
PacketTrap Networks

Network Essentials
Planning & Managing the Future of Your Network

July, 2008

3  IT’S NOT ABOUT TODAY, IT’S ABOUT TOMORROW: A GLIMPSE INTO THE FUTURE
5  NETWORK DNA: THE BUILDING BLOCKS
7  NETWORK HARDWARE
12 MULTI-LOCATION NETWORKING
14 IT’S IN THE AIR: WIRELESS NETWORKING
16 LET THE GOOD GUYS IN AND KEEP THE BAD GUYS OUT: NETWORK SECURITY
18 TYING “IT” ALL TOGETHER: NETWORK MANAGEMENT SOFTWARE

PacketTrap Networks
118 2nd Street, 6th FL
San Francisco, CA 94105
1-866-My-pt360 (1-866-697-8360)
Network Essentials: Planning & Managing the Future of Your Network, PacketTrap Networks

LEGAL NOTICE AND ACKNOWLEDGEMENTS


Copyright © 2008 PACKETTRAP NETWORKS
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or
any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A
copy of the license is included in the section entitled "GNU Free Documentation License".

The product and company names used in this whitepaper are for identification purposes only. Apache is a trademark of The Apache Software
Foundation. Lego is a registered trademark of the Lego Corporation. Microsoft and Microsoft Windows are registered trademarks of Microsoft
Corporation. OCEG is a registered trademark of the Open Compliance and Ethics Group, a non-profit organization. Oracle is a registered
trademark of Oracle Corporation. Cisco is a registered trademark of Cisco Corporation. Juniper is a registered trademark of Juniper Networks
Corporation. SonicWALL is a registered trademark of SonicWALL, Inc. Fortinet is a registered trademark of Fortinet, Inc. Packeteer and
BlueCoat are registered trademarks of BlueCoat Systems, Inc. Acknowledgements to Stanford University’s Department of Computer Science,
Computer Discount Warehouse, & Network Consulting Inc for their time, content, and/or opinions.

Corporate Headquarters
118 2nd Street, 6TH FL
San Francisco, CA 94105
1-866-My-pt360 (1-866-697-8360)
www.PacketTrap.com

Page 2

© Copyright 2008, PacketTrap Networks



OVERVIEW

This whitepaper is intended for network engineers, sys admins, and IT professionals generally who are responsible for corporate and/or
government networks. The purpose of this paper is to provide best practices in network management, including network infrastructure design
and network maintenance. Specifically, it helps IT professionals design, implement, and manage networking solutions such as Voice over IP
(VoIP), Power over Ethernet (PoE), wireless (Wi-Fi), virtual private networking (VPN), and general security. More than just a whitepaper on
planning your network’s expansion, this paper also serves as a reference guide that should help you along the way. If you are new to network
engineering, this guide will provide you a foundation for success, and if you’re an “old hat”, it can serve as a reference to come back to.

CHAPTER 1
IT’S NOT ABOUT TODAY, IT’S ABOUT TOMORROW
Network Design Fundamentals
Building a network is easy. Building a network that efficiently and productively provides a foundation for fault tolerance, security, and Quality of
Service (QoS) is hard. Building a network that supports your organization with these core technologies as it grows is even harder. Of course,
your network will grow by number of users, but just as importantly your network must be able to handle new technologies, applications, protocols,
and the ever-growing coverage of remote workers. Building a scalable network that is efficient and flexible, but also provides a foundation for
growth, requires design.

Analyzing Operational Requirements


Every network is a set of “Lego” blocks, customized and shaped to the design of the network engineer. A good deal of network design involves
trying to predict the future of an IT organization, as well as taking into account associated software requirements, network equipment vendors
and service providers. There is no perfect abstract network design, but a network can always be more efficient, consume less power, and
provide more productive data back to the organization. The best network design for your company will differ from other companies.

Always think to the future. What are the initiatives that your organization is planning over the next two years? Think about the
impact of those initiatives against the readiness of your network. Whether it’s a business or technology initiative, good network
design requires that you think about the future today. For example:

Future Network Consideration: Implementation Thought Requirements

• VoIP implementation: Bandwidth considerations; network management system to monitor jitter and latency issues.
• Connectivity to external workers / vendors / partners / or acquired organizations: Service providers, MPLS or VPN that will require
consideration of IP addresses, Unified Threat Management (UTM) / Firewall / and conflicting network policies.
• Sales force to grow by 20% per year for next four years: A five year growth plan is required for network infrastructure and management,
including the most scalable switches, routers, hubs, network management system, power requirements, etc.
• Servers placed in external datacenter and managed by external staff: Network Management Systems with connectivity to external data
centers, storage requirements, and security overlays.
• SaaS (i.e., Salesforce.com) implementation: Security; Network Access Control (NAC); VPN considerations.
• Virtualization implementation: Memory and storage requirements; test bed and staging area for production or mission critical systems
under consideration for virtualization. Network management system to alert on quality and productivity of virtualized servers.


Governance, Risk and Compliance Responsibilities

Regulatory mandates, information and process risks, and corporate procedures and policies will also influence the future design and
administration of your network. You may be an educational institution, a healthcare company, a government agency, or a public company. All
organizations have voluntary and mandated obligations and must comply with specific requirements. Further, regardless of the type of
company you are, you will also have to comply with new and updated information security protocols such as IPv6.

Network protocols configured for the range of governance, risk and compliance management requirements will help detect and prevent
misconduct related to policy and compliance-based requirements. Properly configured networks help to identify and address weaknesses that
have yet to be exploited; analyze trends that may indicate an increase (or decrease) in the likelihood that an adverse event will materialize; and
monitor underlying user activities that drive risk strategies. A common mistake is relying on too few sources of information to understand
anything beyond past breaches and attempts to violate security protocols. To correct this, for each related risk and requirement, network
managers should apply a full suite of management and user controls and monitoring techniques.

Control Activities should be designed in such a way that violations trigger automated notifications based on threshold conditions and business
rules. Management will most likely use human judgment to determine if these violations represent actual issues of interest, but the trigger is an
important first step. These triggers can be embedded in all types of controls: transaction controls, access controls, master data controls,
configuration controls, and other network operational controls. Questions to ask when developing network controls include: How will we know if
this control is violated? Are there any information sources that might be useful to indicate future violations? Who should be informed if the
control fails? What will the follow-up process entail?

Monitoring Activities are intended to determine if the internal control and compliance regime is designed and operating effectively. In some
automated systems, control activities and monitoring activities are essentially blended together so that control performance actually is the
control test. Any deficiency—minor, significant, or material—should be logged in a system so that trends can be identified.

Some specific external compliance mandates involving network resources as a source of related failures, violations, reports and detective and
preventive controls include:

• The US Sarbanes-Oxley Act, which requires public companies to provide stronger transparency in financial and accounting systems, thus
placing pressure on IT departments to ensure accurate real time transaction reporting to management.

• If your company processes credit cards, you may be subject to the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS was
developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card fraud. A
company processing, storing, or transmitting payment card data must be PCI DSS compliant or risk losing its ability to process credit card
payments as well as being audited and/or fined. For the IT department this means that as you expand your network there are configurations
and considerations that will drive your design, purchasing and information security management decisions.

• The Health Insurance Portability and Accountability Act (HIPAA) sets guidelines for the privacy of patients’ electronic records, most notably
in the medical and healthcare industries. HIPAA provides specific and widely-applicable personal information privacy standards and
procedures for most contexts of customer information retrieval, management, storage and third-party transfer.

• The Department of Defense mandated a transition to IPv6 (Internet Protocol version 6) by the summer of 2008. IPv6 succeeds IPv4, the IP in
widespread use today. If you are a private commercial organization, IPv6 will probably not affect you until 2010, but by then the new protocol
will have been widely adopted in many organizations.

It’s important to stress the absolute necessity for internal governance over information management, including processes for quality assurance,
testing, auditing, monitoring, and risk assessment, which offer a proven way to ensure a reliable and effective network.

Violations and potential violations of regulations and legal requirements continually surface in the IT department, so it’s best to get
out and stay out in front of them. If you are interested in further reading on governance, risk and compliance, the non-profit Open
Compliance and Ethics Group (www.OCEG.org) is a leading resource.


CHAPTER 2
NETWORK DNA: THE BUILDING BLOCKS

Ethernet is a family of frame-based computer networking technologies for local area networks (LANs). The name comes from the physical
concept of the ether. It defines a number of wiring and signaling standards for the physical layer, through means of network access at the
Media Access Control (MAC)/Data Link Layer, and a common addressing format.

Ethernet is standardized as IEEE 802.3. The combination of the twisted pair versions of Ethernet for connecting end systems to the network,
along with the fiber optic versions for site backbones, is the most widespread wired LAN technology. Ethernet comes in many speeds:

• 10Mbps
• 100Mbps
• 1000Mbps (1Gbps, a.k.a. Gigabit Ethernet or GigE)
• 10Gbps (a.k.a. 10 Gigabit Ethernet or 10GbE)

Most Ethernet standards run over copper cabling or fiber cabling. Other terms commonly used to describe Ethernet include 10/100, which
indicates support of both 10Mbps and 100Mbps, and triple speed, which refers to support of 10/100/1000Mbps. Most servers, notebooks and
desktop PCs today come with triple-speed network interface cards (NICs).
Most switches have GigE or 10GbE uplink ports for connecting to the data center. 10GbE is currently used almost exclusively for connectivity
between network devices, but an increase in 10GbE servers is anticipated. GigE is moving to the end-point from the data center at a slow and
steady rate. GigE is already becoming a standard at the data center level.

Power over Ethernet (PoE)


Power over Ethernet or PoE technology describes a system to transmit electrical power, along with data, to remote devices over standard
twisted-pair cable in an Ethernet network. This technology is useful for powering IP telephones, wireless LAN access points, network switches
and routers, and applications where it would be inconvenient, expensive or infeasible to supply power separately. The lure of PoE is that it
works with an unmodified Ethernet cabling infrastructure, such as Cat5 – the cable that is probably running through the walls of your building.
Appliances specifically are a primary driver of PoE implementations on corporate networks. See Figure 1 for examples. Applications for PoE
include video conferencing, kiosks and touch screen systems, and wireless APs with high power requirements (802.11n and WiMAX).

PoE is enabled using either an end-span or mid-span approach. With an end-span approach, the PoE is embedded into the network switches.
With a mid-span approach, a PoE-enabled patch panel (or individual power injector) is used to add power to cables after leaving the
network switch.

Figure 1: Examples of PoE Appliances / Devices

A Word About Physical Cabling
Almost all buildings these days are lined with Category 5 cable, commonly known as Cat 5 or "Cable and Telephone". Category 5 is a twisted
pair cable type designed for high signal integrity. This type of cable is often used for computer networks such as Ethernet, basic voice services,
token ring, and ATM (at up to 155 Mbit/s, over short distances). Cat5e cabling will suffice for today's 10/100/1000Mbps Ethernet standards.
For GigE support it’s important to purchase switches with Time Domain Reflectometer (TDR) capability. Although Cat6 is available, there has
been little traction in corporate networks. For fiber, most installations are single-mode fiber (SMF) and it is the generally accepted standard. An
alternative is multimode fiber (MMF); however, support for 10GbE is relegated to short routes.


CHAPTER 3
NETWORK HARDWARE

Your network infrastructure comprises mainly switches and routers. These core technologies are the cornerstone of how data traverses
your network. While not the most sophisticated devices, switches and routers are many times not only the building blocks of your network, but
also the root cause of your problems. For that reason, strong network management software that supports multiple vendors is essential to
ensure you can monitor and manage data as it connects users and productivity.

Switches
A network switch is a small hardware device that joins multiple computers together within one local area network (LAN). Technically, network
switches operate at layer two (Data Link Layer) of the OSI model.

Network switches appear nearly identical to network hubs, but a switch generally contains more "intelligence" (and a slightly higher price tag)
than a hub. Unlike hubs, network switches are capable of inspecting data packets as they are received, determining the source and destination
device of that packet, and forwarding it appropriately. By delivering each message only to the connected device it was intended for, a network
switch conserves network bandwidth and offers generally better performance than a hub.

As with hubs, Ethernet implementations of network switches are the most common. Mainstream Ethernet network switches support either 10
Mbps, 100 Mbps, or 10/100 Mbps Ethernet standards.

Different models of network switches support differing numbers of connected devices. Most corporate-grade network switches provide either 24
or 48 connections for Ethernet devices. Switches can be connected to each other. Such "daisy chaining" allows progressively larger numbers of
devices to join the same LAN. Some common switch functions include: VLANs (virtual local area networks) and 802.1q tagging / trunking, QoS,
PoE, Layer 3 IP routing and, in some cases, firewall security.

Routers
Routers connect two or more logical subnets, which do not necessarily map one-to-one to the physical interfaces of the router. A router is an
appliance whose software and hardware are usually tailored to the tasks of routing and forwarding information. Routers generally contain a
specialized operating system (e.g. Cisco's IOS or Juniper Networks' JUNOS and JUNOSe), RAM, NVRAM, flash memory, and one or more
processors.

A router is currently the basic component of a wide area network (WAN). A router's core function is to forward traffic at Layer 3 across the
widest variety of LAN and WAN interfaces, from dial-up modems to 10GbE. Common IP routing protocols include OSPF (open shortest path
first), EIGRP (enhanced interior gateway routing protocol), BGP (border gateway protocol) and IS-IS (intermediate system to intermediate
system).
Routers also provide voice circuit termination, NAT, firewall, policy routing, VPN, wireless connectivity, accounting, monitoring and
virtualization. Sometimes firewalls can be considered routers, such as products sold by Cisco, SonicWALL, Fortinet, and others.

Hubs vs. Switches vs. Routers


A hub is a small, simple, inexpensive device that joins multiple computers together. It usually serves no greater purpose than that. As
mentioned above, a network switch is a small hardware device that joins multiple computers / servers together within one local area network
(LAN). Unlike hubs, network switches are capable of inspecting data packets as they are received, determining the source and destination
device of that packet, and forwarding it appropriately. A router is a more sophisticated network device than either a switch or a hub. Like hubs
and switches, network routers are typically small, box-like pieces of equipment (appliances) that are connected to multiple devices. Each
features a number of "ports" on the front or back that provide the connection points for networked devices, a connection for electric power, and
a number of LED lights to display device status. While routers, hubs and switches all share a similar physical appearance, routers differ
substantially in their inner workings.

Traditional routers are designed to join multiple area networks (LANs and WANs). On the Internet or on a large corporate network, for example,
routers serve as intermediate destinations for network traffic. These routers receive TCP/IP packets, look inside each packet to identify the
source and target IP addresses, and then forward these packets as needed to ensure the data reaches its final destination.


Additionally, broadband routers contain several features beyond those of traditional routers. Broadband routers provide DHCP server and proxy
support, for example. Most of these routers also offer integrated firewalls. Finally, wired Ethernet broadband routers typically incorporate a built-
in Ethernet switch. These routers allow several hubs or switches to be connected to them as a means to expand the local network to
accommodate more Ethernet devices.

Quality of Service (QoS)


Quality of Service is the ability to provide different priority (see the table below) to different applications, users, or data flows, or to guarantee a
certain level of performance to a data flow. For example, a required bit rate, delay, jitter, packet dropping probability and/or bit error rate may be
guaranteed. Quality of Service guarantees are important if the network capacity is insufficient, especially for real-time streaming multimedia
applications.

A defined Quality of Service may be required for certain types of network traffic, for example:

• Dedicated link emulation requires both guaranteed throughput and imposes limits on maximum delay and jitter.
• A safety-critical application, such as remote surgery, may require a guaranteed level of availability (this is also called hard QoS).
• A remote system administrator may want to prioritize variable, and usually small, amounts of SSH traffic to ensure a responsive session
even over a heavily-laden link.
• Streaming multimedia may require guaranteed throughput to ensure that a minimum level of quality is maintained.
• IPTV offered as a service from a service provider such as AT&T's U-verse.
• IP telephony or Voice over IP (VoIP) may require strict limits on jitter and delay.
• Video Teleconferencing (VTC) requires low jitter and latency.
• Alarm signaling (e.g., burglar alarm).

These types of service are called inelastic, meaning that they require a certain minimum level of bandwidth and a certain maximum latency to
function. By contrast, elastic applications can take advantage of however much or little bandwidth is available. Bulk file transfer applications
that rely on TCP are generally elastic.

Priority  Traffic Type
0         Best Effort
1         Background
2         Standard (Spare)
3         Excellent Load (Business Critical)
4         Controlled Load (Streaming Multimedia)
5         Voice and Video [less than 100ms latency and jitter]
6         Layer 3 Network Control Reserved Traffic [less than 10ms latency and jitter]
7         Layer 2 Network Control Reserved Traffic [lowest latency and jitter]
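To show how the priority column of this table travels on the wire, here is an added Python example (not from the PacketTrap paper) that builds and parses 802.1Q-tagged Ethernet frames, where the 3-bit PCP field carries exactly these 0 to 7 values, and runs a simple monitoring check over constructed sample frames. The MAC addresses, VLAN IDs and payloads are made up for the example.

```python
import struct

# 802.1p user priority (the 3-bit PCP field of the 802.1Q tag), named as in the table above.
PRIORITY_NAMES = {
    0: "Best Effort",
    1: "Background",
    2: "Standard (Spare)",
    3: "Excellent Load (Business Critical)",
    4: "Controlled Load (Streaming Multimedia)",
    5: "Voice and Video",
    6: "Layer 3 Network Control Reserved Traffic",
    7: "Layer 2 Network Control Reserved Traffic",
}

ETHERTYPE_VLAN = 0x8100  # 802.1Q Tag Protocol Identifier (TPID)
ETHERTYPE_IPV4 = 0x0800


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_tagged_frame(dst: str, src: str, pcp: int, vid: int, payload: bytes,
                       dei: int = 0, ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Build an Ethernet frame that carries an 802.1Q tag.

    Tag Control Information (16 bits): PCP (3 bits) | DEI (1 bit) | VID (12 bits).
    The PCP is where a switch reads the priority class from the table above.
    """
    if not 0 <= pcp <= 7:
        raise ValueError("PCP must be 0..7")
    if not 0 <= vid <= 4095:
        raise ValueError("VID must be 0..4095")
    tci = (pcp << 13) | ((dei & 1) << 12) | vid
    header = mac_to_bytes(dst) + mac_to_bytes(src)
    header += struct.pack("!HHH", ETHERTYPE_VLAN, tci, ethertype)
    return header + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, when present, the 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    info = {"dst": bytes_to_mac(frame[0:6]), "src": bytes_to_mac(frame[6:12]),
            "tagged": False, "pcp": 0, "dei": 0, "vid": None,
            "priority_name": PRIORITY_NAMES[0]}
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_VLAN:
        info.update(ethertype=ethertype, payload=frame[14:])
        return info
    if len(frame) < 18:
        raise ValueError("frame too short for an 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    pcp = tci >> 13
    info.update(tagged=True, pcp=pcp, dei=(tci >> 12) & 1, vid=tci & 0x0FFF,
                priority_name=PRIORITY_NAMES[pcp], ethertype=inner_type,
                payload=frame[18:])
    return info


def voice_vlan_violations(frames, voice_vid: int, expected_pcp: int = 5) -> list:
    """Monitoring check: every frame seen on the voice VLAN should carry the
    'Voice and Video' priority. Anything else is reported so the operator can
    find mis-marked phones, a trunk that strips the PCP, or a host that should
    not be on the voice VLAN at all."""
    findings = []
    for frame in frames:
        info = parse_frame(frame)
        if info["tagged"] and info["vid"] == voice_vid and info["pcp"] != expected_pcp:
            findings.append((info["src"], info["pcp"], info["priority_name"]))
    return findings


# Constructed sample frames (not captured from a real network): two on voice
# VLAN 100, one of them wrongly marked best effort, and one on data VLAN 200.
SAMPLE_FRAMES = [
    build_tagged_frame("00:11:22:33:44:55", "aa:bb:cc:00:00:01", 5, 100, b"RTP audio"),
    build_tagged_frame("00:11:22:33:44:55", "aa:bb:cc:00:00:02", 0, 100, b"HTTP GET"),
    build_tagged_frame("00:11:22:33:44:55", "aa:bb:cc:00:00:03", 0, 200, b"HTTP GET"),
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        info = parse_frame(frame)
        print(f"{info['src']} vlan={info['vid']} pcp={info['pcp']} ({info['priority_name']})")
    print("voice VLAN violations:", voice_vlan_violations(SAMPLE_FRAMES, voice_vid=100))
```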

NETWORK APPLIANCES
Network appliances are embedded system devices that provide a narrow range of functions, and generally use a dedicated hardware platform.
The Linux operating system is popular among many computer appliances.

Web Accelerators
A web accelerator is a proxy server that reduces web site access times. They are appliances connected to a website’s front end that compress
data and shortcut inefficient HTTP redirection. Web accelerators may use several techniques to reduce website access times:


• They may cache recently or frequently accessed documents so they may be sent to the client with less latency or at a faster transfer
rate than the remote server could.
• They may freshen objects in the cache, ensuring that frequently accessed content is readily available for display.
• They may preemptively resolve hostnames present in a document (HTML or Javascript) in order to reduce latency.
• They may prefetch documents that are likely to be accessed in the near future.
• They may compress documents to a smaller size, for example by reducing the quality of images or by sending only what's changed
since the document was last requested.
• They may optimize the code from certain documents (such as HTML or Javascript).
• They may filter out ads and other undesirable objects so they are not sent to the client at all.
• They may maintain persistent TCP connections between the client and the proxy server.

WAN Accelerators
WAN Accelerators are appliances that are placed at two or more remote sites and transparently intercept network traffic in an attempt to
optimize it. Specifically, these products make it easy for organizations to accelerate the applications that are most important to their users. The
goal of WAN Accelerators is to allow workers on the move to enjoy LAN-like access to files and applications whether they are working from
home, on the road, or even at customer sites.
Most WAN Accelerators optimize traffic in both directions, transparent to production applications, and require no reconfiguration of client and
server software.
WAN Accelerators usually include:
• Data streaming to optimize WAN traffic by removing redundant data and prioritizing traffic through advanced QoS mechanisms
• Transport streamlining to improve the behavior of TCP
• Application streamlining to reduce application protocol inefficiencies and enable disconnected operations
• Management streamlining to simplify the deployment, maintenance, and management of appliances.
Most WAN Accelerator vendors claim 5 to 100 times higher performance.
File sharing, printing, backup and replication reap the biggest performance gains with WAN acceleration. The gains are amplified as latency
increases. A cross-town T1 link with 5 ms latency will see much less benefit than a cross-country T1 with 40 ms of latency. Finally, it should be
noted that "chatty" and interactive apps such as SQL, Citrix and Telnet will see little or no improvement from WAN accelerators.
For the moment, encrypted traffic such as SSH (Secure Shell) and SSL/TLS cannot be easily compressed and generally sees only slight
improvement from WAN accelerators. However, Riverbed has recently introduced SSL/TLS acceleration. The mechanism requires that the
WAN accelerators get copies of the Web site's private keys and certificates. Though it remains unclear if this technique will stand up to audit
standards like those of the Payment Card Industry (PCI), other vendors are quickly following suit.

Because of performance variability, organizations considering WAN accelerators should follow three important steps.
1. Identify the key applications that need improvement and define a benchmarking process.
2. Research the optimization techniques of the potential vendors to see how their techniques will help your applications.
3. Trial the products of multiple vendors to verify performance gains.

When weighing the value of WAN accelerators, three other points are worth noting:
1. WAN performance may have already been addressed in other ways, such as by using Citrix or deploying local file or e-mail servers.
2. Most WAN accelerators work by tunneling traffic, which may require substantial changes to the existing routing, security, monitoring and
QoS policies.
3. Operating systems such as Windows Vista and Longhorn include their own WAN acceleration techniques that may overlap or conflict with
the use of dedicated WAN accelerators.

Content Networking Appliances


Content networking is a general term for network devices that integrate with applications in order to improve performance, availability, security
or manageability. Content filtering appliances block or allow data based on analysis of its content, rather than its source or other criteria. It is
most widely used on the internet to filter email and web access. The Email Spam Appliances described below fall into this category.
Content filtering is often broken into outbound and inbound filtering. Outbound content filtering deals with managing the content as it
leaves the corporate network. Many organizations under HIPAA, OSHA, and other regulatory mandates must inspect content before it leaves
the network. Inbound content filtering works in the opposite direction, and many solutions allow the user to use the product for both. Both
SonicWALL and Barracuda Networks provide content filtering solutions that help companies meet government regulations.

Email Spam Appliances


Anti-spam appliances are hardware devices integrated with on-board software that implement anti-spam techniques (e-mail) and/or anti-spam
for instant messaging (also called "spim") and are deployed at the gateway or in front of the mail server. They are normally driven by an
operating system optimized for spam filtering. They are generally used in larger networks such as companies and corporations, ISPs,
universities, etc. The most well known spam vendors include Barracuda Networks and IronPort Systems (now owned by Cisco Systems).
Reasons anti-spam appliances might be selected instead of software could include:
• You prefer hardware over software
• Ease of installation
• Operating system requirements (e.g. company policy requires Linux, but software is not available under this OS)
• Independence of existing hardware

Load Balancing Appliances


Load balancing is a technique to spread work between two or more computers, network links, CPUs, hard drives, or other resources, in order to
get optimal resource utilization, throughput, or response time. Using multiple components with load balancing, instead of a single component,
may increase reliability through redundancy. The balancing service is usually provided by a dedicated program or hardware device (such as a
multilayer switch). It is commonly used to mediate internal communications in computer clusters, especially high-availability clusters.
Server Load Balancing (SLB) takes incoming network connections and distributes them across multiple servers (a server farm). Transparent to
both user and server, SLB allows a service to scale beyond a single server, gracefully handle server outages and allow servers to be taken
offline for maintenance in a non-disruptive manner.
For example, a user attempts to visit http://www.PacketTrap.com. Traffic for this URL will be directed at the SLB, which forwards the traffic in
turn to an available server. Should the server to which traffic is directed fail, SLB ensures that the user would quickly be redirected to one of the
remaining servers.

SLB sounds easy, but implementation can be a burden if you do not have a deep understanding of how your applications run on the
network. In fact, sometimes Load Balancing can turn into a problem instead of a productivity enhancer. Smart organizations that
lack expertise in this area bring in IT consultants for strategic direction and training.
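The following Python example is added here (it is not from the paper) to make the SLB behaviour concrete: a farm of constructed servers with health-check failover and a drain mode for maintenance, a manually weighted share for a faster server (asymmetric load), and a standby server that is activated when too few servers remain (priority activation). Server names and weights are made up.

```python
from dataclasses import dataclass


@dataclass
class Backend:
    name: str
    weight: int = 1         # asymmetric load: a larger weight gets a larger share
    standby: bool = False   # priority activation: used only when the active pool shrinks
    healthy: bool = True    # flipped by health checks
    connections: int = 0
    current: int = 0        # running counter for smooth weighted round-robin


class ServerLoadBalancer:
    """Minimal SLB in front of a server farm.

    - failed health checks take a server out of rotation, and a recovered
      server returns automatically (graceful handling of outages)
    - drain() stops new connections to a server so it can be taken offline
      for maintenance without disrupting users
    - weights implement the asymmetric load ratio
    - standby servers are activated when fewer than `min_active` servers
      remain, which is the priority activation feature
    """

    def __init__(self, backends, min_active: int = 1):
        self.backends = list(backends)
        self.min_active = min_active
        self.drained = set()

    def pool(self):
        """Servers eligible for new connections right now."""
        usable = [b for b in self.backends if b.healthy and b.name not in self.drained]
        active = [b for b in usable if not b.standby]
        if len(active) < self.min_active:
            active += [b for b in usable if b.standby]
        return active

    def health_check(self, name: str, healthy: bool) -> None:
        for b in self.backends:
            if b.name == name:
                b.healthy = healthy

    def drain(self, name: str) -> None:
        self.drained.add(name)

    def undrain(self, name: str) -> None:
        self.drained.discard(name)

    def pick(self) -> Backend:
        """Smooth weighted round-robin: each server's counter grows by its
        weight every round, the highest counter wins and is charged the total,
        so a 3:1 weighting yields A, A, B, A rather than A, A, A, B."""
        pool = self.pool()
        if not pool:
            raise RuntimeError("no server in the farm can accept connections")
        total = sum(b.weight for b in pool)
        for b in pool:
            b.current += b.weight
        chosen = max(pool, key=lambda b: b.current)
        chosen.current -= total
        chosen.connections += 1
        return chosen

    def distribute(self, n: int) -> dict:
        """Send n new connections through the balancer; return counts per server."""
        counts = {}
        for _ in range(n):
            name = self.pick().name
            counts[name] = counts.get(name, 0) + 1
        return counts


def demo_farm() -> ServerLoadBalancer:
    """Constructed farm (not a real deployment): web1 is a faster box, so it is
    weighted 3:1 over web2; web3 sits on standby until fewer than two servers remain."""
    return ServerLoadBalancer(
        [Backend("web1", weight=3), Backend("web2", weight=1), Backend("web3", standby=True)],
        min_active=2,
    )


if __name__ == "__main__":
    lb = demo_farm()
    print("normal operation:", lb.distribute(8))
    lb.health_check("web2", healthy=False)       # health check fails
    print("web2 down, web3 activated:", lb.distribute(8))
    lb.health_check("web2", healthy=True)
    lb.drain("web1")                              # take web1 out for maintenance
    print("web1 draining:", lb.distribute(4))
```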

Load Balancers can come with a variety of special features:


• Asymmetric load: A ratio can be manually assigned to cause some backend servers to get a greater share of the workload than others. This is
sometimes used as a crude way to account for some servers being faster than others.
• Priority activation: When the number of available servers drops below a certain number, or load gets too high, standby servers can be brought
online.
• SSL Offload and Acceleration: SSL applications can be a heavy burden on the resources of a Web Server, especially on the CPU and the end
users may see a slow response (or at the very least the servers are spending a lot of cycles doing things they weren't designed to do). To
resolve these kinds of issues, a Load Balancer capable of handling SSL Offloading in specialized hardware may be used. When Load
Balancers are taking the SSL connections, the burden on the Web Servers is reduced and performance will not degrade for the end users.


• Distributed Denial of Service (DDoS) attack protection: Load balancers can provide features such as SYN cookies and delayed-binding (the
back-end servers don't see the client until it finishes its TCP handshake) to mitigate SYN flood attacks and generally offload work from the
servers to a more efficient platform.
• HTTP compression: reduces the amount of data to be transferred for HTTP objects by utilizing zip compression available in all modern web
browsers.
• TCP offload: Different vendors use different terms for this, but the idea is that normally each HTTP request from each client is a different TCP
connection. This feature utilizes HTTP/1.1 to consolidate multiple HTTP requests from multiple clients into a single TCP socket to the back-end
servers.
• TCP buffering: The load balancer can buffer responses from the server and spoon-feed the data out to slow clients, allowing the server to
move on to other tasks.
• HTTP caching: The load balancer can store static content so that some requests can be handled without contacting the web servers.
• Content Filtering: Some load balancers can arbitrarily modify traffic on the way through.
• HTTP security: Some load balancers can hide HTTP error pages, remove server identification headers from HTTP responses, and encrypt
cookies so end users can't manipulate them.
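The SYN cookie and delayed-binding behaviour described above, as an added worked example that is not part of this guide or any vendor's code. It uses a simplified version of the classic cookie layout (5 bits of a 64-second counter, 3 bits of MSS index, 24 bits of keyed hash); the secret, the MSS table, the backend names and the addresses are constructed for the example:

```python
import hashlib
import hmac
import struct
import time

# Constructed secret for this example; a production device keeps it in hardware
# and rotates it periodically.
SECRET = b"example-secret-rotate-me"

# MSS values the cookie can encode (3 bits of index are reserved for this).
MSS_TABLE = (536, 1220, 1440, 1460)

# Cookies older than this many counter ticks (one tick = 64 s below) are rejected.
MAX_AGE_TICKS = 2


def _mac24(src_ip, dst_ip, src_port, dst_port, counter, client_isn):
    """24-bit keyed hash over the 4-tuple, the client's ISN and the full time counter."""
    msg = struct.pack("!4s4sHHII", src_ip, dst_ip, src_port, dst_port,
                      client_isn & 0xFFFFFFFF, counter & 0xFFFFFFFF)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src_ip, dst_ip, src_port, dst_port, client_isn, mss, counter):
    """Server ISN for the SYN-ACK: 5 bits of counter | 3 bits of MSS index | 24-bit MAC."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):      # largest table entry not above the client's MSS
        if m <= mss:
            idx = i
    mac = _mac24(src_ip, dst_ip, src_port, dst_port, counter, client_isn)
    return ((counter & 0x1F) << 27) | (idx << 24) | mac


def check_syn_cookie(src_ip, dst_ip, src_port, dst_port, client_isn, ack, counter):
    """Validate the ACK of a handshake; return the negotiated MSS or None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    age = (counter - (cookie >> 27)) & 0x1F
    if age > MAX_AGE_TICKS:
        return None                                   # stale cookie (or a wild guess)
    expected = _mac24(src_ip, dst_ip, src_port, dst_port, counter - age, client_isn)
    if not hmac.compare_digest(expected.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None                                   # forged cookie
    idx = (cookie >> 24) & 0x7
    return MSS_TABLE[idx] if idx < len(MSS_TABLE) else None


class DelayedBindingFrontend:
    """Load-balancer front end: answers SYNs statelessly, binds a backend only on a valid ACK."""

    def __init__(self, backends, counter_fn=lambda: int(time.time()) // 64):
        self.backends = list(backends)
        self.counter_fn = counter_fn
        self.bound = {}                  # (client_ip, client_port) -> (backend, mss)
        self._next = 0

    def on_syn(self, src_ip, dst_ip, src_port, dst_port, client_isn, mss):
        # Nothing is stored here: the SYN-ACK's sequence number carries the state.
        return make_syn_cookie(src_ip, dst_ip, src_port, dst_port, client_isn, mss,
                               self.counter_fn())

    def on_ack(self, src_ip, dst_ip, src_port, dst_port, seq, ack):
        mss = check_syn_cookie(src_ip, dst_ip, src_port, dst_port, seq - 1, ack,
                               self.counter_fn())
        if mss is None:
            return None                  # drop: no backend ever saw this client
        backend = self.backends[self._next % len(self.backends)]   # plain round robin
        self._next += 1
        self.bound[(src_ip, src_port)] = (backend, mss)
        return backend


if __name__ == "__main__":
    fe = DelayedBindingFrontend(["web1", "web2"], counter_fn=lambda: 100)
    client, vip = bytes([203, 0, 113, 5]), bytes([198, 51, 100, 10])   # constructed addresses
    for port in range(10000, 20000):     # a flood of spoofed SYNs leaves no state behind
        fe.on_syn(client, vip, port, 443, 1, 1460)
    print("entries after flood:", len(fe.bound))                      # 0
    isn = fe.on_syn(client, vip, 40000, 443, 7, 1460)                 # one real client
    print("bound to:", fe.on_ack(client, vip, 40000, 443, 8, (isn + 1) & 0xFFFFFFFF))  # web1
```

The front end keeps no per-SYN state at all: a forged or replayed ACK fails the keyed hash or the age check and is dropped before any backend connection is opened, which is exactly why the back-end servers never see a half-open connection during a flood.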

SSL Accelerator Appliances


SSL acceleration is a method of offloading the processor-intensive cryptographic work of SSL/TLS transactions, chiefly the public key
operations of the handshake, to a hardware accelerator. Typically, this is a separate card that plugs into a PCI slot in a computer and contains
one or more co-processors able to handle much of the SSL processing.
An SSL accelerator comes either as a standalone appliance or integrated into an SLB or Web accelerator product. It works to encrypt and
decrypt SSL/TLS data and to offload the CPU intensive SSL negotiation that occurs upon initial setup of a connection. Where a regular Web
server may handle a few hundred concurrent SSL sessions, an SSL accelerator uses specialized hardware to handle many thousands of them.
There are two main uses of SSL accelerators. With SSL offload, the SSL accelerator encrypts traffic to the client, but not to the server.
This use allows the server the full CPU benefits of not having to deal with any encryption. The server certificate and its private key are
loaded only on the SSL accelerator, which makes the accelerator the device to protect: whoever controls it holds the key.
For security of the decrypted data, the server and SSL accelerator should be located in the same secure facility with as few network hops
between the two as possible, since that segment carries the traffic in cleartext.
With SSL end-to-end, the SSL accelerator encrypts traffic all the way from the client to the server, but it is briefly decrypted and re-encrypted
within the accelerator so that an SLB or other content networking product can inspect the content, to make a load balancing decision or to
enforce an application firewall rule, for instance.
The public-facing certificate and key are loaded only on the SSL accelerator, but the servers still need their own certificates (CA-issued or
self-signed) for the accelerator-to-server leg, and the accelerator should be configured to verify them. SSL end-to-end is used in
environments where regulations or best practices mandate that decrypted traffic never be sent across a network.

SSL Vendors:
 Array Networks
 Cisco Systems
 Citrix Systems
 Coyote Point Systems
 F5 Networks
 Foundry Networks
 IBM
 Juniper Networks
 Nortel
 Radware
 SonicWALL
 Sun Microsystems

Application Offload
Application offload appliances fill a niche, offloading the inter-server message processing associated with Service-Oriented Architecture (SOA).
SOA describes the interconnected services commonly found in business-to-business and back-end application server environments.
For instance, a user's Web click to search for an airline fare on a Web site may fire off dozens or hundreds of back-end messages behind the
scenes. XML messages are the most common, but MQ, JMS and other protocols still have a significant foothold. A nearly human-readable
protocol, XML makes for easy development but inefficient processing. As a result, appliances have emerged specifically to offload XML
validation, transformation, compression, encryption/decryption and forwarding.
Though not actually a building block of the network, application offload appliances do overlap with traditional areas such as content networking,
application firewalls, load balancing and SSL offload. Consequently, many vendors' product lines are in the process of converging.

CHAPTER 4
MULTI-LOCATION NETWORKING

WIDE AREA NETWORKS


Wide Area Networks (WAN) are computer networks that cover a broad area (i.e., any network whose communications links cross metropolitan,
regional, or national boundaries). Or, less formally, a network that uses routers and public communications links. Contrast with personal area
networks (PANs), local area networks (LANs), campus area networks (CANs), or metropolitan area networks (MANs) which are usually limited
to a room, building, campus or specific metropolitan area respectively. The largest and most well-known example of a WAN is the Internet.
In short, WANs are used to connect LANs and other types of networks together, so that users and computers in one location can communicate
with users and computers in other locations. Many WANs are built for one particular organization and are private.

Ethernet WAN and MAN Services


Ethernet services go by many names such as Gigaman, Optiman, OPT-E-MAN, optical Ethernet, switched Ethernet services, resilient packet
ring (RPR), E-VPLS and provider backbone transport (PBT). Some services provide only point-to-point connectivity, while others provide
multisite connectivity. They all have in common the ability to connect locations using Ethernet at a much lower cost per megabit than traditional
T1 and T3 links and without the requirement for a router.
In evaluating Ethernet services, a few questions deserve consideration:
• Is the connectivity shared (for example, an Ethernet switch) or dedicated, such as traditional TDM (time division multiplexing)? Shared
services are considerably cheaper, but do not offer the comfort of dedicated bandwidth guarantees.
• Will the service provider honor client QoS? If so, to what degree does it do so?
• Will the service's geographic reach match your organization’s needs? Typically, the narrower the geographic range the more service options
are available.
• Will the service support multiple VLANs (802.1q)? Some older equipment requires that customer VLAN numbering be coordinated with the
provider.
• Will the service's redundancy and fault tolerance match expectations? Many Ethernet services have no last-mile fiber or hardware diversity.
• Will the extra bandwidth of an Ethernet MAN or WAN be enough to support the organization's long-term mobility goals (for example,
keeping per-user bandwidth consumption as low as practicable)?

Point-to-point Leased Lines


A leased line connects exactly two locations, typically with a router at each side. Leased lines connect an organization's branch locations to
each other and to the central hub. They also typically connect an organization to the Internet. All private WAN services discussed later in this
guide (such as MPLS, frame relay and ATM) begin by first connecting the customer locations to the provider with leased lines.
The value proposition of a symmetric digital subscriber line (SDSL) and cable modem WAN links can often be offset by increased latency that
impairs the effective throughput. It's also worth noting that traditional TDM services such as DS1 and DS3 are tariffed by states. Telcos,
working with public service commissions, have set prices that are generally uniform and nonnegotiable. In contrast, Ethernet, SDSL and cable
modem services are subject to competitive price negotiations.
Some organizations prefer self-managed leased lines over a provider WAN (such as ATM, frame relay or MPLS), because leased lines usually
have guaranteed bandwidth, while provider WANs may charge different fees based on average usage, maximum (burst) usage or the QoS
settings of client traffic.
Also, leased lines tend to be more secure, more reliable and have lower latencies since they take direct paths between the endpoints. Compare
this to provider WANs that backhaul all traffic to a central point often hundreds of miles from the endpoints. Keep in mind that a leased line is
private but not encrypted: data that must stay confidential should be encrypted (for example with IPsec) on either type of WAN.
However, provider WANs do have some very significant advantages:
• With a provider WAN, each branch location needs only a single router WAN interface to the service provider in order to communicate with all
other branch locations. With leased lines, the hub location needs an expensive router interface for each branch office.
• A provider WAN permits branch locations to be meshed, meaning branches can communicate directly with each other without traversing a
hub location.

• Provider WANs have a single support contact for WAN moves, changes or outages, whereas leased lines may involve many vendors and
different avenues of support.
• Provider WAN pricing is often negotiable, especially for a network composed of a large number of branch locations. Many leased line
services have inflexible pricing due to tariffs.
• Provider WANs may have value-add features such as backup paths, remote access, Internet access and VoIP services.

MPLS VPNs
Multi Protocol Label Switching (MPLS) is a data-carrying mechanism that belongs to the family of packet-switched networks. MPLS operates at
an OSI Model layer that is generally considered to lie between traditional definitions of Layer 2 (Data Link Layer) and Layer 3 (Network Layer),
and thus is often referred to as a "Layer 2.5" protocol. It was designed to provide a unified data-carrying service for both circuit-based clients
and packet-switching clients which provide a datagram service model. It can be used to carry many different kinds of traffic, including IP
packets, as well as native ATM, SONET, and Ethernet frames.
A number of different technologies were previously deployed with essentially identical goals, such as frame relay and ATM. MPLS is now
replacing these technologies in the marketplace, mostly because it is better aligned with current and future technology needs. Service providers
embrace it because it makes operating, troubleshooting and connecting new branch locations much easier than with other types of WANs,
resulting in lower pricing. Customers like it because it provides full-mesh connectivity — important for VoIP and video conferencing — where
branch locations can communicate directly with each other without a central hub.
MPLS does have a few drawbacks:
• MPLS has no congestion notification: a congested link simply drops packets, whereas Frame Relay (FECN/BECN) and ATM signal congestion
to the endpoints
• Most provider MPLS VPN services of this period carry only IPv4 unicast routing; check the provider's support for IPv6 and multicast if you
need them
• MPLS has poor support for VoIP on fractional T1 links of 768Kbps or less
An MPLS VPN separates customers' traffic with labels and per-customer routing tables, but it does not encrypt it. Traffic that must remain
confidential from the provider should be carried in IPsec tunnels over the MPLS VPN.

Frame Relay and ATM


Frame relay is a data link network protocol designed to transfer data on Wide Area Networks (WANs). Frame relay works over serial access
circuits such as T1/E1, fractional T1 and ISDN lines. The protocol offers low latency and, to reduce overhead, does not perform any error
correction, which is instead handled by other components of the network.
Frame relay has traditionally provided a cost-effective way for telecommunications companies to transmit data over long distances. With the
advent of MPLS, VPN and dedicated broadband services such as cable modem and DSL, the end may loom for the frame relay protocol and
encapsulation. Unlike MPLS, neither ATM nor frame relay works over non-serial links such as Ethernet. Frame relay has excellent support for
fragmentation and interleave on slow-speed WAN circuits. With most service providers, ATM and frame relay are fully interoperable.
If you are designing a network for the future, Frame Relay will matter less and less; while it remains in use, however, understanding how it
behaves on the WAN links (for example T3) between your locations is still important.

CHAPTER 5
IT’S IN THE AIR:
WIRELESS NETWORKING

Wireless is rapidly gaining in popularity in business networking. Wireless technology continues to improve, and the cost of wireless products
continues to decrease. Popular wireless local area networking (WLAN) products conform to the 802.11 "Wi-Fi" standards. Many businesses
today are moving towards Wireless LANs (WLAN). A WLAN typically extends an existing wired local area network. WLANs are built by
attaching a device called the access point (AP) to the edge of the wired network. Clients communicate with the AP using a wireless network
adapter similar in function to a traditional Ethernet adapter. Beyond laptops, wireless can connect near-line-of-sight buildings and be used for
inventory tracking.

Wireless APs
A wireless access point (WAP or AP) is a device that allows wireless communication devices to connect to a wireless network. The WAP
usually connects to a wired network, and can relay data between the wireless devices (such as computers or printers) and wired devices on the
network.
A wireless access point (AP) can be used to join wireless devices to a wired network, or to extend the range of a wireless network. They don't
provide the DNS, DHCP, firewall or other functions commonly found in wireless routers. They simply take a wired or wireless network input and
relay it to the wireless devices within its broadcast range.
Protocols that share an RF band will coexist only with a significant performance penalty. For example, a single wireless client running 802.11b
will significantly slow the performance of all 802.11g clients attached to the same AP.
Some organizations attempt to limit RF band use by user type. For example, 802.11b/g in the 2.4GHz band could be used for dense "mileage-
may-vary" notebook wireless connectivity, while 802.11a in the 5.0GHz band could be reserved for critical connectivity such as VoIP phones
and tablet PCs.
Limitations
One IEEE 802.11 WAP can typically communicate with 30 client systems located within a radius of 100 m. However, the actual range of
communication can vary significantly, depending on such variables as indoor or outdoor placement, height above ground, nearby obstructions,
other electronic devices that might actively interfere with the signal by broadcasting on the same frequency, type of antenna, the current
weather, operating radio frequency, and the power output of devices.
Network designers can extend the range of WAPs through the use of repeaters and reflectors, which can bounce or amplify radio signals that
ordinarily would go un-received. In experimental conditions, wireless networking has operated over distances of several kilometers.
Most jurisdictions have only a limited number of frequencies legally available for use by wireless networks. Usually, adjacent WAPs will use
different frequencies to communicate with their clients in order to avoid interference between the two nearby systems. But wireless devices can
"listen" for data traffic on other frequencies, and can rapidly switch from one frequency to another to achieve better reception on a different
WAP. However, the limited number of frequencies becomes problematic in crowded downtown areas with tall buildings housing multiple WAPs,
when overlap causes interference.

Top AP Vendors:
 Cisco
 3Com
 Aruba
 Nortel
 Juniper
 SonicWALL
 Meru
Wireless networking lags behind wired networking in terms of increasing bandwidth and throughput. While (as of 2004) typical wireless devices
for the consumer market can reach speeds of 11 Mbit/s (megabits per second) (IEEE 802.11b) or 54 Mbit/s (IEEE 802.11a, IEEE 802.11g),
wired hardware of similar cost reaches 1000 Mbit/s (Gigabit Ethernet). One impediment to increasing the speed of wireless communications
comes from Wi-Fi's use of a shared communications medium, so a WAP is only able to use somewhat less than half the actual over-the-air rate
for data throughput. Thus a typical 54 MBit/s wireless connection actually carries TCP/IP data at 20 to 25 Mbit/s. Users of legacy wired
networks expect the faster speeds, and people using wireless connections keenly want to see the wireless networks catch up.

The latest standard for wireless networking, IEEE 802.11n, is currently in draft form, and while some industry experts believe that it could be
ratified before the end of this year, others expect it will be well into 2009 before the Institute of Electrical and Electronic Engineers (IEEE)
manages to complete the process.
This new standard operates at speeds up to 540 Mbit/s and at longer distances (~50 m) than 802.11g. Use of legacy wired networks (especially
in consumer applications) is expected to decline sharply as the common 100 Mbit/s speed is surpassed and users no longer need to worry
about running wires to attain high bandwidth. That being said, some vendors are quick to market even though the standard has not been
ratified (which means it could and probably will change a bit). Vendors that currently support some form of 802.11n include:
 Aruba Networks
 Cisco Systems
 Colubris Networks
 Meru Networks
 Motorola / Symbol Technologies
 Trapeze Networks

The IEEE 802.11n standard is continuing to evolve and no document can keep up with new developments. Make sure you vet
vendors against the evolving standard.

CHAPTER 6
LET THE GOOD GUYS IN AND KEEP THE BAD GUYS OUT:
NETWORK SECURITY
A recent Forrester IT management report indicated that the number one challenge for network engineers is security. And it’s been the number
one challenge 10 years running. The good news is that solutions are getting stronger and there is no shortage of vendors. In fact, there are
over 300 vendors of security software and services that provide solutions to companies ranging from small businesses to the Fortune 500.

Unified Threat Management (a.k.a. Firewalls on Steroids)


Firewalls are at the core of most corporate security strategies. A firewall is a device or set of devices configured to permit, deny, encrypt, or
proxy all computer traffic between different security domains based upon a set of rules and other criteria. Usually a firewall is a dedicated
appliance or machine running firewall software that inspects network traffic passing through it, and denies or permits passage based on a set of
rules.
Firewalls, for obvious reasons, are deployed mainly at the perimeter of the network and typically protect a network from intrusion via outside
links (most times the Internet). Generally, in larger more complex networks, firewalls are also placed intra-network to protect corporate
resources from internal threats – both unintentional and malicious.
Unified Threat Management (UTM) is used to describe network firewalls that have many features in one box, including e-mail spam filtering,
anti-virus capability, an intrusion detection (or prevention) system (IDS or IPS), and World Wide Web content filtering, along with the
traditional activities of a firewall. Many of these firewalls use proxies to process and forward all incoming traffic, though they can still
frequently work in a transparent mode that disguises this fact. Higher-level inspection can be disabled so that the firewall functions like a
much simpler network address translation (NAT) gateway.

Top market share 2007 - Network Security:
 Cisco
 Juniper
 Check Point
 Nortel
 Secure Computing
 Fortinet
 SonicWALL
 ISS

Deep Packet Inspection
Deep packet inspection (DPI) is a form of computer network packet filtering that examines the data and/or header part of a packet as it passes
an inspection point (usually a firewall or UTM device), searching for non-protocol compliance, viruses, spam, intrusions or predefined criteria to
decide if the packet can pass or needs to be routed to a different destination, or for the purpose of collecting statistical information. This is in
contrast to shallow packet inspection (usually called just packet inspection) which just checks the header portion of a packet. Deep packet
inspection (and filtering) enables advanced security functions and most firewalls today contain this capability.
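An added example (not from this guide or any product) contrasting shallow and deep inspection on constructed IPv4/TCP packets: the header-only rule admits anything sent to port 80, while the payload-aware rule checks that port-80 traffic actually is HTTP and matches it against a signature table. The signature table, the allowed ports and the sample payloads are assumptions made for the example; a real device would also reassemble TCP streams rather than judge a single segment:

```python
import struct

# Constructed signature table for the example (a real device loads thousands of these).
SIGNATURES = {
    b"/cgi-bin/../../": "path-traversal",
    b"cmd.exe": "command-injection",
}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
ALLOWED_PORTS = {80, 443}          # what a shallow (header-only) rule permits


def build_packet(src_ip, dst_ip, sport, dport, payload):
    """Constructed IPv4 + TCP packet for offline testing (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0, src_ip, dst_ip)
    return ip + tcp + payload


def parse_packet(pkt):
    """Return header fields and payload; None if the packet is not TCP."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        return None
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return {"src": pkt[12:16], "dst": pkt[16:20], "sport": sport, "dport": dport,
            "payload": tcp[data_off:]}


def shallow_inspect(pkt):
    """Header-only filtering: the decision rests on the destination port alone."""
    hdr = parse_packet(pkt)
    if hdr is None:
        return "drop"
    return "allow" if hdr["dport"] in ALLOWED_PORTS else "drop"


def deep_inspect(pkt):
    """Header plus payload: verify protocol compliance on port 80 and match signatures."""
    hdr = parse_packet(pkt)
    if hdr is None:
        return ("drop", "not-tcp")
    if hdr["dport"] not in ALLOWED_PORTS:
        return ("drop", "port-not-allowed")
    payload = hdr["payload"]
    if not payload:
        return ("allow", "no-payload")            # pure ACK, nothing to inspect yet
    if hdr["dport"] == 80 and not payload.startswith(HTTP_METHODS):
        return ("drop", "non-http-on-port-80")    # e.g. SSH tunnelled over port 80
    for pattern, name in SIGNATURES.items():
        if pattern in payload:
            return ("drop", "signature:" + name)
    return ("allow", "compliant")


if __name__ == "__main__":
    a, b = bytes([10, 0, 0, 5]), bytes([192, 0, 2, 80])        # constructed addresses
    samples = [
        build_packet(a, b, 40000, 80, b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n"),
        build_packet(a, b, 40001, 80, b"SSH-2.0-OpenSSH_7.4\r\n"),
        build_packet(a, b, 40002, 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n\r\n"),
        build_packet(a, b, 40003, 25, b"EHLO x\r\n"),
    ]
    for pkt in samples:
        print(shallow_inspect(pkt), deep_inspect(pkt))
```

The second sample is the case the text calls non-protocol compliance: the port says HTTP, the payload says SSH. Shallow inspection passes it; deep inspection drops it.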

Application Firewall
While a network firewall controls which traffic may flow, an application firewall controls what that traffic may do once it reaches an
application. The term covers two kinds of product. A host-based application firewall limits the access which software applications have to the
operating system services, and consequently to the internal hardware resources found in a computer, much as a firewall between apartments
in a residential building limits the spread of heat, or even fire, to the residents on either side. A web application firewall inspects HTTP
requests and responses for attacks on the application itself, which is especially important for applications exposed to the Internet, such as
web applications.

It has become commonplace and industry standard to deploy application firewalls in addition to traditional network firewalls;
however, many network firewalls have begun to include application firewall features and, similar to routers and switches, the
differences between the two are becoming more gray. When making a purchasing decision first think about your business
requirement, then think about the potential incremental cost of combining both functions into one device. It will save time and money down the
road, as you will have one less hardware device to maintain and support.

Network Access Control (NAC)


Network Access Control (NAC) is an approach to computer network security that attempts to unify endpoint security technology (such as
antivirus, host intrusion prevention, and vulnerability assessment), user or system authentication and network security enforcement.

Because NAC represents an emerging category of security products, its definition is both evolving and controversial. The overarching goals of
the concept can be distilled to:
• Mitigation of zero-day attacks - The key value proposition of NAC solutions is the ability to prevent end-stations that lack antivirus, patches, or
host intrusion prevention software from accessing the network and placing other computers at risk of cross-contamination of network worms.
• Policy enforcement - NAC solutions allow network operators to define policies, such as the types of computers or roles of users allowed to
access areas of the network, and enforce them in switches, routers, and network middle boxes.
• Identity and access management - Where conventional IP networks enforce access policies in terms of IP addresses, NAC environments
attempt to do so based on authenticated user identities, at least for user end-stations such as laptops and desktop computers.

Deployment
When organizations have a local IT department and perhaps one office, many times network access control at the end point is sufficient.
However, larger networks with WAN connections and remote offices and users need to think on a more global basis. There are three common
installations of NAC solutions:

1. Inline NAC: For most businesses an in-line NAC appliance installed locally is the best deployment. Examples include the
SonicWALL Aventail series of appliances. The only downside to this scenario is that all network traffic must traverse the NAC
appliance, so it becomes a single point of failure: if it fails, the IT admin either loses connectivity or, by bypassing it to restore
service, loses access control. The benefit is easy deployment that won't break the bank. From a network management perspective, it
also means fewer 'nodes' to monitor and manage. As with all appliances it makes sense to ensure that your NAC device supports
SNMP and it is enabled.
2. Out-of-band NAC: For medium-to-large organizations an out-of-band NAC appliance is the better solution because only the posture
assessment traffic will traverse the NAC appliance.
3. DHCP registration: For larger enterprises, DHCP (dynamic host configuration protocol) registration, along with an out-of-band NAC
as in number two, is the best approach. The DHCP server hands an endpoint an address from a restricted (quarantine) scope until it
has registered and passed posture assessment, and a production address afterwards. Note that a host with a statically configured
address bypasses DHCP-based enforcement, so combine it with switch-level controls.
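An added example of the policy decision a NAC system makes once identity and posture are known, not taken from this guide or any product. Roles, VLAN numbers, the posture thresholds, the OUI-based device exceptions and the endpoint records are all constructed assumptions; the output is the VLAN (or, for a DHCP-registration deployment, the scope) the enforcement point should apply:

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed policy for the example: roles, VLANs and thresholds are assumptions.
ROLE_VLANS = {"employee": 10, "finance": 20, "contractor": 30}
QUARANTINE_VLAN = 999          # remediation-only network (patch and AV update servers)
GUEST_VLAN = 900               # Internet only, no internal resources
MAX_SIGNATURE_AGE_DAYS = 7

# Non-workstation devices that cannot run a posture agent, keyed by MAC OUI prefix.
DEVICE_EXCEPTIONS = {"00:11:22": "voip-phone", "aa:bb:cc": "printer"}
EXCEPTION_VLANS = {"voip-phone": 50, "printer": 60}


@dataclass
class Endpoint:
    """What the switch and the posture agent report about a connecting device."""
    mac: str
    user: Optional[str] = None              # None until 802.1X or portal login succeeds
    role: Optional[str] = None
    av_running: bool = False
    av_signature_age_days: int = 9999
    hips_running: bool = False
    missing_critical_patches: List[str] = field(default_factory=list)


@dataclass
class Decision:
    vlan: int
    reason: str
    remediation: List[str]


def assess_posture(ep: Endpoint) -> List[str]:
    """Return the list of posture failures (empty means compliant)."""
    failures = []
    if not ep.av_running:
        failures.append("antivirus not running")
    elif ep.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        failures.append(f"antivirus signatures {ep.av_signature_age_days} days old")
    if not ep.hips_running:
        failures.append("host intrusion prevention not running")
    if ep.missing_critical_patches:
        failures.append("missing patches: " + ", ".join(ep.missing_critical_patches))
    return failures


def decide_access(ep: Endpoint) -> Decision:
    """Map identity and posture to the VLAN the switch port (or DHCP scope) should get."""
    device_class = DEVICE_EXCEPTIONS.get(ep.mac.lower()[:8])
    if device_class:
        # Exception devices never reach a user VLAN: a spoofed MAC only buys a restricted one.
        return Decision(EXCEPTION_VLANS[device_class], "exception:" + device_class, [])
    if ep.user is None:
        return Decision(GUEST_VLAN, "unauthenticated", [])
    failures = assess_posture(ep)
    if failures:
        return Decision(QUARANTINE_VLAN, "posture-failed", failures)
    vlan = ROLE_VLANS.get(ep.role)
    if vlan is None:
        return Decision(QUARANTINE_VLAN, "unknown-role", ["no role mapping for user"])
    return Decision(vlan, "compliant", [])


if __name__ == "__main__":
    # Constructed endpoints: one clean workstation, one stale one, one phone, one stranger.
    for ep in (Endpoint("00:aa:bb:cc:dd:01", "alice", "finance", True, 2, True),
               Endpoint("00:aa:bb:cc:dd:02", "bob", "employee", True, 30, True, ["KB-EXAMPLE-1"]),
               Endpoint("00:11:22:33:44:55"),
               Endpoint("00:aa:bb:cc:dd:03")):
        print(ep.mac, decide_access(ep))
```

The MAC-prefix exception list is exactly the weak spot the Challenges paragraph below warns about: a laptop that spoofs a phone's MAC lands in the phone VLAN without any posture check. Keeping that VLAN restricted to the phones' real needs, and tying exceptions to a switch port or a device certificate where the hardware allows, limits what the spoof gains.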

Challenges
How to integrate NAC with the existing workstation login procedures represents a key challenge, especially if workstation login requires
network access. For example, if workstation authentication is tied to LDAP (lightweight directory access protocol) or Active Directory (AD), then
cached credentials must be used and login scripts may need to be adjusted to allow for the delay of the posture assessment phase.
The login process can also be complicated by third-party security software (such as VPN clients and two-factor authentication products like
SecurID) and remote control software (for example, pcAnywhere and WinVNC).
Other challenges include:
• Supporting software that runs at boot time, in unattended mode or before workstation login, such as Preboot Execution Environment (PXE) or
Wake-on-LAN (WoL).
• Supporting non-workstation network devices such as VoIP phones and network printers. Will such devices be configured as exceptions to
NAC rules and, if so, how will the network defend against a malicious user who spoofs a trusted device's network settings?
• Designing and testing the NAC network. With all its complexity and software interdependence, the NAC should never be implemented without
first testing the design in a proper lab environment with real workstations, printers, VoIP phones and other devices. Not all organizations have
such lab environments.

• Detecting unauthorized NAT routers. If just one device connected to a NAT router passes posture assessment, all other devices attached to
that router will also be allowed in, undermining security policy. RF signatures make detection of wireless routers relatively straightforward, but
wired routers are far more difficult to find.
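One way to hunt for unauthorized wired NAT routers, added here as an example that is not from this guide: a NAT router forwards its clients' packets, so each arrives with an initial TTL decremented once more than a directly connected host would show, and a single address that emits several operating systems' default TTLs is hiding more than one machine. The observations are constructed; the assumption is that the sensor sees the access segment directly (expected_hops=0), otherwise set expected_hops to the number of legitimate routers in between:

```python
from collections import defaultdict

# Initial TTLs most operating systems use; each router on the path decrements by one.
DEFAULT_TTLS = (64, 128, 255)


def ttl_origin(ttl):
    """Guess (initial TTL, hops traversed) for an observed IPv4 TTL."""
    for base in DEFAULT_TTLS:
        if ttl <= base:
            return base, base - ttl
    return None, None          # a TTL above 255 cannot occur in IPv4


def find_nat_suspects(observations, expected_hops=0):
    """observations: iterable of (source_ip, ttl) pairs captured on the local segment.

    expected_hops is the number of routers legitimately between the sensor and the
    hosts (0 when the sensor sits on the same VLAN as the access ports).
    """
    seen = defaultdict(set)
    for ip, ttl in observations:
        seen[ip].add(ttl)
    suspects = {}
    for ip, ttls in seen.items():
        reasons, families = [], set()
        for ttl in sorted(ttls):
            base, hops = ttl_origin(ttl)
            families.add(base)
            if hops > expected_hops:
                reasons.append(f"ttl {ttl} implies {hops - expected_hops} unexpected hop(s)")
        if len(families) > 1:
            reasons.append(f"traffic from {len(families)} different OS TTL families")
        if reasons:
            suspects[ip] = reasons
    return suspects


if __name__ == "__main__":
    # Constructed capture: .5 and .9 are ordinary hosts, .7 is a consumer router hiding
    # a Windows box (128-1) and a Linux box (64-1) behind one address.
    capture = [("10.0.0.5", 128), ("10.0.0.5", 128), ("10.0.0.7", 127),
               ("10.0.0.7", 63), ("10.0.0.9", 64)]
    for ip, why in find_nat_suspects(capture).items():
        print(ip, why)
```

A host with a deliberately lowered TTL will also trip the first check, so treat a hit as a lead for the port-level investigation (MAC count per switch port, DHCP lease history) rather than proof on its own.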

CHAPTER 7
TYING “IT” ALL TOGETHER:
NETWORK MANAGEMEMENT SOFTWARE

Network Management Software is a term used to describe a broad subject of managing computer networks. There exists a wide variety of
software and hardware products that help network system administrators manage a network. Generally, however, network management
covers:
 Security: Ensuring that the network is protected from unauthorized users.
 Performance: Eliminating bottlenecks in the network.
 Reliability: Making sure the network is available to users and responding to hardware and software malfunctions.
Specific functions that are performed as part of network management include controlling, planning, allocating, deploying, coordinating and
monitoring the resources of a network, network planning, frequency allocation, predetermined traffic routing to support load balancing,
cryptographic key distribution authorization, configuration management, fault management, security management, performance management,
bandwidth management, and accounting management.

Figure 2: Network Management System Functions

When thinking through a network management system, you need to first think about support for your devices. That is, does the
network management system you’re using support not just Cisco, but the vendors and product families within your production
environments? Beyond devices, network management systems should support critical applications (i.e., SQL Server, MS
Exchange), storage units from any number of vendors (including Storage Area Networks), physical and virtual servers, and
bandwidth management.

A simple way to categorize network management software is the table below:

Category: Network Management
Description: Detect, diagnose and resolve network performance issues before they turn into costly downtime.
Application examples: 1. WAN Management; 2. Switch / Router / Hub (Configuration) Management; 3. Traffic / Bandwidth Management

Category: Server Management
Description: Improve availability and performance of your Server infrastructure and gain in-depth visibility into Server problems.
Application examples: 1. Server Management; 2. Administrative Management (see FCAPS); 3. Services Management

Category: Application Management
Description: Identify and resolve application performance issues before they impact end users.
Application examples: 1. Exchange Management; 2. SQL Management; 3. URL Monitoring

FCAPS
The baseline of most Network Management Systems is the support of FCAPS. FCAPS is the ISO model and framework for network
management, also adopted by the ITU-T Telecommunications Management Network (TMN) recommendations. FCAPS is an acronym for Fault,
Configuration, Accounting, Performance, Security, which are the management categories into which the ISO model divides network
management tasks. In non-billing organizations Accounting is usually replaced with Administration.

Fault Management
A fault is an event which has a negative significance. The goal of fault management is to recognize, isolate, correct and log faults that occur in
the network. Furthermore, it uses trend analysis to predict errors so that the network is always available. This can be established by monitoring
different things for abnormal behavior.
When a fault or event occurs, a network component will often send a notification to the network operator using a proprietary or open protocol
such as SNMP, or at least write a message to its console for a console server to catch and log/page. This notification is supposed to trigger
automatic or manual activities such as the gathering of more data to identify the nature and severity of the problem or to bring specific down
equipment back on-line.

When choosing network management software, consider using a system that supports automatic remediation. It’s one thing to alert
the network engineer when a fault occurs, it’s better when the system can automatically remediate the problem. For example, a
server goes haywire every so often blowing through memory. You can’t seem to solve the problem, but you know that a reboot will
at least plug the hole for a few weeks at a time. Strong network management software will notify you that the fault has occurred, and also
reboot the machine automatically.

Configuration Management
Configuration management is the process of managing firmware versions and configurations of the firmware on managed devices. This includes
gathering and storing configurations, backing up configurations, tracking changes of configurations, and creating policies to mass update
configurations.

Make sure your NMS supports mass updates of configurations across a pool of devices. Some network management systems will
allow the user to create a ‘policy’ of devices so mass configuration updates / changes can be implemented at the click of a button.

Accounting / Administrative Management

Accounting Management refers to ‘accounting for’ usage of typical storage devices. This includes statistics on disk usage, memory usage,
bandwidth / application usage, and CPU time. Accounting Management is a term often used by companies that need to account for usage as it
relates to billing activities. For this reason, most IT organizations that do not need stats for billing instead call this category Administrative
Management. Maintaining statistics on server vitals, for example, is a foundation component of all strong network management systems.
Combining Administration Management with system alerts allows the user of the system to receive notification (SMS / email) when a statistic is
outside of expected behavior.

Performance Management
Performance management enables the network manager to prepare the network for the future as well as to determine the efficiency of the
current network. It addresses throughput, percentage utilization, error rates and response times. By collecting and analyzing
performance data, network health can be monitored, and trends can indicate capacity or reliability issues before they become
service-affecting. Performance thresholds can be set to trigger an alarm.


All strong network management systems use common flow protocols such as Cisco NetFlow to monitor network traffic. Further, the
network management system should have a database where historical network behavior can be collected and stored for regression,
time-series, and trend analysis.

Security Management
Security management is the process of controlling access to assets in the network (see Security Section).

SNMP and WMI


SNMP is a standard TCP/IP protocol for network management. Network administrators use SNMP to monitor and map network
availability, performance, and error rates.
To work with SNMP, network devices use a distributed data store called the Management Information Base (MIB). Every
SNMP-compliant device contains a MIB that supplies the pertinent attributes of the device. Some attributes are fixed or "hard coded" in
the MIB while others are dynamic values calculated by agent software running on the device.

Network Management System Vendors:
HP
PacketTrap Networks
IBM / Tivoli
Computer Associates
Enterprise network management software such as HP OpenView and PacketTrap Perspective™ uses SNMP commands to read and write
data in each device's MIB. "Get" commands retrieve data values, while "Set" commands write values that the agent may act on. For
example, a "system reboot" command is often implemented by defining a particular MIB attribute and having the manager issue an SNMP
Set that writes a "reboot" value into that attribute. A Set is therefore a privileged write to the device, and in SNMPv1 and SNMPv2c it
is protected by nothing more than the community string.
SNMPv1 and SNMPv2c run over UDP/IP (port 161 for requests, 162 for traps) and authenticate each request with a community string that is
sent in cleartext, so anyone who can observe the traffic can read it and, if it is a read-write community, reconfigure the device.
SNMPv3, a full Internet Standard since 2002 (RFCs 3411 to 3418), was defined to address those weaknesses and to let administrators
move to one common SNMP standard: it adds per-user authentication and optional encryption of the PDU. Ensure that your network
management system supports SNMPv3, and use authenticated and encrypted (authPriv) access on any device that accepts Set requests.
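An added example, not code from this document or from any NMS vendor, that makes the SNMPv1/v2c weakness concrete using only the Python standard library: a hand-rolled BER encoder for SNMPv2c GetRequest and SetRequest messages, and a decoder showing what a passive observer on the wire recovers from such a packet. The OID 1.3.6.1.2.1.1.1.0 is the standard sysDescr.0; the community strings "public" and "private", the request IDs and the enterprise OID 1.3.6.1.4.1.99999.1.0 used for the Set are constructed sample values.

```python
"""Hand-rolled BER encoding/decoding of SNMPv2c GetRequest/SetRequest messages.
Added example, not PacketTrap code. Shows that the v1/v2c community string, the only
'credential' those versions have, is readable by anyone who can see the packet."""

TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GET_REQUEST, TAG_GET_RESPONSE, TAG_SET_REQUEST = 0xA0, 0xA2, 0xA3
PDU_NAMES = {TAG_GET_REQUEST: "GetRequest", TAG_GET_RESPONSE: "GetResponse", TAG_SET_REQUEST: "SetRequest"}
SNMP_V1, SNMP_V2C = 0, 1               # version field values on the wire
SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"      # sysDescr.0 from the standard SNMPv2-MIB


def _length(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _length(len(payload)) + payload


def encode_integer(value):
    """Minimal two's-complement encoding, as BER requires."""
    n = 1
    while not (-(1 << (8 * n - 1)) <= value < (1 << (8 * n - 1))):
        n += 1
    return _tlv(TAG_INTEGER, value.to_bytes(n, "big", signed=True))


def encode_oid(dotted):
    """First two arcs share one octet (40*a + b); later arcs are base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def _message(pdu_tag, community, varbinds, request_id, version=SNMP_V2C):
    """Message ::= SEQUENCE { version, community, PDU { request-id, error-status, error-index, varbinds } }"""
    pdu = _tlv(pdu_tag, encode_integer(request_id) + encode_integer(0) + encode_integer(0)
               + _tlv(TAG_SEQUENCE, b"".join(varbinds)))
    return _tlv(TAG_SEQUENCE, encode_integer(version) + _tlv(TAG_OCTET_STRING, community.encode()) + pdu)


def build_get_request(community, oid, request_id=1):
    """GetRequest: one varbind whose value is a NULL placeholder."""
    return _message(TAG_GET_REQUEST, community,
                    [_tlv(TAG_SEQUENCE, encode_oid(oid) + _tlv(TAG_NULL, b""))], request_id)


def build_set_request(community, oid, int_value, request_id=1):
    """SetRequest writing an INTEGER: the shape of a 'write a reboot value into the attribute' action."""
    return _message(TAG_SET_REQUEST, community,
                    [_tlv(TAG_SEQUENCE, encode_oid(oid) + encode_integer(int_value))], request_id)


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(payload):
    arcs, value = [payload[0] // 40, payload[0] % 40], 0
    for b in payload[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_message(packet):
    """What a passive sniffer recovers from a v1/v2c packet: everything, community string included."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an SNMP message")
    _, version, pos = _read_tlv(body, 0)
    _, community, pos = _read_tlv(body, pos)
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    _, request_id, pos = _read_tlv(pdu, 0)
    _, _, pos = _read_tlv(pdu, pos)       # error-status
    _, _, pos = _read_tlv(pdu, pos)       # error-index
    _, varbinds, _ = _read_tlv(pdu, pos)
    oids, vp = [], 0
    while vp < len(varbinds):
        _, vb, vp = _read_tlv(varbinds, vp)
        _, oid_payload, _ = _read_tlv(vb, 0)
        oids.append(decode_oid(oid_payload))
    return {"version": int.from_bytes(version, "big", signed=True),
            "community": community.decode(),          # plaintext on the wire
            "pdu_type": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(request_id, "big", signed=True),
            "oids": oids}


if __name__ == "__main__":
    pkt = build_get_request("public", SYS_DESCR_0)     # "public" is a constructed sample community
    print(pkt.hex())
    print(parse_message(pkt))
```

The 40-byte GetRequest this produces is byte-for-byte what a standard SNMP tool sends for sysDescr.0 with community "public"; the decoder needs no key material to read it back, which is exactly the property SNMPv3's User-based Security Model was introduced to remove.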
WMI (Windows Management Instrumentation) is Microsoft's implementation of the WBEM and CIM management standards. For network
management, WMI is the interface for pulling system metadata from Microsoft Windows machines, most notably operating system and
installed-software version data. SNMP can pull limited data from Windows machines, but WMI is required to pull detailed software
inventories from those same nodes.

It is therefore imperative, when evaluating a comprehensive network management system, that it supports WMI. Many
network management systems do not; find one that does. Remote WMI queries run as a Windows account, so give the NMS a dedicated,
least-privilege account for this purpose rather than a domain administrator.

Vetting Network Management System Vendors


Network Management Systems (NMS) come at many price and functionality points, and in several delivery models. Low-end network
management systems can be purchased for less than several thousand dollars, while high-end solutions can top $100k. Add in customization
and the investment can skyrocket. Delivery models include:
Software: Usually installed on a dedicated server with a general-purpose database such as SQL Server or Oracle rather than a vendor-specific embedded store.
Appliance: Delivered as an all-in-one hardware unit.
Virtual Appliance: Delivered as software, but run as a virtual machine within a virtualized environment.
Each model has advantages and disadvantages; however, most organizations tend to deploy the "Software" version of network
management solutions.
The trick in selecting a vendor is defining specific functionality requirements. HP OpenView, for example, can solve the network management
challenges of the largest, most disparate corporate networks in the world, but may be overkill for middle-market and smaller companies. Open-source
network management solutions such as Nagios are flexible and free, but they often lack dedicated commercial support and can be
difficult to customize and maintain.


Out of the box, network management systems sometimes lack device support for even the most common hardware, such as the Cisco ASA line.
Usually this is because the bundled MIB or the OIDs it polls are out of date, and vendor support is required to fix it. How quickly a
vendor can turn out support for a device is usually the defining difference in the user's experience of and opinion about the system,
so quick turnaround on device support is essential. Some vendors provide MIB compilers that let you load a device's MIB yourself.
Another consideration is the robustness of the user experience. Many network management systems are clunky, difficult to configure, and
needlessly complex; a fluid user experience helps ensure the network engineer keeps relying on the system. There are too many
implementations of HP OpenView where only 20% of the functionality is used while the company pays annual maintenance fees in the tens of
thousands. Sometimes a network management system is inherited from previous leaders of the IT department and has not been maintained;
in that case the initial user experience can be dreadful because of out-of-date configurations and device support. For this reason,
find a vendor that not only delivers core product functionality to the market but also spends as much time helping its customers
maintain the system.
Minimizing false-positive alerts is core to a network management system. For this reason, the NMS should support a data baseline
customized to the network. Most systems on the market today trigger alerts on fixed thresholds, but that creates false positives
when a threshold is exceeded for an expected reason. For example, if company X opens its office every morning at 9am, network traffic
spikes at 9am as expected behavior because many workers log on at the same time. If traffic spikes to the same level at 11am, however,
that may indicate a problem. A threshold alert set at the 11am spike level will therefore trigger a false positive at 9am the next
morning. False positives are a top complaint of network engineers. The solution is a network management system that lets the network
engineer define a baseline of expected behavior for each part of the day; then, when an unexpected spike occurs, automatic or manual
remediation can take place.
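As an added example (not code from this document or from any NMS vendor), the following builds a per-hour baseline from a constructed traffic history that contains the expected 9am login spike, then compares a flat threshold against that baseline on two new observations: a normal 9am spike and the same volume at 11am. The history, the threshold of 150 Mbps and the k=3 standard-deviation band are assumptions chosen for the illustration.

```python
"""Per-hour traffic baseline versus a flat threshold. Added example, not PacketTrap code.
The traffic history is constructed: ten weekdays, Mbps sampled once an hour from 8am to 5pm,
with the expected login spike at 9am."""
import statistics

# Constructed history: (hour, mbps). 9am runs near 180 Mbps, every other hour near 40 Mbps.
HISTORY = [(hour, 180 + day % 5 if hour == 9 else 40 + day % 3)
           for day in range(10) for hour in range(8, 18)]


def build_baseline(samples, k=3.0, floor=5.0):
    """Return {hour: (mean, upper_bound)} with upper_bound = mean + max(k * stdev, floor).
    The floor keeps a perfectly steady hour from alerting on tiny noise."""
    by_hour = {}
    for hour, mbps in samples:
        by_hour.setdefault(hour, []).append(mbps)
    baseline = {}
    for hour, values in by_hour.items():
        mean = statistics.fmean(values)
        sd = statistics.pstdev(values) if len(values) > 1 else 0.0
        baseline[hour] = (mean, mean + max(k * sd, floor))
    return baseline


def flat_alert(mbps, threshold):
    """The conventional rule: one number for the whole day."""
    return mbps > threshold


def baseline_alert(hour, mbps, baseline):
    """Alert only when the value is abnormal for this hour of the day."""
    if hour not in baseline:
        return True            # no history for this hour: surface it rather than stay silent
    return mbps > baseline[hour][1]


def evaluate(observations, history=HISTORY, flat_threshold=150.0):
    """Side-by-side decisions for a list of (hour, mbps) observations."""
    baseline = build_baseline(history)
    return [{"hour": h, "mbps": m,
             "flat_alert": flat_alert(m, flat_threshold),
             "baseline_alert": baseline_alert(h, m, baseline)}
            for h, m in observations]


if __name__ == "__main__":
    for row in evaluate([(9, 186.0), (11, 180.0)]):
        print(row)
```

With this data the flat rule fires on both observations, while the baseline stays quiet for the 186 Mbps 9am spike (its upper bound for that hour is 187 Mbps) and fires on 180 Mbps at 11am, where the expected band tops out below 50 Mbps. The same per-hour structure extends naturally to a per-weekday or per-device key when the history warrants it.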

The goal of network management systems is to make managing a set of rather complex components and processes easy. This is
hard to do because every network is different. For this reason, vendor support is crucial. Find a vendor that can help you be
successful. Find a vendor that can help you manage your systems. Find a vendor that wants to be your partner and doesn’t view
you as a burden on their support organization’s expense line. After all, you don’t want to be stuck on hold for two hours because
your NMS is the problem instead of the solution. Network Management Systems are supposed to help you manage your network, not make
your network more complicated. High touch vendor support is critical.

Corporate Headquarters
118 2nd Street, 6TH FL
San Francisco, CA 94105
1-866-My-pt360 (1-866-697-8360)
www.PacketTrap.com

Learn more about network management solutions at www.PacketTrap.com.

