferencing
5. Streaming audio and video on demand for entertainment and simulation training
6. Internet gaming for interactive entertainment and simulation training
7. Data collection for polling information and multicast auction

There are many more, such as radio and TV broadcasts to the desktop and a number of financial applications. A simple cost-benefit analysis of IP multicasting versus normal IP unicasting for a data warehousing provides a concrete example of the ...

... multicasting. At headquarters of a typical company like Toys 'R Us, there is a warehouse full of inventory. Also, there are stores all across the nation that have inventory. The inventory in the remote locations needs to be known at headquarters on a daily basis and vice versa. Also, the size of the database to update the remote locations is 250 megabytes (actual size of Toys 'R Us data base would be much larger), ...

Certification and training (excerpts)

... certifications are regarded in the networking field as fair, objective, and valuable in determining the skills of an employee or contractor and their pay rate. However, there are additional issues from the perspective of the network manager. In many cases, training for certification is given to employees as a reward for long service, a job well done, or simply passed out in a round-robin fashion. In many cases, ...

... benefit of the company paying for the training necessary to achieve the certification and then leaves the company for a better paying job. The role of the network manager is to include certification training as part of a career plan for the employee that will ensure that the employee sees a reason to stay with the enterprise. This requires thought, planning, and creativity on the part of the manager. Promising ...

... security is not an acceptable approach. Markets and economies change so quickly that even government jobs are no longer secure. The results of a recent survey revealed that the average salary of a CCNA is $75,000 per year and the average salary of a CCNP is $88,000 per year. A CCSP is worth $96,000 per year. If the network manager is successful ...

... by a representative of a company that was paying about $10,000 per month for consultants, that the network manager had identified another method to achieve a high ROI by effectively utilizing training. The idea was to provide additional training to employees, eliminate the consultants, and eliminate $10,000 per month in expense without adding any fixed cost. In this example, the cost of training was ...

Attributes of a Training Provider (excerpt)

... quickly.

It is relevant that the idea of training has appeared many times in the description of professionals capable of achieving and managing network optimization. Training and certification, along with on-the-job experience, should be part of any network management and optimization strategy. For maximum results, a training provider should become a strategic partner in reaching ...

... understand key concepts and how to apply them to your specific work situation. Choose from our more than 700 courses, delivered through Classrooms, e-Learning, and On-site sessions, to meet your IT and management training needs.

About the Author

Raymond B. Dooley is CEO of International Communications Management, Inc. (ICM), a training company headquartered in Redmond, WA. In the past, he has led a team that ...

... developed, and implemented a network-related training curriculum for United Airlines, Ameritech, and General Electric. More recently, he has led a team of instructors focused primarily on Cisco-certified training. His academic and technical credentials are BS, MBA, CCNP, CCDP, and CCSI. Mr. Dooley was assisted by David Stahl, Debby Phelps, BK Jones, William Treneer, Jason Wyatte, and Carol Kavalla, all of whom are ...

Posted: 21/12/2013, 04:18